My Support
  1. AskF5 Home
  2. Knowledge Center
  3. BIG-IP AFM: Network Firewall Policies and Implementations
  4. Protocol Security
  5. About protocol anomaly inspection
  6. Create protocol inspection items
  7. Snort rule reference
Manual Chapter : Snort rule reference

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 16.0.0, 15.1.1, 15.1.0
Manual Chapter

Snort rule reference

This document includes the Snort commands that are currently supported when writing Snort rules.

Snort rule overview

Protocol Anomaly Inspection supports a subset of Snort rules. See the Snort users manual for more information. Snort rules can be written as pcre (perl-compatible regular expressions). Negation (
!
) is not supported.

Parameters supported with content and pcre

The following parameters are supported when using the
content
 and
pcre
 commands. See content and pcre.
  • nocase
  • depth
  • offset
  • distance
  • within
  • http_client_body
  • http_cookie
  • http_header
  • http_method
  • http_uri
  • http_stat_code
  • http_stat_msg
  • fast_pattern

Parameters supported with byte_test

All parameters for
byte_test
 are supported except
dce
 and
bitmask
. See the byte_test.

Parameters supported with byte_jump

All parameters for
byte_jump
 are supported except
dce
,
multiplier
,
align
,
post_offset
, and
bitmask
. See byte_jump.

Parameters supported in metadata

The following parameters are supported in
metadata
. See metadata.
  • service
  • policy balanced-ips
The following parameters are supported in
reference
. See reference.
  • url
  • cve
  • bugtraq
The following additional commands are supported.
  • msg
  • classtype
  • flow
  • rev
The following parameters are added:
  • protocol
  • accuracy
  • risk
  • systems
  • documentation
  • last_updated
  • performance_impact

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks

©2020 F5, Inc. All rights reserved.

Policies Privacy Trademarks