doc/userguide: document iprep isset/isnotset

doc/userguide/rules/ip-reputation-rules.rst

@@ -29,7 +29,37 @@ Example:
 
   alert ip $HOME_NET any -> any any (msg:"IPREP internal host talking to CnC server"; flow:to_server; iprep:dst,CnC,>,30; sid:1; rev:1;)
 
-This rule will alert when a system in $HOME_NET acts as a client while communicating with any IP in the CnC category that has a reputation score set to greater than 30.
+This rule will alert when a system in ``$HOME_NET`` acts as a client while communicating with any IP in the CnC category that has a reputation score set to greater than 30.
+
+isset and isnotset
+~~~~~~~~~~~~~~~~~~
+
+``isset`` and ``isnotset`` can be used to test reputation "membership"
+
+::
+
+    iprep:<side to check>,<category>,<isset|issnotset>
+
+
+``side to check``: <any|src|dst|both>
+
+``category``: the category short name
+
+To test whether an IP is part of an iprep set at all, the ``isset`` can be used. It acts as a ``>=,0`` statement.
+
+.. container:: example-rule
+
+   drop ip $HOME_NET any -> any any (:example-rule-options:`iprep:src,known-bad-hosts,isset;` sid:1;)
+
+In this example traffic to any IP with a score in ``known-bad-hosts`` would be blocked.
+
+``isnotset`` can be used to test if an IP is not a part of the set.
+
+.. container:: example-rule
+
+   drop ip $HOME_NET any -> any any (:example-rule-options:`iprep:src,trusted-hosts,isnotset;` sid:1;)
+
+In this example traffic for a host w/o a trust score would be blocked.
 
 Compatibility with IP-only
 ~~~~~~~~~~~~~~~~~~~~~~~~~~