Manual Chapter : Snort rule reference

Applies To:

BIG-IP AFM

  • 15.0.0

This document includes the Snort commands that are currently supported when writing Snort rules.

Snort rule overview

Protocol Anomaly Inspection supports a subset of Snort rules. See the Snort users manual for more information. Snort rules can be written using pcre (Perl-compatible regular expressions). Negation (!) is not supported.

Parameters supported with content and pcre

The following parameters are supported when using the content and pcre commands. See content and pcre.
  • nocase
  • depth
  • offset
  • distance
  • within
  • http_client_body
  • http_cookie
  • http_header
  • http_method
  • http_uri
  • http_stat_code
  • http_stat_msg
  • fast_pattern

Parameters supported with byte_test

All parameters for byte_test are supported except dce and bitmask. See byte_test.

Parameters supported with byte_jump

All parameters for byte_jump are supported except dce, multiplier, align, post_offset, and bitmask. See byte_jump.

Parameters supported in metadata

The following parameters are supported in metadata. See metadata.
  • service
  • policy balanced-ips
The following parameters are supported in reference. See reference.
  • url
  • cve
  • bugtraq
The following additional commands are supported.
  • msg
  • classtype
  • flow
  • rev
The following parameters are added:
  • protocol
  • accuracy
  • risk
  • systems
  • documentation
  • last_updated
  • performance_impact
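
The lists above can be turned into a pre-import check for existing Snort rules. The following is an added example, not F5 code or part of the original manual: it assumes Snort 2 option syntax, assumes the "added" parameters are written like ordinary rule options, and the function names and sample rules are constructed for illustration. Any option the page does not list is reported for manual review.

```python
import re

# Keyword lists copied from this page.
SUPPORTED = set("""content pcre nocase depth offset distance within http_client_body
    http_cookie http_header http_method http_uri http_stat_code http_stat_msg fast_pattern
    byte_test byte_jump metadata reference msg classtype flow rev""".split())
# Assumption: the page's "added" parameters are written like ordinary rule options.
SUPPORTED |= set("protocol accuracy risk systems documentation last_updated "
                 "performance_impact".split())
EXCLUDED = {"byte_test": {"dce", "bitmask"},
            "byte_jump": {"dce", "multiplier", "align", "post_offset", "bitmask"}}
REFERENCE_TYPES = {"url", "cve", "bugtraq"}
# One option: plain characters, backslash escapes, or a quoted string (may hold ';').
OPTION = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')

def split_options(rule):
    """Return the options between the rule's outer parentheses, split on unquoted ';'."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [m.strip() for m in OPTION.findall(body) if m.strip()]

def lint(rule):
    """Return findings for options this page does not list as supported."""
    findings = []
    for option in split_options(rule):
        name, _, arg = (part.strip() for part in option.partition(":"))
        if name not in SUPPORTED:
            findings.append(f"{name}: option not listed")
        elif name in ("content", "pcre") and arg.startswith("!"):
            findings.append(f"{name}: negation (!) is not supported")
        elif name in EXCLUDED:
            used = {field.split()[0] for field in arg.split(",") if field.strip()}
            findings += [f"{name}: {p} is not supported" for p in sorted(used & EXCLUDED[name])]
        elif name == "reference" and arg.split(",")[0].strip() not in REFERENCE_TYPES:
            findings.append(f"reference: type {arg.split(',')[0].strip()} not listed")
        elif name == "metadata":
            for words in (item.split() for item in arg.split(",")):
                if words and words[:1] != ["service"] and words[:2] != ["policy", "balanced-ips"]:
                    findings.append(f"metadata: {' '.join(words)} not listed")
    return findings

# Constructed sample rules, not taken from the page.
OK_RULE = (r'alert tcp any any -> any 80 (msg:"constructed ok"; flow:to_server,established; '
           r'content:"GET"; http_method; nocase; pcre:"/\/admin;?/U"; '
           r'metadata:service http, policy balanced-ips drop; reference:url,example.com/x; rev:1;)')
BAD_RULE = (r'alert tcp any any -> any any (msg:"constructed bad"; content:!"safe"; '
            r'byte_test:4,>,1000,0,relative,bitmask 0xff; byte_jump:2,0,multiplier 2,align; '
            r'isdataat:10; metadata:policy security-ips drop; reference:nessus,11111; rev:2;)')
```

Calling lint(OK_RULE) returns an empty list, while lint(BAD_RULE) returns one finding per unsupported element in rule order.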