Skip to content

Detect int count 7211 v1 #13897

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Detect int count 7211 v1 #13897

wants to merge 2 commits into from

Conversation

catenacyber
Copy link
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7211

Describe changes:

  • fix some typo in json schema
  • Allows to match on the number of integers in case of a multi-integer

SV_BRANCH=OISF/suricata-verify#2662

@catenacyber
doc: fix enip_command name in json schema
d18fff4 
enip.command is not a keyword nor an alias
@catenacyber
detect/integers: count argument for multi-integers
ca5b5bc 
Ticket: 7211

Allows to count the number of elements, without matching on
individual elements
@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline = 27696

@catenacyber catenacyber mentioned this pull request Sep 25, 2025
Draft
victorjulien
victorjulien reviewed Sep 26, 2025
View reviewed changes
doc/userguide/rules/integer-keywords.rst
without matching to a specific value.

The syntax is::
keyword: count [mode] value;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this be extended (separately) to multi-buffer? dns.query: count >1;

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes ! that is done in #13902 which builds on top of that PR ;-)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ping @victorjulien ;-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien victorjulien left review comments

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@catenacyber @suricata-qa @victorjulien