
Commit e94d4f1

userguide: explain rule types and categorization
Add documentation about the rule types introduced by 2696fda. Add doc tags around code definitions that are referenced in the docs. Task #https://redmine.openinfosecfoundation.org/issues/7031
1 parent dcfd9be commit e94d4f1


8 files changed

+1157
-0
lines changed


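--- a/doc/userguide/configuration/suricata-yaml.rst
+++ b/doc/userguide/configuration/suricata-yaml.rst
@@ -2577,6 +2577,8 @@ Engine analysis and profiling
 Suricata offers several ways of analyzing performance of rules and the
 engine itself.
 
+.. _config:engine-analysis:
+
 Engine-analysis
 ~~~~~~~~~~~~~~~
 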
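--- a/doc/userguide/rules/index.rst
+++ b/doc/userguide/rules/index.rst
@@ -4,6 +4,7 @@ Suricata Rules
 .. toctree::
 
 intro
+rule-types
 meta
 header-keywords
 payload-keywords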
@@ -0,0 +1,104 @@
1+
<mxfile host="app.diagrams.net" agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" version="24.9.1">
2+
<diagram id="C5RBs43oDa-KdzZeNtuy" name="Page-1">
3+
<mxGraphModel dx="2261" dy="792" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
4+
<root>
5+
<mxCell id="WIyWlLk6GJQsqaUBKTNV-0" />
6+
<mxCell id="WIyWlLk6GJQsqaUBKTNV-1" parent="WIyWlLk6GJQsqaUBKTNV-0" />
7+
<mxCell id="WIyWlLk6GJQsqaUBKTNV-4" value="No" style="rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=16;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=1;labelBackgroundColor=none;edgeStyle=orthogonalEdgeStyle;labelBorderColor=none;textShadow=0;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-6" target="WIyWlLk6GJQsqaUBKTNV-10" edge="1">
8+
<mxGeometry y="20" relative="1" as="geometry">
9+
<mxPoint as="offset" />
10+
</mxGeometry>
11+
</mxCell>
12+
<mxCell id="WIyWlLk6GJQsqaUBKTNV-5" value="No" style="edgeStyle=orthogonalEdgeStyle;rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=16;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=1;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="2s8PCpyst4B-AYq6nZVi-2" target="WIyWlLk6GJQsqaUBKTNV-7" edge="1">
13+
<mxGeometry x="0.0039" y="15" relative="1" as="geometry">
14+
<mxPoint as="offset" />
15+
<mxPoint x="-120" y="220" as="sourcePoint" />
16+
<Array as="points">
17+
<mxPoint x="-120" y="195" />
18+
</Array>
19+
</mxGeometry>
20+
</mxCell>
21+
<mxCell id="2s8PCpyst4B-AYq6nZVi-1" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;endArrow=blockThin;endFill=1;fontSize=16;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-6" target="2s8PCpyst4B-AYq6nZVi-2" edge="1">
22+
<mxGeometry relative="1" as="geometry">
23+
<mxPoint x="-120" y="200" as="targetPoint" />
24+
<Array as="points">
25+
<mxPoint x="-120" y="360" />
26+
<mxPoint x="-120" y="360" />
27+
</Array>
28+
</mxGeometry>
29+
</mxCell>
30+
<mxCell id="YKtqplUdx_BT4Hee0G-G-2" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=16;fontStyle=0" vertex="1" connectable="0" parent="2s8PCpyst4B-AYq6nZVi-1">
31+
<mxGeometry x="-0.05" y="-3" relative="1" as="geometry">
32+
<mxPoint x="17" as="offset" />
33+
</mxGeometry>
34+
</mxCell>
35+
<mxCell id="WIyWlLk6GJQsqaUBKTNV-6" value="Is IpOnly" style="rhombus;html=1;shadow=1;fontFamily=Helvetica;fontSize=16;align=center;strokeWidth=1;spacing=5;spacingTop=2;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
36+
<mxGeometry x="-170" y="390" width="100" height="80" as="geometry" />
37+
</mxCell>
38+
<mxCell id="WIyWlLk6GJQsqaUBKTNV-7" value="&lt;span&gt;IP Only&lt;/span&gt;" style="rounded=1;html=1;fontSize=16;glass=0;strokeWidth=1;shadow=1;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
39+
<mxGeometry x="213.5" y="160" width="91" height="70" as="geometry" />
40+
</mxCell>
41+
<mxCell id="WIyWlLk6GJQsqaUBKTNV-8" value="No" style="rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=16;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=1;labelBackgroundColor=none;edgeStyle=orthogonalEdgeStyle;labelBorderColor=none;textShadow=0;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-10" target="WIyWlLk6GJQsqaUBKTNV-11" edge="1">
42+
<mxGeometry x="0.3333" y="20" relative="1" as="geometry">
43+
<mxPoint as="offset" />
44+
</mxGeometry>
45+
</mxCell>
46+
<mxCell id="WIyWlLk6GJQsqaUBKTNV-9" value="Yes" style="edgeStyle=orthogonalEdgeStyle;rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=16;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=1;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-10" target="WIyWlLk6GJQsqaUBKTNV-12" edge="1">
47+
<mxGeometry x="-0.0769" y="20" relative="1" as="geometry">
48+
<mxPoint as="offset" />
49+
</mxGeometry>
50+
</mxCell>
51+
<mxCell id="WIyWlLk6GJQsqaUBKTNV-10" value="Is DEOnly" style="rhombus;html=1;shadow=1;fontFamily=Helvetica;fontSize=16;align=center;strokeWidth=1;spacing=5;spacingTop=2;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
52+
<mxGeometry y="390" width="100" height="80" as="geometry" />
53+
</mxCell>
54+
<mxCell id="WIyWlLk6GJQsqaUBKTNV-11" value="Handle &lt;span&gt;&#39;Packet&#39;&lt;/span&gt;, &lt;span&gt;&#39;Stream&#39;&lt;/span&gt;, &#39;&lt;span&gt;AppLayer&#39;&lt;/span&gt; and &lt;span&gt;&#39;AppLayer Transaction&#39;&lt;/span&gt; rule types" style="rounded=1;html=1;fontSize=16;glass=0;strokeWidth=1;shadow=1;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
55+
<mxGeometry x="163.5" y="375" width="191" height="110" as="geometry" />
56+
</mxCell>
57+
<mxCell id="WIyWlLk6GJQsqaUBKTNV-12" value="&lt;span&gt;Decoder Events Only&lt;/span&gt;" style="rounded=1;html=1;fontSize=16;glass=0;strokeWidth=1;shadow=1;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
58+
<mxGeometry x="-30" y="535" width="160" height="55" as="geometry" />
59+
</mxCell>
60+
<mxCell id="3Z0NyFf9CSu-jNyiQ6yW-0" value="Yes" style="edgeStyle=orthogonalEdgeStyle;rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=16;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=1;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="3Z0NyFf9CSu-jNyiQ6yW-1" target="3Z0NyFf9CSu-jNyiQ6yW-2" edge="1">
61+
<mxGeometry x="-0.0769" y="20" relative="1" as="geometry">
62+
<mxPoint as="offset" />
63+
</mxGeometry>
64+
</mxCell>
65+
<mxCell id="3Z0NyFf9CSu-jNyiQ6yW-3" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;fontSize=16;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="3Z0NyFf9CSu-jNyiQ6yW-1" target="WIyWlLk6GJQsqaUBKTNV-6" edge="1">
66+
<mxGeometry relative="1" as="geometry" />
67+
</mxCell>
68+
<mxCell id="3Z0NyFf9CSu-jNyiQ6yW-4" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=16;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="3Z0NyFf9CSu-jNyiQ6yW-3" vertex="1" connectable="0">
69+
<mxGeometry x="-0.1667" relative="1" as="geometry">
70+
<mxPoint y="-20" as="offset" />
71+
</mxGeometry>
72+
</mxCell>
73+
<mxCell id="3Z0NyFf9CSu-jNyiQ6yW-1" value="Is IPDOnly" style="rhombus;html=1;shadow=1;fontFamily=Helvetica;fontSize=16;align=center;strokeWidth=1;spacing=5;spacingTop=2;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
74+
<mxGeometry x="-340" y="390" width="100" height="80" as="geometry" />
75+
</mxCell>
76+
<mxCell id="3Z0NyFf9CSu-jNyiQ6yW-2" value="&lt;span&gt;Protocol Detection Only&lt;/span&gt;" style="rounded=1;html=1;fontSize=16;glass=0;strokeWidth=1;shadow=1;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
77+
<mxGeometry x="-370" y="535" width="160" height="65" as="geometry" />
78+
</mxCell>
79+
<mxCell id="3Z0NyFf9CSu-jNyiQ6yW-10" value="&lt;div&gt;&lt;span&gt;Like IP Only&lt;/span&gt;&lt;br&gt;(has negated address(es))&lt;br&gt;&lt;/div&gt;" style="rounded=1;html=1;fontSize=16;glass=0;strokeWidth=1;shadow=1;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
80+
<mxGeometry x="183.5" y="260" width="151" height="70" as="geometry" />
81+
</mxCell>
82+
<mxCell id="2s8PCpyst4B-AYq6nZVi-3" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;fontSize=16;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="2s8PCpyst4B-AYq6nZVi-2" target="3Z0NyFf9CSu-jNyiQ6yW-10" edge="1">
83+
<mxGeometry relative="1" as="geometry">
84+
<Array as="points" />
85+
</mxGeometry>
86+
</mxCell>
87+
<mxCell id="2s8PCpyst4B-AYq6nZVi-4" value="&lt;div&gt;Yes&lt;br&gt;&lt;/div&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=16;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="2s8PCpyst4B-AYq6nZVi-3" vertex="1" connectable="0">
88+
<mxGeometry x="-0.4" relative="1" as="geometry">
89+
<mxPoint y="-20" as="offset" />
90+
</mxGeometry>
91+
</mxCell>
92+
<mxCell id="2s8PCpyst4B-AYq6nZVi-2" value="&lt;div&gt;Contains&lt;/div&gt;&lt;div&gt;Negated&lt;/div&gt;&lt;div&gt;Address?&lt;/div&gt;" style="rhombus;html=1;fontSize=16;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
93+
<mxGeometry x="-190" y="240" width="140" height="110" as="geometry" />
94+
</mxCell>
95+
<mxCell id="YKtqplUdx_BT4Hee0G-G-1" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;fontSize=16;shadow=1;fontStyle=0" edge="1" parent="WIyWlLk6GJQsqaUBKTNV-1" source="YKtqplUdx_BT4Hee0G-G-0" target="3Z0NyFf9CSu-jNyiQ6yW-1">
96+
<mxGeometry relative="1" as="geometry" />
97+
</mxCell>
98+
<mxCell id="YKtqplUdx_BT4Hee0G-G-0" value="Signature" style="shape=parallelogram;html=1;strokeWidth=1;perimeter=parallelogramPerimeter;whiteSpace=wrap;rounded=1;arcSize=12;size=0.23;fontSize=16;shadow=1;fontStyle=0" vertex="1" parent="WIyWlLk6GJQsqaUBKTNV-1">
99+
<mxGeometry x="-345" y="230" width="110" height="60" as="geometry" />
100+
</mxCell>
101+
</root>
102+
</mxGraphModel>
103+
</diagram>
104+
</mxfile>
