userguide: explain rule types and categorization - v10 #12411
Conversation
Add documentation about the rule types introduced by commit 2696fda. Add doc tags around code definitions that are referenced in the docs. Task #https://redmine.openinfosecfoundation.org/issues/7031
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #12411 +/- ##
==========================================
- Coverage 80.63% 80.62% -0.02%
==========================================
Files 917 917
Lines 258687 258687
==========================================
- Hits 208601 208569 -32
- Misses 50086 50118 +32
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 24247 |
| A fake packet is then injected in the flow to finish up processing before ending it. | ||
|
|
||
| Those two types will be more documented soon (tracking | ||
| `#7424 <https://redmine.openinfosecfoundation.org/issues/7424>`_. |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
|
||
| ``app_layer``, ``app_tx``, ``pkt``, ``stream`` and ``stream-pkt`` flows. | ||
|
|
There was a problem hiding this comment.
require_packet and require_stream can be seen as flags "need_packet" and "need_stream" in the engine analysis output
|
I think this is great. I added 2 minor comments. When they are addressed I think we're ready to merge and do any further updates incrementally. |
| (``ip_only``) | ||
| - Flow (if existing). Packets (if not part of a flow) | ||
| - Once per direction | ||
| - On IP addresses on the flow |
There was a problem hiding this comment.
A very minor thing but these rules are also sensitive to port numbers (you say that in the section below), so this should maybe say that data is inspected too (plus the protocol?)
There was a problem hiding this comment.
Good eyes for catching that. I may have to reword the other section, as ports don't affect rule types though, so I must think well on how to explain this...
+1 I think this is fantastic and covers all of my inputs from the earlier revisions. Thank you for all of the hard work and attention to detail that has gone into this!! |
|
Comments and conflicts addressed with #12487 |
Add documentation about the rule types introduced by commit 2696fda.
Add doc tags around code definitions that are referenced in the docs.
Task #https://redmine.openinfosecfoundation.org/issues/7031
Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7031
Previous PR: #12209
Sharing as a Draft considering there's still one flowchart missing, we'll want to have it, before actually merging this work.
Compiled version of the doc can be seen at: https://suri-rtd-test.readthedocs.io/en/doc-sigtypes-et-properties-v10/rules/rule-types.html#detailed-flowcharts-sig-type
Describe changes:
flowbitssetandissetand impact on rule state-- move doc to last within the
Suricata Ruleschapter-- add more flowcharts to the end of the documents (now missing one for DE only)
-- add brief explanation about pseudo packet
-- add brief explanation for each rule
-- move some of the notes/ warnings to specific rule type subsection
-- add reference to each rule type subsections to the signature types table
-- add a reference to the Transactions devguide doc