31-Mar-2022 09:00 - edited 01-Apr-2022 11:04
Protocol Inspection custom rules use a subset of keywords from Snort rules syntax. The AFM Manual Snort rule reference lists things you CAN use, but during a call with a customer it came up that it would be useful to call out things you CAN'T use. I went through the items in the Payload Detection Rule Options section of the Snort manual and found the following:
For more information on using Protocol Inspection custom signatures, refer to the AFM Manual and "Converting a Snort Rule to an AFM Protocol Inspection Custom Signature" here on DevCentral.