Manual Chapter : Snort rule reference

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Snort rule reference

This document includes the Snort commands that are currently supported when writing Snort rules.

Snort rule overview

Protocol Anomaly Inspection supports a subset of Snort rules. See the Snort users manual for more information. Snort rules can be written as pcre (perl-compatible regular expressions). Negation (
!
) is not supported.

Parameters supported with content and pcre

The following parameters are supported when using the
content
and
pcre
commands. See content and pcre.
  • nocase
  • depth
  • offset
  • distance
  • within
  • http_client_body
  • http_cookie
  • http_header
  • http_method
  • http_uri

Parameters supported with byte_test

All parameters for
byte_test
are supported except
dce
and
bitmask
. See the byte_test.

Parameters supported with byte_jump

All parameters for
byte_jump
are supported except
dce
,
multiplier
,
align
,
post_offset
, and
bitmask
. See byte_jump.

Parameters supported in metadata

The following parameter is supported in
metadata
. See metadata.
  • service
The following parameters are supported in
reference
. See reference.
  • url
  • cve
  • bugtraq
The following additional parameters are supported.
  • Description
  • Attack Type
  • Direction
  • Revision
The following parameters are added:
  • protocol
  • accuracy
  • risk
  • systems
  • documentation
  • last_updated
  • performance_impact