Applies To:
Show VersionsBIG-IP AFM
- 14.0.1, 14.0.0
Inspecting Protocol Anomalies
About protocol anomaly inspection
In the BIG-IP® Network Firewall, you can configure profiles to inspect traffic against protocol inspection items. Protocol inspection items are arranged in categories by the Service type. You can assign protocol inpsection items individualy or in groups. You can add a new inspection item by writing a valid Snort rule and defining matching characteristics. You can assign protocol inspection items to a firewall rule, or directly to a virtual server.
- Profile applied to a virtual server firewall rule
- Profile applied directly to a virtual server
- Profile applied to a route domain
- Profile applied to the global context
Task list
Creating a protocol inspection profile
Viewing protocol inspection items
Creating protocol inspection items
Snort rule reference
This document includes the Snort commands that are currently supported when writing Snort rules.
Snort rule overview
Protocol Anomaly Inspection supports a subset of Snort rules. See the Snort users manual for more information. Snort rules can be written as pcre (perl-compatible regular expressions). Negotiation (!) is not supported.
Parameters supported with content and pcre
The following parameters are supported when using the content and pcre commands. See content and pcre.
- nocase
- depth
- offset
- distance
- within
- http_client_body
- http_cookie
- http_header
- http_method
- http_uri
- http_stat_code
- http_stat_msg
- fast_pattern
Parameters supported with byte_test
All parameters for byte_test are supported except dce and bitmask. See the byte_test.
Parameters supported with byte_jump
All parameters for byte_jump are supported except dce, multiplier, align, post_offset, and bitmask. See byte_jump.
Parameters supported in metadata
The following parameters are supported in metadata. See metadata.
- service
- policy balanced-ips
The following parameters are supported in reference. See reference.
- url
- cve
- bugtraq
The following additional commands are supported.
- msg
- classtype
- flow
- rev
The following parameters are added:
- protocol
- accuracy
- risk
- systems
- documentation
- last_updated
- performance_impact