My Support
  1. AskF5 Home
  2. Knowledge Center
  3. BIG-IP AFM: Network Firewall Policies and Implementations
  4. Protocol Security
  5. About protocol anomaly inspection
  6. Create protocol inspection items
  7. Snort rule reference
Manual Chapter : Snort rule reference

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 17.0.0, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Snort rule reference

This document includes the Snort commands that are currently supported when writing Snort rules.

Snort rule overview

Protocol Anomaly Inspection supports a subset of Snort rules. See the Snort users manual for more information. Snort rules can be written as pcre (perl-compatible regular expressions). Negation (
!
) is not supported.

Parameters supported with content and pcre

The following parameters are supported when using the
content
 and
pcre
 commands. See content and pcre.
  • nocase
  • depth
  • offset
  • distance
  • within
  • http_client_body
  • http_cookie
  • http_header
  • http_method
  • http_uri

Parameters supported with byte_test

All parameters for
byte_test
 are supported except
dce
 and
bitmask
. See the byte_test.

Parameters supported with byte_jump

All parameters for
byte_jump
 are supported except
dce
,
multiplier
,
align
,
post_offset
, and
bitmask
. See byte_jump.

Parameters supported in metadata

The following parameter is supported in
metadata
. See metadata.
  • service
The following parameters are supported in
reference
. See reference.
  • url
  • cve
  • bugtraq
The following additional parameters are supported.
  • Description
  • Attack Type
  • Direction
  • Revision
The following parameters are added:
  • protocol
  • accuracy
  • risk
  • systems
  • documentation
  • last_updated
  • performance_impact

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks

©2021 F5, Inc. All rights reserved.

Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information