Force10 Networks 100-00055-01 Network Card User Manual


 
70 Writing Rules
When a packet is stored in either Temporary Memory or Match Memory, a pointer to the previously stored
packet in the same flow (contained in a portion of the flow register C_f) is also stored. Thus a packet stored
in Match Memory may reference another packet stored in Temporary Memory, which in turn may
reference more packets, thus forming a linked list of partial matches, starting with the packet stored in Match
Memory.
The values for r_i have the following meanings:
0: do not store the packet (it is discarded after the rule has updated the C_f register)
1: store the packet in Temporary Memory
2: store the packet in Match Memory and notify host software
Note: If the Hash key option is selected, the R=2 flag no longer causes the packet to be stored in
Temporary Memory.
Stateful Rule Examples
Table 20 Stateful Matching Signatures
Signature 1: alert on c0 tcp any any -> any any (msg: "SYN"; flags:S; S:1; R:0; C:3;)
Signature 2: alert on c0 tcp any any -> any any (msg: "ack"; flags:A+; S:2; R:1; C:4;)
Signature 3: alert on c0 tcp any any -> any any (msg: "ack"; flags:A+; S:4; R:2; C:4;)
Signature 4: alert on c0 tcp any any -> any any (msg: "frag"; dsize: 0 <> 100; S:1; R:1; C:9;)
Signature 5: alert on c0 tcp any any -> any any (msg: "frag"; dsize: 0 <> 100; S:8; R:1; C:16;)
Signature 6: alert on c0 tcp any any -> any any (msg: "frag"; dsize: 0 <> 100; S:16; R:2; C:16;)
In Table 20:
Signature 1 matches any TCP SYN packet, erasing any expired C_f register. If this signature triggers,
meaning a SYN is present, it sets bits 0 and 1 (value 3) in the C_f register. The SYN packet itself is
discarded (R=0).
Signature 2 triggers if Signature 1 has triggered (the C_f register has bit 1 set) and a TCP packet
contains the ACK bit. The result of this match is that bit 2 (value 4) is set in the C_f register. The packet
is stored in Temporary Memory (R=1).
Signature 3 triggers if Signature 2 has triggered (the C_f register has bit 2, value 4, set) and a later
TCP packet contains the ACK bit. This match does not modify the existing content of the C_f register.
The packet is stored in Match Memory, referencing the packet matched by Signature 2. The DPI driver
then presents to the host the packet matched by Signature 2, followed by the packet matched by
Signature 3, through the DPI network interface.
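The following software model of the stateful matcher is an added example; it is not Force10 code or firmware and only reproduces the behaviour the text above describes (the C_f flow register, the S/R/C options, Temporary and Match Memory, and the linked list of partial matches). It runs the six signatures of Table 20 over constructed packets, including a timed-out flow, so a reader can see which rule fires on each packet and which packet chain the host would receive. Points the manual leaves open are filled with labelled assumptions: a fresh or expired register starts at value 1 (bit 0), a rule qualifies when every bit of its S value is set in C_f, the last qualifying rule in the table wins, and a Match Memory entry becomes the head of the chain for later hits. The Hash key option is not modelled.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TCP_SYN, TCP_ACK, TCP_PSH = 0x02, 0x10, 0x08     # standard TCP flag bits
R_DISCARD, R_TEMP, R_MATCH = 0, 1, 2           # the R option values
INITIAL_CF = 1   # ASSUMPTION: a fresh or expired C_f register holds bit 0 only


@dataclass
class Packet:
    num: int            # position in the constructed trace, for reporting only
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    dsize: int          # payload length, as tested by the dsize option
    ts: float           # arrival time in seconds

    def flow_key(self) -> Tuple[str, int, str, int]:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class Signature:
    msg: str
    s: int                              # bits that must already be set in C_f
    r: int                              # storage action (R option)
    c: int                              # bits to set in C_f on a hit (C option)
    test: Callable[[Packet], bool]      # the rule's packet-level options


@dataclass
class Stored:
    pkt: Packet
    prev: Optional["Stored"]            # pointer to the earlier packet of this flow


class StatefulMatcher:
    def __init__(self, sigs: List[Signature], timeout: float = 60.0):
        self.sigs, self.timeout = sigs, timeout
        # flow key -> (C_f value, last seen, tail of the partial-match list)
        self.flows: Dict[tuple, Tuple[int, float, Optional[Stored]]] = {}
        self.temp_mem: List[Stored] = []
        self.match_mem: List[Stored] = []
        self.host_queue: List[List[Packet]] = []   # chains handed to the host

    def process(self, pkt: Packet) -> Optional[int]:
        """Run one packet through the table; return the 1-based number of the
        signature that fired, or None."""
        key = pkt.flow_key()
        cf, last, tail = self.flows.get(key, (INITIAL_CF, pkt.ts, None))
        if pkt.ts - last > self.timeout:          # expired register is erased
            cf, tail = INITIAL_CF, None
        hit = None
        for idx, sig in enumerate(self.sigs, start=1):
            # ASSUMPTION: all S bits must be set; the last qualifying rule wins,
            # which is what lets Signature 3 beat Signature 2 on the second ACK.
            if (cf & sig.s) == sig.s and sig.test(pkt):
                hit, hit_sig = idx, sig
        if hit is not None:
            cf |= hit_sig.c                       # "sets bits ... in the C_f register"
            if hit_sig.r == R_TEMP:
                tail = Stored(pkt, tail)
                self.temp_mem.append(tail)
            elif hit_sig.r == R_MATCH:
                entry = Stored(pkt, tail)
                self.match_mem.append(entry)
                self.host_queue.append(self.chain(entry))
                tail = entry                      # ASSUMPTION: later hits chain from here
            # R_DISCARD: packet dropped, register update kept
        self.flows[key] = (cf, pkt.ts, tail)
        return hit

    @staticmethod
    def chain(entry: Stored) -> List[Packet]:
        """Walk the prev pointers from Match Memory back through Temporary
        Memory and return the packets in arrival order."""
        out, node = [], entry
        while node is not None:
            out.append(node.pkt)
            node = node.prev
        return out[::-1]


# Table 20, with flags:S as "exactly SYN", flags:A+ as "ACK plus anything",
# and dsize: 0 <> 100 as 0 < dsize < 100.
TABLE_20 = [
    Signature("SYN",  1,  R_DISCARD, 3,  lambda p: p.flags == TCP_SYN),
    Signature("ack",  2,  R_TEMP,    4,  lambda p: bool(p.flags & TCP_ACK)),
    Signature("ack",  4,  R_MATCH,   4,  lambda p: bool(p.flags & TCP_ACK)),
    Signature("frag", 1,  R_TEMP,    9,  lambda p: 0 < p.dsize < 100),
    Signature("frag", 8,  R_TEMP,    16, lambda p: 0 < p.dsize < 100),
    Signature("frag", 16, R_MATCH,   16, lambda p: 0 < p.dsize < 100),
]


def _run(pkts: List[Packet], timeout: float = 60.0):
    m = StatefulMatcher(TABLE_20, timeout)
    hits = [m.process(p) for p in pkts]
    return hits, [[p.num for p in ch] for ch in m.host_queue]


def run_handshake_demo():
    """Constructed trace: SYN, ACK, ACK on one flow (Signatures 1-3)."""
    f = ("10.0.0.1", 40000, "10.0.0.2", 80)
    return _run([Packet(1, *f, TCP_SYN, 0, 0.0), Packet(2, *f, TCP_ACK, 0, 0.1),
                 Packet(3, *f, TCP_ACK, 0, 0.2)])


def run_fragment_demo():
    """Constructed trace: three small data segments on one flow (Signatures 4-6)."""
    f = ("10.0.0.3", 51000, "10.0.0.2", 443)
    return _run([Packet(n, *f, TCP_ACK | TCP_PSH, 50, n / 10) for n in (1, 2, 3)])


def run_expiry_demo():
    """Constructed trace: SYN, then an ACK after the register has timed out."""
    f = ("10.0.0.4", 52000, "10.0.0.2", 22)
    return _run([Packet(1, *f, TCP_SYN, 0, 0.0), Packet(2, *f, TCP_ACK, 0, 100.0)])[0]


if __name__ == "__main__":
    print(run_handshake_demo(), run_fragment_demo(), run_expiry_demo())
```

In the handshake trace the SYN is discarded, the first ACK lands in Temporary Memory, and the second ACK lands in Match Memory pointing back at the first, so the host receives the chain (2, 3) exactly as the text describes; the fragment trace produces the chain (1, 2, 3). Once the register has expired, the ACK finds no state and no rule fires, which is the behaviour a practitioner should expect when tuning the timeout.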