userguide: explain rule types and categorization - v9

doc/userguide/configuration/suricata-yaml.rst

@@ -2577,6 +2577,8 @@ Engine analysis and profiling
 Suricata offers several ways of analyzing performance of rules and the
 engine itself.
 
+.. _config:engine-analysis:
+
 Engine-analysis
 ~~~~~~~~~~~~~~~
 

doc/userguide/rules/index.rst

@@ -4,6 +4,7 @@ Suricata Rules
 .. toctree::
 
    intro
+   rule-types
    meta
    header-keywords
    payload-keywords

doc/userguide/rules/intro/RawFlowcharts/OverallAlgoHorizontal-20241127.drawio

@@ -0,0 +1,104 @@
+<mxfile host="app.diagrams.net" agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" version="24.9.1">
+  <diagram id="C5RBs43oDa-KdzZeNtuy" name="Page-1">
+    <mxGraphModel dx="2261" dy="792" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
+      <root>
+        <mxCell id="WIyWlLk6GJQsqaUBKTNV-0" />
+        <mxCell id="WIyWlLk6GJQsqaUBKTNV-1" parent="WIyWlLk6GJQsqaUBKTNV-0" />
+        <mxCell id="WIyWlLk6GJQsqaUBKTNV-4" value="No" style="rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=16;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=1;labelBackgroundColor=none;edgeStyle=orthogonalEdgeStyle;labelBorderColor=none;textShadow=0;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-6" target="WIyWlLk6GJQsqaUBKTNV-10" edge="1">
+          <mxGeometry y="20" relative="1" as="geometry">
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="WIyWlLk6GJQsqaUBKTNV-5" value="No" style="edgeStyle=orthogonalEdgeStyle;rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=16;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=1;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="2s8PCpyst4B-AYq6nZVi-2" target="WIyWlLk6GJQsqaUBKTNV-7" edge="1">
+          <mxGeometry x="0.0039" y="15" relative="1" as="geometry">
+            <mxPoint as="offset" />
+            <mxPoint x="-120" y="220" as="sourcePoint" />
+            <Array as="points">
+              <mxPoint x="-120" y="195" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="2s8PCpyst4B-AYq6nZVi-1" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;endArrow=blockThin;endFill=1;fontSize=16;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-6" target="2s8PCpyst4B-AYq6nZVi-2" edge="1">
+          <mxGeometry relative="1" as="geometry">
+            <mxPoint x="-120" y="200" as="targetPoint" />
+            <Array as="points">
+              <mxPoint x="-120" y="360" />
+              <mxPoint x="-120" y="360" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="YKtqplUdx_BT4Hee0G-G-2" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=16;fontStyle=0" vertex="1" connectable="0" parent="2s8PCpyst4B-AYq6nZVi-1">
+          <mxGeometry x="-0.05" y="-3" relative="1" as="geometry">
+            <mxPoint x="17" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="WIyWlLk6GJQsqaUBKTNV-6" value="Is IpOnly" style="rhombus;html=1;shadow=1;fontFamily=Helvetica;fontSize=16;align=center;strokeWidth=1;spacing=5;spacingTop=2;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+          <mxGeometry x="-170" y="390" width="100" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="WIyWlLk6GJQsqaUBKTNV-7" value="&lt;span&gt;IP Only&lt;/span&gt;" style="rounded=1;html=1;fontSize=16;glass=0;strokeWidth=1;shadow=1;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+          <mxGeometry x="213.5" y="160" width="91" height="70" as="geometry" />
+        </mxCell>
+        <mxCell id="WIyWlLk6GJQsqaUBKTNV-8" value="No" style="rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=16;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=1;labelBackgroundColor=none;edgeStyle=orthogonalEdgeStyle;labelBorderColor=none;textShadow=0;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-10" target="WIyWlLk6GJQsqaUBKTNV-11" edge="1">
+          <mxGeometry x="0.3333" y="20" relative="1" as="geometry">
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="WIyWlLk6GJQsqaUBKTNV-9" value="Yes" style="edgeStyle=orthogonalEdgeStyle;rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=16;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=1;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-10" target="WIyWlLk6GJQsqaUBKTNV-12" edge="1">
+          <mxGeometry x="-0.0769" y="20" relative="1" as="geometry">
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="WIyWlLk6GJQsqaUBKTNV-10" value="Is DEOnly" style="rhombus;html=1;shadow=1;fontFamily=Helvetica;fontSize=16;align=center;strokeWidth=1;spacing=5;spacingTop=2;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+          <mxGeometry y="390" width="100" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="WIyWlLk6GJQsqaUBKTNV-11" value="Handle &lt;span&gt;&#39;Packet&#39;&lt;/span&gt;, &lt;span&gt;&#39;Stream&#39;&lt;/span&gt;, &#39;&lt;span&gt;AppLayer&#39;&lt;/span&gt; and &lt;span&gt;&#39;AppLayer Transaction&#39;&lt;/span&gt; rule types" style="rounded=1;html=1;fontSize=16;glass=0;strokeWidth=1;shadow=1;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+          <mxGeometry x="163.5" y="375" width="191" height="110" as="geometry" />
+        </mxCell>
+        <mxCell id="WIyWlLk6GJQsqaUBKTNV-12" value="&lt;span&gt;Decoder Events Only&lt;/span&gt;" style="rounded=1;html=1;fontSize=16;glass=0;strokeWidth=1;shadow=1;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+          <mxGeometry x="-30" y="535" width="160" height="55" as="geometry" />
+        </mxCell>
+        <mxCell id="3Z0NyFf9CSu-jNyiQ6yW-0" value="Yes" style="edgeStyle=orthogonalEdgeStyle;rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=16;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=1;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="3Z0NyFf9CSu-jNyiQ6yW-1" target="3Z0NyFf9CSu-jNyiQ6yW-2" edge="1">
+          <mxGeometry x="-0.0769" y="20" relative="1" as="geometry">
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="3Z0NyFf9CSu-jNyiQ6yW-3" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;fontSize=16;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="3Z0NyFf9CSu-jNyiQ6yW-1" target="WIyWlLk6GJQsqaUBKTNV-6" edge="1">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="3Z0NyFf9CSu-jNyiQ6yW-4" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=16;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="3Z0NyFf9CSu-jNyiQ6yW-3" vertex="1" connectable="0">
+          <mxGeometry x="-0.1667" relative="1" as="geometry">
+            <mxPoint y="-20" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="3Z0NyFf9CSu-jNyiQ6yW-1" value="Is IPDOnly" style="rhombus;html=1;shadow=1;fontFamily=Helvetica;fontSize=16;align=center;strokeWidth=1;spacing=5;spacingTop=2;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+          <mxGeometry x="-340" y="390" width="100" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="3Z0NyFf9CSu-jNyiQ6yW-2" value="&lt;span&gt;Protocol Detection Only&lt;/span&gt;" style="rounded=1;html=1;fontSize=16;glass=0;strokeWidth=1;shadow=1;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+          <mxGeometry x="-370" y="535" width="160" height="65" as="geometry" />
+        </mxCell>
+        <mxCell id="3Z0NyFf9CSu-jNyiQ6yW-10" value="&lt;div&gt;&lt;span&gt;Like IP Only&lt;/span&gt;&lt;br&gt;(has negated address(es))&lt;br&gt;&lt;/div&gt;" style="rounded=1;html=1;fontSize=16;glass=0;strokeWidth=1;shadow=1;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+          <mxGeometry x="183.5" y="260" width="151" height="70" as="geometry" />
+        </mxCell>
+        <mxCell id="2s8PCpyst4B-AYq6nZVi-3" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;fontSize=16;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="2s8PCpyst4B-AYq6nZVi-2" target="3Z0NyFf9CSu-jNyiQ6yW-10" edge="1">
+          <mxGeometry relative="1" as="geometry">
+            <Array as="points" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="2s8PCpyst4B-AYq6nZVi-4" value="&lt;div&gt;Yes&lt;br&gt;&lt;/div&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=16;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="2s8PCpyst4B-AYq6nZVi-3" vertex="1" connectable="0">
+          <mxGeometry x="-0.4" relative="1" as="geometry">
+            <mxPoint y="-20" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="2s8PCpyst4B-AYq6nZVi-2" value="&lt;div&gt;Contains&lt;/div&gt;&lt;div&gt;Negated&lt;/div&gt;&lt;div&gt;Address?&lt;/div&gt;" style="rhombus;html=1;fontSize=16;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+          <mxGeometry x="-190" y="240" width="140" height="110" as="geometry" />
+        </mxCell>
+        <mxCell id="YKtqplUdx_BT4Hee0G-G-1" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;fontSize=16;shadow=1;fontStyle=0" edge="1" parent="WIyWlLk6GJQsqaUBKTNV-1" source="YKtqplUdx_BT4Hee0G-G-0" target="3Z0NyFf9CSu-jNyiQ6yW-1">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="YKtqplUdx_BT4Hee0G-G-0" value="Signature" style="shape=parallelogram;html=1;strokeWidth=1;perimeter=parallelogramPerimeter;whiteSpace=wrap;rounded=1;arcSize=12;size=0.23;fontSize=16;shadow=1;fontStyle=0" vertex="1" parent="WIyWlLk6GJQsqaUBKTNV-1">
+          <mxGeometry x="-345" y="230" width="110" height="60" as="geometry" />
+        </mxCell>
+      </root>
+    </mxGraphModel>
+  </diagram>
+</mxfile>