cancel
Showing results for 
Search instead for 
Did you mean: 
James_Affeld
F5 Employee
F5 Employee

Protocol Inspection custom rules use a subset of keywords from Snort rules syntax. The AFM Manual Snort rule reference lists things you CAN use, but during a call with a customer it came up that it would be useful to call out things you CAN'T use. I went through the items in the Payload Detection Rule Options section of the Snort manual and found the following:

Unsupported Snort Keywords

  • protected_content
  • hash
  • length
  • rawbytes
  • http_raw_cookie
  • http_raw_header
  • http_raw_uri
  • http_stat_code      #support is intended, but a validation bug prevents use
  • http_stat_msg      #support is intended, but a validation bug prevents use
  • http_encode
  • fast_pattern           #this is an allowed but ignored keyword. It is not relevant to the PI signature engine.
  • uricontent
  • urilen
  • isdataat
  • pkt_data
  • file_data
  • base64_decode
  • base64_data
  • byte_extract
  • byte_math
  • ftp_bounce
  • asn1
  • cvs
  • dce_iface
  • dce_opnum
  • dce_stub_data
  • sip_method         #see SIP family of compliance checks instead
  • sip_stat_code     #see SIP family of compliance checks instead
  • sip_header          #see SIP family of compliance checks instead
  • sip_body             #see SIP family of compliance checks instead
  • gtp_type             #see GTP family of compliance checks instead
  • gtp_info              #see GTP family of compliance checks instead
  • gtp_version        #see GTP family of compliance checks instead
  • ssl_version
  • ssl_state

For more information on using Protocol Inspection custom signatures, refer to the AFM Manual, and "Converting a Snort Rule to an AFM Protocol Inspection Custom Signature " here on DevCentral.

Version history
Last update:
‎01-Apr-2022 11:04
Updated by: