As mentioned previously, a custom signature file is in Snort format and these can be created by third parties or by the system administrator. Snort is described in depth at https://snort.org. The standard form of Snort signatures is a filter followed by options:
action protocol src-net src-ports direction dest-net dest-ports ( options )
However, it is important to be aware of how some Snort file conventions are interpreted by cOS Stream and what limitations exist. This is described next.
Snort Filter Usage
The Snort filter is interpreted as follows:
action
Ignored. The actions associated with the triggering IPSRuleAction object are used instead.
protocol
Only the values tcp, udp or icmp are supported.
source-net
Ignored.
source-port
Syntax:
<min> <min>:<max> <min>: :<max> any
If <min> is left out, it defaults to 0. If <max> is left out, it defaults to <min>, unless <min>: is supplied, in which case <max> defaults to 65535. Only a single port range is supported; negated ranges are not supported. Commonly used variables, such as $HTTP_PORTS, are not supported.
direction
Only -> is supported.
destination-net
Ignored.
destination-port
This follows the same rules as source-port.
Supported Options
The following Snort options are supported, with any restrictions listed:
content:[!]"string |0d 0a|";
Specifies a string to look for in the packet data. Hex data can be embedded, as shown. Some characters need to be escaped, like \, ", | and ;
uricontent:[!]"string |00|";
Specifies a string to look for in the normalized HTTP URI. Hex data can be embedded, as shown. Some characters need to be escaped, like \, ", | and ;
http_uri;
Modifies the preceding content option to look in the normalized HTTP URI instead of the raw packet data.
nocase;
Modifies the preceding content or uricontent to be case insensitive.
offset:<uint>;
Modifies the preceding content, specifying that the search for it should start <uint> bytes into the packet. Only positive offsets are supported.
depth:<uint>;
Modifies the preceding content, specifying that it will only be searched for within <uint> bytes from the start of the packet, or from the content's offset (see above) if one is set.
distance:<uint>;
Modifies the preceding content, specifying that the search for it should start <uint> bytes from the point where the previous content matched. Only positive distances are supported. This defaults to zero, which makes all contents ordered.
within:<uint>;
Modifies the preceding content, limiting the number of bytes searched to find it to <uint>, counted from the previous content match plus distance (if specified, see above). Only positive within values are supported.
dsize:[<|>]<number>;
Packet size must be less than (<), equal to (no prefix), or greater than (>) <number>. The packet size range form dsize:<min><><max>; is not supported. isdataat is not supported.
flowbits:set,<flag>;
Set a flag in the flow that can be tested by other signatures.
flowbits:noalert;
This signature will never trigger a log/drop action. Useful together with flowbits:set,<flag>; for signatures that match often and are not attacks in themselves, but enable other signatures that would otherwise be prone to false positives.
flowbits:isset,<flag>;
Specifies that a certain flag must be set in the flow for this signature to match.
flow:<keywords>;
A comma separated list of groups. Only the following options are supported:
msg:"message";
Message/name included in logs.
sid:<uint>;
Signature id, included in logs.
rev:<uint>;
Signature revision, included in logs.
reference:<type>,<id>;
Example:
reference:cve,2004-0646; reference:cve,CAN-2005-1252;reference:bugtraq,9368; reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html; reference:nessus,11131;reference:cve,2017-5638;
metadata:<key> <value>(, <key> <value>)*;
Key and value are separated by a space and may not contain " " (space), "," or ";". Multiple key-value pairs are separated by commas.
classtype:<class name>;
Defines the type of threat that this signature detects. Example:
attempted-admin, shellcode-detect, trojan-activity, web-application-attack, misc-attack, network-scan
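As an added example (not part of the cOS Stream documentation or product), the following Python linter checks a Snort rule against the restrictions listed above before it is loaded as a custom signature: supported protocols, direction, single port range without negation or variables, and the supported option keywords with their value constraints. The rule strings in it are constructed for illustration.

```python
import re

# Restrictions taken from the cOS Stream description of the supported Snort subset.
SUPPORTED_PROTOCOLS = {"tcp", "udp", "icmp"}
SUPPORTED_OPTIONS = {"content", "uricontent", "http_uri", "nocase", "offset", "depth",
                     "distance", "within", "dsize", "flowbits", "flow", "msg", "sid",
                     "rev", "reference", "metadata", "classtype"}
UINT_OPTIONS = {"offset", "depth", "distance", "within"}   # only positive values supported
PORT_RE = re.compile(r"^(any|\d+|\d+:|:\d+|\d+:\d+)$")      # <min> <min>:<max> <min>: :<max> any
HEADER_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

def check_port(spec):
    """Return an issue for one port field, or None. Single range only; no !, lists or $VARS."""
    if spec.startswith("$"):
        return f"port variable {spec} not supported"
    if spec.startswith("!"):
        return f"negated port range {spec} not supported"
    if not PORT_RE.match(spec):
        return f"port syntax {spec} not supported (single range only)"
    return None

def split_options(opts):
    """Split the option body on ';' outside double quotes, honouring backslash escapes."""
    parts, buf, in_quote, escaped = [], "", False, False
    for ch in opts:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == '"':
            buf, in_quote = buf + ch, not in_quote
        elif ch == ";" and not in_quote:
            parts.append(buf.strip()); buf = ""
        else:
            buf += ch
    return parts + ([buf.strip()] if buf.strip() else [])

def lint_rule(rule):
    """Return the list of things cOS Stream would not accept in this Snort rule (empty = OK)."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["rule is not of the form: action protocol src sport direction dst dport ( options )"]
    _action, proto, _src, sport, direction, _dst, dport, opts = m.groups()
    issues = [f"protocol {proto} not supported"] if proto.lower() not in SUPPORTED_PROTOCOLS else []
    if direction != "->":
        issues.append(f"direction {direction} not supported (only ->)")
    issues += [p for p in (check_port(sport), check_port(dport)) if p]
    for opt in split_options(opts):
        key, _, val = (s.strip() for s in opt.partition(":"))
        if key not in SUPPORTED_OPTIONS:
            issues.append(f"option {key} not supported")
        elif key in UINT_OPTIONS and not val.isdigit():
            issues.append(f"{key}:{val} must be a non-negative integer")
        elif key == "dsize" and "<>" in val:
            issues.append("dsize range form <min><><max> not supported")
    return issues
```

Run lint_rule over each line of a third-party rule file and reject the file if any line returns a non-empty list; the messages name the exact construct to rewrite.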