Next: Non-Payload Detection Rule Options Up: Payload Detection Rule Options Previous: ssl_state   Contents

Payload Detection Quick Reference

Table 3.10: Payload detection rule option keywords
Keyword Description
content

The content keyword allows the user to set rules that search for specific content in the packet payload and trigger response based on that data.

rawbytes

The rawbytes keyword allows rules to look at the raw packet data, ignoring any decoding that was done by preprocessors.

depth

The depth keyword allows the rule writer to specify how far into a packet Snort should search for the specified pattern; the search window is counted from the point where the search begins (the start of the payload, or the offset if one is given), and the pattern must fit entirely inside it.

offset

The offset keyword allows the rule writer to specify where to start searching for a pattern within a packet.

distance

The distance keyword allows the rule writer to specify how many bytes Snort should skip after the end of the previous content match before it starts searching for the specified pattern.

within

The within keyword is a content modifier that requires the pattern to be found entirely within the N bytes following the end of the previous content match (after any distance skip), so that at most N bytes are consumed between the two matches.

uricontent

The uricontent keyword in the Snort rule language searches the normalized request URI field.

isdataat

The isdataat keyword verifies that the payload has data at a specified location.

pcre

The pcre keyword allows rules to be written using Perl-compatible regular expressions.

byte_test

The byte_test keyword converts a field of a given width at a given offset into a number and compares it against a specific value using an operator (<, >, =, !, &, ^).

byte_jump

The byte_jump keyword allows rules to read the length of a portion of data from the packet, then skip that far forward, so that subsequent relative options search from the new position.

ftpbounce

The ftpbounce keyword detects FTP bounce attacks by checking whether the address given in a PORT command differs from the client's source IP address.

asn1

The asn1 detection plugin decodes a packet or a portion of a packet, and looks for various malicious encodings.

cvs

The cvs keyword detects invalid Entry strings in CVS client requests (cvs:invalid-entry;).

dce_iface

See the DCE/RPC 2 Preprocessor section 2.2.15.

dce_opnum

See the DCE/RPC 2 Preprocessor section 2.2.15.

dce_stub_data

See the DCE/RPC 2 Preprocessor section 2.2.15.

sip_method

See the SIP Preprocessor section 2.2.18.

sip_stat_code

See the SIP Preprocessor section 2.2.18.

sip_header

See the SIP Preprocessor section 2.2.18.

sip_body

See the SIP Preprocessor section 2.2.18.

gtp_type

See the GTP Preprocessor section 2.2.20.

gtp_info

See the GTP Preprocessor section 2.2.20.

gtp_version

See the GTP Preprocessor section 2.2.20.
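
The interplay of offset, depth, distance, within, byte_test and byte_jump is easiest to see by running rule options over a byte string. The following Python is an added example and is not Snort's own implementation: it models the documented semantics of these options over the raw payload (depth counted from offset; within counted from the end of the previous match after any distance skip; byte_jump moving the point later relative options search from), including Snort's retry of an earlier content match at its next occurrence when a later relative option fails. The payload PAYLOAD and the Content, ByteTest and ByteJump classes are constructed here for illustration and assume big-endian fields unless told otherwise, as Snort does by default.

```python
"""Model of Snort 2.9 content modifiers, byte_test and byte_jump.

Added illustrative code, not Snort's own implementation. It approximates the
documented semantics over a raw payload: offset/depth select an absolute
window, distance/within a window relative to the end of the previous match.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Union

# Constructed sample payload (not a real capture): "ABC", a 2-byte big-endian
# length field (3) at bytes 3-4, the 3-byte field "DEF", then "xxHELLO".
PAYLOAD = b"ABC\x00\x03DEFxxHELLO"


@dataclass
class Content:
    pattern: bytes
    offset: int = 0                 # absolute: start searching here
    depth: Optional[int] = None     # absolute: window length counted from offset
    distance: Optional[int] = None  # relative: bytes to skip after previous match
    within: Optional[int] = None    # relative: window length after the skip


@dataclass
class ByteTest:
    nbytes: int            # field width in bytes (1-4 in Snort)
    op: str                # one of < > = & ^
    value: int
    offset: int            # from payload start, or from previous match if relative
    relative: bool = False
    little: bool = False   # little-endian field; Snort defaults to big-endian


@dataclass
class ByteJump:
    nbytes: int
    offset: int
    relative: bool = False
    little: bool = False
    multiplier: int = 1


Option = Union[Content, ByteTest, ByteJump]


def content_matches(payload: bytes, c: Content, doe: int) -> Iterator[int]:
    """Yield the index just past every occurrence of c.pattern lying entirely
    inside the window its modifiers select. doe ("detect offset end") is the
    index just past the previous match, 0 before any match."""
    if c.distance is not None or c.within is not None:
        start = doe + (c.distance or 0)
        length = c.within if c.within is not None else len(payload) - start
    else:
        start = c.offset
        length = c.depth if c.depth is not None else len(payload) - start
    if start < 0 or start > len(payload):
        return
    window = payload[start:start + length]
    idx = window.find(c.pattern)
    while idx >= 0:
        yield start + idx + len(c.pattern)
        idx = window.find(c.pattern, idx + 1)


def _read_field(payload: bytes, nbytes: int, pos: int, little: bool) -> Optional[int]:
    field = payload[pos:pos + nbytes]
    if pos < 0 or len(field) != nbytes:
        return None
    return int.from_bytes(field, "little" if little else "big")


def byte_test(payload: bytes, t: ByteTest, doe: int) -> bool:
    v = _read_field(payload, t.nbytes, (doe if t.relative else 0) + t.offset, t.little)
    if v is None:
        return False
    return {"<": v < t.value, ">": v > t.value, "=": v == t.value,
            "&": (v & t.value) != 0, "^": (v ^ t.value) != 0}[t.op]


def byte_jump(payload: bytes, j: ByteJump, doe: int) -> Optional[int]:
    """Return the new doe after skipping the length the field encodes, or None."""
    pos = (doe if j.relative else 0) + j.offset
    v = _read_field(payload, j.nbytes, pos, j.little)
    if v is None:
        return None
    new_doe = pos + j.nbytes + v * j.multiplier
    return new_doe if new_doe <= len(payload) else None


def evaluate(payload: bytes, options: List[Option], doe: int = 0) -> bool:
    """Evaluate options in rule order. A content option is tried at every
    occurrence in its window, so a later relative option that fails causes a
    retry with the next occurrence of the earlier pattern."""
    if not options:
        return True
    opt, rest = options[0], options[1:]
    if isinstance(opt, Content):
        return any(evaluate(payload, rest, end) for end in content_matches(payload, opt, doe))
    if isinstance(opt, ByteTest):
        return byte_test(payload, opt, doe) and evaluate(payload, rest, doe)
    new_doe = byte_jump(payload, opt, doe)
    return new_doe is not None and evaluate(payload, rest, new_doe)
```

For instance, the option list [Content(b"ABC"), ByteJump(2, 0, relative=True), Content(b"HELLO", distance=2, within=5)] corresponds to content:"ABC"; byte_jump:2,0,relative; content:"HELLO"; distance:2; within:5; and matches PAYLOAD because the jump lands just past "DEF" and "HELLO" starts two bytes later; with within:4 it fails because the five-byte pattern no longer fits in the window. The model searches only the raw payload; rawbytes, uricontent and the preprocessor-specific options in the table select other buffers, and Snort additionally rejects at parse time a depth or within smaller than the pattern it modifies.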


Eugene Misnik 2013-05-08