I’m creating a script to check the validity of custom rules, and I implemented a check for valid rule protocols based on the list in the Suricata documentation. When I ran the script against existing rules during testing, I noticed some rules failed the protocol validation check because they contained either pkthdr or ipv6 as the protocol. For example:
alert pkthdr any any -> any any (msg:"SURICATA IPv4 packet too small"; decode-event:ipv4.pkt_too_small; classtype:protocol-command-decode; sid:2200000; rev:2;)
alert ipv6 any any -> any any (msg:"SURICATA RH Type 0"; decode-event:ipv6.rh_type_0; classtype:protocol-command-decode; sid:2200093; rev:2;)
I can see from the source code, such as suricata/decoder-events.rules at master · OISF/suricata · GitHub and suricata/detect-engine-proto.c at dff7e7d34e179fc3973bde22fcca6852ada98d24 · OISF/suricata · GitHub, that pkthdr and ipv6 are valid. Should the docs include these as valid protocols?
EDIT: I’ve noticed the same issue with tls, tcp-pkt, ftp-data, and tcp-stream protocol values.
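As an added example (not the poster's script), here is a minimal protocol check of the kind described above. The documented protocol set is an illustrative subset I assumed, and the extra set is the values this post found in shipped rules; the third sample rule is a constructed negative case.

```python
import re
from typing import List, Optional, Tuple

# Illustrative subset of protocols from the Suricata rule docs (assumed here).
DOCUMENTED_PROTOCOLS = {"tcp", "udp", "icmp", "ip", "http", "dns"}
# Values the post found in shipped rules (decoder-events.rules, detect-engine-proto.c).
UNDOCUMENTED_BUT_VALID = {"pkthdr", "ipv6", "tls", "tcp-pkt", "ftp-data", "tcp-stream"}
VALID_PROTOCOLS = DOCUMENTED_PROTOCOLS | UNDOCUMENTED_BUT_VALID

# Rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>[A-Za-z0-9_-]+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)

# Constructed sample: the two rules from the post plus one deliberately bad protocol.
SAMPLE_RULES = """\
alert pkthdr any any -> any any (msg:"SURICATA IPv4 packet too small"; decode-event:ipv4.pkt_too_small; classtype:protocol-command-decode; sid:2200000; rev:2;)
alert ipv6 any any -> any any (msg:"SURICATA RH Type 0"; decode-event:ipv6.rh_type_0; classtype:protocol-command-decode; sid:2200093; rev:2;)
# constructed negative case: 'foo' is not a Suricata protocol
alert foo any any -> any any (msg:"constructed bad protocol"; sid:1000001; rev:1;)
"""

def rule_protocol(rule: str) -> Optional[str]:
    """Return the protocol field of a rule line, or None if the header does not parse."""
    m = RULE_RE.match(rule)
    return m.group("proto").lower() if m else None

def check_protocol(rule: str) -> Tuple[bool, str]:
    """Return (is_valid, reason) for the protocol field of one rule line."""
    proto = rule_protocol(rule)
    if proto is None:
        return False, "rule header did not parse"
    if proto in VALID_PROTOCOLS:
        return True, proto
    return False, f"unknown protocol {proto!r}"

def check_rules(text: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every non-comment rule that fails the check."""
    failures = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and commented-out rules
        ok, reason = check_protocol(line)
        if not ok:
            failures.append((lineno, reason))
    return failures

if __name__ == "__main__":
    for lineno, reason in check_rules(SAMPLE_RULES):
        print(f"line {lineno}: {reason}")
```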