doc/ndpi: add note about requires keyword

Suggest that rules using ndpi keywords should also test for existence of the keyword with requires.
OISF · Jan 24, 2025 · 3258704 · 3258704
1 parent 9954e18
commit 3258704
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 4 deletions.
diff --git a/doc/userguide/rules/ndpi-protocol.rst b/doc/userguide/rules/ndpi-protocol.rst
@@ -15,6 +15,11 @@ Example of configuring Suricata to be compiled with nDPI support:
 
     ./configure --enable-ndpi --with-ndpi=/home/user/nDPI
 
+Note that rules using the ``ndpi-protocol`` should check if the
+``ndpi-protocol`` keyword exists with ``requires``, for example::
+
+  requires: keyword ndpi-protocol
+
 Example of suricata.yaml configuration file to load the ``ndpi`` plugin::
 
   plugins:
@@ -39,5 +44,5 @@ Here is an example of a rule matching TLS traffic on port 53:
 
 .. container:: example-rule
 
-    alert tcp any any -> any 53 (msg:"TLS traffic over DNS standard port"; ndpi-protocol:TLS; sid:1;)
+    alert tcp any any -> any 53 (msg:"TLS traffic over DNS standard port"; requires: keyword ndpi-protocol; ndpi-protocol:TLS; sid:1;)
 
diff --git a/doc/userguide/rules/ndpi-risk.rst b/doc/userguide/rules/ndpi-risk.rst
@@ -14,8 +14,13 @@ by nDPI during the packet dissection and include:
 - Malware host contacted
 - and many other...
 
-Suricata should be compiled with the nDPI support and the ``ndpi`` 
-plugin must be loaded before it can be used. 
+Suricata should be compiled with nDPI support and the ``ndpi`` plugin
+must be loaded before it can be used.
+
+Additionally, rules using the ``ndpi-risk`` keyword should check if
+the keyword exists using the ``requires`` keyword, for example::
+
+  ``requires: keyword ndpi-risk``
 
 Example of configuring Suricata to be compiled with nDPI support:
 
@@ -45,5 +50,5 @@ Here is an example of a rule matching HTTP traffic transferring a binary applica
 
 .. container:: example-rule
 
-    alert tcp any any -> any any (msg:"Binary application transfer over HTTP"; ndpi-protocol:HTTP; ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER; sid:1;)
+    alert tcp any any -> any any (msg:"Binary application transfer over HTTP"; requires: keyword ndpi-protocol, keyword ndpi-risk; ndpi-protocol:HTTP; ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER; sid:1;)