
Unsupported Snort Keywords in Protocol Inspection

Protocol Inspection custom rules use a subset of the keywords from Snort rule syntax. The AFM Manual's Snort rule reference lists the keywords you CAN use, but during a call with a customer it came up that it would also be useful to call out the keywords you CAN'T use. I went through the items in the Payload Detection Rule Options section of the Snort manual and found the following:

Unsupported Snort Keywords

  • protected_content
  • hash
  • length
  • rawbytes
  • http_raw_cookie
  • http_raw_header
  • http_raw_uri
  • http_stat_code    # support is intended, but a validation bug prevents use
  • http_stat_msg     # support is intended, but a validation bug prevents use
  • http_encode
  • fast_pattern      # allowed but ignored; it is not relevant to the PI signature engine
  • uricontent
  • urilen
  • isdataat
  • pkt_data
  • file_data
  • base64_decode
  • base64_data
  • byte_extract
  • byte_math
  • ftp_bounce
  • asn1
  • cvs
  • dce_iface
  • dce_opnum
  • dce_stub_data
  • sip_method        # see the SIP family of compliance checks instead
  • sip_stat_code     # see the SIP family of compliance checks instead
  • sip_header        # see the SIP family of compliance checks instead
  • sip_body          # see the SIP family of compliance checks instead
  • gtp_type          # see the GTP family of compliance checks instead
  • gtp_info          # see the GTP family of compliance checks instead
  • gtp_version       # see the GTP family of compliance checks instead
  • ssl_version
  • ssl_state
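
A practical use of this list is to lint a Snort rule before attempting to convert it into a Protocol Inspection custom signature, so that unsupported options are caught up front rather than at validation time. The script below is an added example written for this article, not F5 code and not part of the AFM product: it encodes the keyword list above, splits a rule's option block while respecting quoted values (a `;` inside `content:"..."` or escaped as `\;` does not end an option), and reports each option the PI engine cannot use, together with the note the list attaches to it. The sample rules are constructed for illustration.

```python
"""Flag Snort rule options that AFM Protocol Inspection custom signatures do not support.

Added example; the keyword list mirrors the article, the rules below are constructed.
"""

# Keywords the article lists as unsupported by the PI signature engine.
UNSUPPORTED = {
    "protected_content", "hash", "length", "rawbytes",
    "http_raw_cookie", "http_raw_header", "http_raw_uri",
    "http_stat_code", "http_stat_msg", "http_encode",
    "uricontent", "urilen", "isdataat", "pkt_data", "file_data",
    "base64_decode", "base64_data", "byte_extract", "byte_math",
    "ftp_bounce", "asn1", "cvs", "dce_iface", "dce_opnum", "dce_stub_data",
    "sip_method", "sip_stat_code", "sip_header", "sip_body",
    "gtp_type", "gtp_info", "gtp_version", "ssl_version", "ssl_state",
}

# Extra guidance the article attaches to particular keywords.
NOTES = {
    "http_stat_code": "support intended, but a validation bug prevents use",
    "http_stat_msg": "support intended, but a validation bug prevents use",
    "fast_pattern": "allowed but ignored by the PI signature engine",
    **{k: "use the SIP family of compliance checks instead"
       for k in ("sip_method", "sip_stat_code", "sip_header", "sip_body")},
    **{k: "use the GTP family of compliance checks instead"
       for k in ("gtp_type", "gtp_info", "gtp_version")},
}


def split_options(rule: str) -> list[str]:
    """Return the option keywords of a Snort rule, in order.

    Options live inside the outermost parentheses and are separated by ';'.
    A ';' inside a double-quoted value or escaped as '\\;' does not end an option.
    """
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end == -1 or end < start:
        raise ValueError("rule has no option block")
    body = rule[start + 1:end]
    keywords, token, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # character after a backslash is literal
            token.append(ch)
            escaped = False
        elif ch == "\\":
            token.append(ch)
            escaped = True
        elif ch == '"':
            token.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:  # option terminator
            opt = "".join(token).strip()
            if opt:
                keywords.append(opt.split(":", 1)[0].strip())
            token = []
        else:
            token.append(ch)
    tail = "".join(token).strip()        # last option without a trailing ';'
    if tail:
        keywords.append(tail.split(":", 1)[0].strip())
    return keywords


def lint_rule(rule: str) -> list[tuple[str, str]]:
    """Return (keyword, reason) for every option the PI engine cannot use or ignores."""
    findings = []
    for kw in split_options(rule):
        if kw in UNSUPPORTED:
            findings.append((kw, NOTES.get(kw, "unsupported in Protocol Inspection")))
        elif kw in NOTES:                # fast_pattern: accepted but has no effect
            findings.append((kw, NOTES[kw]))
    return findings


# Constructed sample rules (not from any real ruleset).
RULES = [
    'alert tcp any any -> any 80 (msg:"clean; semicolon in msg"; content:"GET /a;b"; http_uri; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"uses unsupported options"; uricontent:"/admin"; urilen:<10; fast_pattern; sid:1000002;)',
    'alert udp any any -> any 5060 (msg:"sip method"; sip_method:invite; content:"x"; sid:1000003;)',
]

if __name__ == "__main__":
    for rule in RULES:
        findings = lint_rule(rule)
        print(rule[:60] + "...", "->", "OK" if not findings else "")
        for kw, reason in findings:
            print(f"    {kw}: {reason}")
```

Only the keyword before the first `:` of each option is inspected, so modifiers such as `nocase` and `http_uri` that PI does support pass through untouched; a rule that reports no findings still has to satisfy the other constraints in the AFM Manual's Snort rule reference.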

For more information on using Protocol Inspection custom signatures, refer to the AFM Manual and to "Converting a Snort Rule to an AFM Protocol Inspection Custom Signature" here on DevCentral.

Updated Apr 01, 2022
Version 2.0