Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
[ no ] bearer 3gpp apn [ case-sensitive ] operator valueoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withvalue must be an alpha and/or numeric string of 1 through 62 characters in length, and can contain punctuation characters.bearer 3gpp apn = apn12operator must be one of the following:
• !=: Does not equal
• =: Equals{ !range | range } imsi-pool imsi_pool!range | range: Specifies the range criteria:
• !range: Not in the range of
• range: In the range ofimsi-pool imsi_pool: Specifies the IMSI pool name. imsi_pool must be a string of 1 through 63 characters in length.The following command creates a rule definition to analyze user traffic for the IMSI number 9198838330912:bearer 3gpp imsi = 9198838330912[ no ] bearer 3gpp rat-type operator ratoperator must be one of the following:
• !=: does not equal
• =: equals
• geran: GSM EDGE Radio Access Network type
• utran: UMTS Terrestrial Radio Access Network type
• wlan: Wireless LAN typeThe following command creates a rule definition for analyzing user traffic for the WLAN RAT type wlan:bearer 3gpp rat-type = wlan[ no ] bearer 3gpp sgsn-address operator addressoperator must be one of the following:
• !=: does not equal
• =: equalsaddress must be an SGSN IP address expressed in standard IPv4 or IPv6 dotted decimal notation.Use this command to specify a rule definition to analyze user traffic based on IP address of SGSN node. This command replaces the bearer sgsn-address command.bearer 3gpp sgsn-address = 19.88.3.8[ no ] bearer 3gpp2 bsid [ case-sensitive ]operator bs_idoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withbs_id must be an alpha and/or numeric string of 1 through 12 characters in length, and can contain punctuation characters.The following command creates a rule definition for analyzing user traffic for a 3GPP2 BSID named bs001_xyz:bearer 3gpp2 bsid = bs001_xyz[ no ] bearer 3gpp2 service-optionoperator option_codeoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: more than or equalsoption_code must be an integer from 0 through 1000.bearer 3gpp2 service-option = 1034Important: In StarOS 8.1 and later, this command is deprecated and is replaced by the bearer 3gpp apn command.
[ no ] bearer apn [ case-sensitive ]operator valueoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withvalue must be an alpha and/or numeric string of 1 through 62 characters in length, and can contain punctuation characters.bearer apn = apn12Important: In StarOS 8.1 and later, this command is deprecated and is replaced by the bearer 3gpp imsi command.
operator must be one of the following:
• !=: Does not equal
• =: Equals{ !range | range } imsi-pool imsi_pool!range | range: Specifies the range criteria:
• !range: Not in the range of
• range: In the range ofimsi-pool imsi_pool: Specifies the IMSI pool name. imsi_pool must be a string of 1 through 63 characters in length.The following command creates a rule definition to analyze user traffic for an IMSI number 9198838330912:bearer imsi = 9198838330912Important: In StarOS 8.1 and later, this command is deprecated and is replaced by the bearer 3gpp rat-type command.
[ no ] bearer rat-typeoperator ratoperator must be one of the following:
• !=: does not equal
• =: equals
• geran: GSM EDGE Radio Access Network type
• utran: UMTS Terrestrial Radio Access Network type
• wlan: Wireless LAN typeThe following command creates a rule definition for analyzing user traffic for the WLAN RAT type wlan:bearer rat-type = wlanImportant: In StarOS 8.1 and later, this command is deprecated and is replaced by the bearer 3gpp sgsn-address command.
[ no ] bearer sgsn-addressoperator addressoperator must be one of the following:
• !=: does not equal
• =: equalsaddress must be an SGSN IP address expressed in standard IPv4 or IPv6 notation.bearer sgsn-address = 19.88.3.8Important: This functionality is only available if the license for Content Access Control (P/N: 699-00-0011) has been purchased and installed.
[ no ] bearer traffic-group operator grp_numoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsgrp_num must be an integer from 1 through 255.Use this command to specify a rule definition to analyze user traffic based on the traffic group value. See the fa-ha-spi command in the HA Service Configuration Mode Commands chapter for more information.operator must be one of the following:
• !=: does not equal
• <=: lesser than equal
• =: equals
• >=: greater than equalcca quota-state = limit-reachedThis command configures the value of the redirect-indicator state of the credit control application.[ no ] cca redirect-indicator operatorindicatoroperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsindicator must be an integer from 0 through 4294967295.Important: For the RADIUS server configured with different values to return for this AVP the ECS requires rule definitions to match the different values for system to associate with Charging Actions that have different redirect URLs configured.
Following command specifies redirect indicator as 1234 for URL redirect AVP:[ no ] dns answer-name [ case-sensitive ]operator valueoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withvalue must be an alpha and/or numeric string of 1 through 255 characters in length, and can contain punctuation characters.The following command creates a rule definition for analyzing user traffic for a answer name of test:dns answer-name = test[ no ] dns any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• dns any-match = TRUE[ no ] dns previous-stateoperatordns_stateoperator must be one of the following:
• !=: does not equal
• =: equalsdns_state must be one of the following:
•
• The following command creates a rule definition for analyzing user traffic using a previous state of req-sent:dns previous-state = req-sent[ no ] dns query-name [ case-sensitive ]operator valueoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withvalue must be an alpha and/or numeric string of 1 through 255 characters in length, and can contain punctuation characters.The following command creates a rule definition for analyzing user traffic using a query name of test:dns query-name = test[ no ] dns return-codeoperator dns_responseoperator must be one of the following:
• !=: does not equal
• =: equalsdns_response must be one of the following:
•
• The following command creates a rule definition for analyzing user traffic using a DNS response of refused:dns return-code = refused[ no ] dns stateoperatordns_stateoperator must be one of the following:
• !=: does not equal
• =: equalsdns_state must be one of the following:
•
• The following command creates a rule definition for analyzing user traffic using a DNS state of req-sent:dns state = req-sent[ no ] dns tidoperatortid_valueoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalstid_value must be an integer from 1 through 65535.The following command creates a rule definition for analyzing user traffic using a DNS TID value of test:dns tid = test[ no ] email { cc | content { class | type } | from | size | subject | to } [ case-sensitive ]operator valueoperator must be one of the following except for size:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withoperator must be one of the following for size:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsThe value of the specified field. value must be an alpha and/or numeric string (allows punctuation characters) as follows:
• cc: A string of 1 through 512 characters in length
• content: A string of 1 through 128 characters in length
• from: A string of 1 through 64 characters in length
• size: A range of bytes from 1 through 4000000000 bytes
• subject: A string of 1 through 128 characters in length
• to: A string of 1 through 512 characters in lengthemail cc contains triangular@xyz.com[ no ] file-transfer any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• [ no ] file-transfer chunk-numberoperator valueoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsvalue must be an integer from 1 through 65535.The following command creates a file transfer rule definition for analyzing user traffic using 150 number of chunks:[ no ] file-transfer current-chunk-lengthoperator valueoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsvalue must be an integer from 1 through 40000000.The following command creates a file transfer rule definition for analyzing user traffic using current length of chunk as 1500000 bytes:file-transfer current-chunk-length = 1500000[ no ] file-transfer declared-chunk-lengthoperator valueoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsvalue must be an integer from 1 through 40000000.The following command creates a file transfer rule definition for analyzing user traffic using declared length of chunk as 2500000 bytes:file-transfer declared-chunk-length = 2500000[ no ] file-transfer declared-file-sizeoperator sizeoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalssize must be an integer from 1 through 40000000.The following command creates a file transfer rule definition for analyzing user traffic using declared size of file as 2500000 bytes:file-transfer declared-file-size = 2500000[ no ] file-transfer filename [ case-sensitive ]operator sizeoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.[ no ] file-transfer previous-state operator previous_stateoperator must be one of the following:
• !=: does not equal
• =: equalsprevious_state must be one of the following:
• init: Specifies previous state as initialization.
• request-sent: Specifies previous state as request sent.
• transfer-error: Specifies previous state as transfer error.
• transfer-ok: Specifies previous state as transfer ok.file-transfer previous-state = init[ no ] file-transfer state operator stateoperator must be one of the following:
• !=: does not equal
• =: equalsstate must be one of the following
• init: Specifies current state as initialization.
• request-sent: Specifies current state as request sent.
• transfer-error: Specifies current state as transfer error.
• transfer-ok: Specifies current state as transfer ok.
file-transfer state = init[ no ] file-transfer transferred-file-sizeoperator sizeoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalssize must be an integer from 1 through 4000000000.[ no ] ftp any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• [ no ] ftp client-ip-addressoperatorip_addressoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsip_address must be the client’s IP address expressed in IPv4 dotted decimal or IPv6 colon notation.The following command creates an FTP rule definition for analyzing user traffic using a client IP of 1.1.1.1:ftp client-ip = 1.1.1.1[ no ] ftp client-portoperatorportoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsport must be an integer from 1 through 65535.ftp client-port = 10[ no ] ftp command args [ case-sensitive ]operator argumentoperator must be one of the following:
• !=: does not equal
• !contains: does not contains
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withargument must be a string of 1 through 127 characters in length.ftp command args = test[ no ] ftp command idoperator command_idoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsIn StarOS 9.0 and later, command_id must be an integer from 0 through 18.In StarOS 8.3 and earlier, command_id must be an integer from 0 through 15.ftp command id = 10This command defines a rule definition to analyze and charge user traffic based on FTP command name.[ no ] ftp command name operatorcommand_nameoperator must be one of the following:
• !=: does not equal
• =: equalscommand_name must be one of the following:
• abor: Abort command
• cwd: Current working directory command
• eprt: eprt command
• epsv: epsv command
• list: List command
• mode: Transfer mode command
• pass: Password command
• pasv: Passive command
• port: Port command
• quit: Quit command
• rest: Restore command
• retr: Retry command
• stor: Store command
• stru: file structure command
• syst: system command
• type: Type command
• user: user commandftp command name = list[ no ] ftp connection-typeoperatorconnection_typeoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsconnection_type must be one of the following:
• 0: unknown
• 1: control connection
• 2: data connection[ no ] ftp data-any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• [ no ] ftp filename [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withSpecifies the string for this rule definition. string must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.ftp filename = test[ no ] ftp pdu-lengthoperator pdu_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalspdu_length must be an integer from 0 through 65535.The following command creates an FTP rule definition for analyzing user traffic using an FTP pdu length of 9647 bytes:ftp pdu-length = 9647[ no ] ftp pdu-typeoperator pdu_typeoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalspdu_type must be one of the following:
• 0: unknown
• 1: command
• 2: replyftp pdu-type = 0[ no ] ftp previous-state operator previous_stateoperator must be one of the following:
• !=: does not equal
• =: equalsprevious_state must be one of the following:
• ftp previous-state = init[ no ] ftp reply codeoperator codeoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalscode must be an integer from 100 through 599.ftp reply code = 199[ no ] ftp server-ip-addressoperator ip_addressoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsip_address must be expressed in IPv4 decimal notation or IPv6 colon notation.ftp server-ip-address = 1.1.1.1[ no ] ftp server-portoperator portoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsport must be an integer from 1 through 65535.ftp server-port = 25[ no ] ftp session-lengthoperator session_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalssession_length must be an integer from 1 through 4000000000.ftp session-length = 40000operator must be one of the following:
• !=: does not equal
• =: equalsftp state = open[ no ] ftp url [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length.The following command creates an FTP rule definition for analyzing user traffic using an FTP URL string of ftp://rfc.ietf.org/rfc/rfc1738.txt:ftp url = ftp://rfc.ietf.org/rfc/rfc1738.txt[ no ] ftp user [ case-sensitive ]operator ftp_useroperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withA unique name that you specify for the FTP user. ftp_user must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command creates an FTP rule definition for analyzing user traffic using an FTP user of user1:ftp user = user1operator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withfield_name must be an alpha and/or numeric string of 1 through 31 characters in length.field_name must be an alpha and/or numeric string of 1 through 127 characters in length.operator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withfield_name must be an alpha and/or numeric string of 1 through 31 characters in length.field_name must be an alpha and/or numeric string of 1 through 127 characters in length.[ no ] http any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• [ no ] http content disposition [ case-sensitive ]operator content_disposoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withcontent_dispos must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.http content disposition = successful[ no ] http content lengthoperator content_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalscontent_length must be an integer from 1 through 4000000000.http content length = 10000[ no ] http content type [ case-sensitive ]operator content_typeoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withcontent_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.http content type = abc100[ no ] http error operator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• [ no ] http first-request-packetoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• [ no ] http header-lengthoperator header_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsheader_length must be an integer from 0 through 65535.http header-length = 10000[ no ] http host [ case-sensitive ]operator host_nameoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withhost_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.http host = host1[ no ] http payload-lengthoperator payload_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalspayload_length must be an integer from 1 through 4000000000.The following command creates an HTTP rule definition for analyzing user traffic using an HTTP payload length of 10000 bytes:http payload-length = 10000[ no ] http pdu-lengthoperator pdu_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalspdu_length must be an integer from 0 through 65535.The following command creates an HTTP rule definition for analyzing user traffic using an HTTP PDU length of 10000 bytes:http pdu-length = 10000[ no ] http previous-stateoperator previous_state
• !=: does not equal
• =: equalsprevious_state must be one of the following:
• init: init state
• response-error: response error state
• response-ok: response ok state
• waiting-for-response: waiting for response stateThe following command creates an HTTP rule definition for analyzing user traffic using an HTTP previous state of response-ok:http previous-state = response-ok[ no ] http referer [ case-sensitive ]operator referer_nameoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withreferer_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.Use this command to specify a rule definition to analyze user traffic based on an HTTP referer name.The following command creates an HTTP rule definition for analyzing user traffic using an HTTP referer to cricket.espn.com:http referer = cricket.espn.com[ no ] http reply codeoperator reply_codeoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsreply_code must be an integer from 100 through 599.http reply code = 356[ no ] http request methodoperator requestoperator must be one of the following:
• !=: does not equal
• =: equalsrequest must be one of the following requests:
•
•
•
•
•
•
•
• http request method = connect[ no ] http session-lengthoperator session_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalssession_length must be an integer from 1 through 4000000000.http session-length = 200000[ no ] http stateoperator stateoperator must be one of the following:
• !=: does not equal
• =: equalsstate must be one of the following:
• close: closed state
• response-error: response error state
• response-ok: response ok state
• waiting-for-response: waiting for response statehttp state = initoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalstrans_length must be an integer from 1 through 4000000000.range: Enables the range criteria for HTTP transaction length.!range: Disables the range criteria for HTTP transaction length.range_from: Specifies the start of range, in bytes, for HTTP transaction length.range_to: Specifies the end of range, in bytes, for HTTP transaction length.The following command creates an HTTP rule definition for analyzing user traffic using an HTTP transaction length of 10200 bytes:http transaction-length = 10200[ no ] http transfer-encoding [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.http transfer-encoding = user1[ no ] http uri [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length. string allows punctuation characters and it does not include the “host” portion.The following command creates an HTTP rule definition for analyzing user traffic using an HTTP URI string of http://www.somehost.com:http uri = http://www.somehost.com[ no ] http url [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length. string allows punctuation characters and includes “host + URI” for HTTP PDUs.The following command creates an HTTP rule definition for analyzing user traffic using an HTTP URL string of http://rfc.ietf.org/rfc/rfc1738.txt:http url = http://rfc.ietf.org/rfc/rfc1738.txt[ no ] http user-agent [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.http user-agent = xyz.123[ no ] http version [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.http version = http4.2name must be an alpha and/or numeric string of 1 through 31 characters in length.operator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command creates a rule definition for analyzing user traffic containing extension-header of test_field and value of test_string:http x-header test_field = test_string[ no ] icmp any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• [ no ] icmp codeoperator codeoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalscode must be an integer from 0 through 255.icmp code = 23[ no ] icmp typeoperator typeoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalstype must be an integer from 0 through 255. For example, 0 for ECHO Reply, 3 for Destination Unreachable, and 5 for Redirect.icmp type = 123[ no ] icmpv6 any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• icmpv6 any-match = FALSE[ no ] icmpv6 codeoperator codeoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalscode must be an integer from 0 through 255.icmpv6 code = 23[ no ] icmpv6 typeoperator typeoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalstype must be an integer from 0 through 255. For example, 0 for ECHO Reply, 3 for Destination Unreachable, and 5 for Redirect.icmpv6 type = 123content-id content_idcontent_id must be an integer from 1 through 65535.[ no ] imap any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• [ no ] imap cc [ case-sensitive ]operatorcc_addressoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withcc_address must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command creates IMAP rule definition for analyzing user traffic using recipient address triangular@xyz.com in the “cc” field of e-mail in the IMAP message:imap cc contains triangular@xyz.com[ no ] imap commandoperator commandsoperator must be one of the following:
• !=: does not equal
• =: equalscommands must be one of the following:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
• The following command creates IMAP rule definition for analyzing user traffic using presence of close command in the IMAP message;imap command = close[ no ] imap content class [ case-sensitive ]operatorcontent_classoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withcontent_class must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command creates IMAP rule definition for analyzing user traffic using content class as javax.mail.internet.MimeMultipart in the “content-class” field of e-mail in the IMAP message:imap content class contains javax.mail.internet.MimeMultipart[ no ] imap content type [ case-sensitive ]operatorcontent_typeoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withcontent_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command creates IMAP rule definition for analyzing user traffic using content type TEXT/plain; charset=iso-8859-1 in the ‘content-type’ field of e-mail in the IMAP message:imap content type contains TEXT/plain; charset=iso-8859-1[ no ] imap date [ case-sensitive ]operatordateoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withdate must be an alpha and/or numeric string of 1 through 127 characters in length.The following command creates IMAP rule definition for analyzing user traffic using date Fri, 21 Nov 1997 11:00:00 -0600 in the “date” field of e-mail in the IMAP message:imap date contains Fri, 21 Nov 1997 11:00:00 -0600[ no ] imap final-replyoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
• bad: final reply is invalid or bad.
• no: there is no final reply.
• ok: final reply is valid.The following command creates IMAP rule definition for analyzing user traffic using the final-reply condition value as bad for the last IMAP final-reply message:[ no ] imap from [ case-sensitive ]operatorfrom_stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withfrom_string must be an alpha and/or numeric string of 1 through 127 characters in length.imap from contains triangular[ no ] imap mail-sizeoperatormail_sizeoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsmail_size must be an integer from 0 through 4000000000.The following command creates IMAP rule definition for analyzing user traffic using size of e-mail as less than or equal to 23400 bytes in the IMAP message:imap mail-size <= 23400[ no ] imap mailbox-sizeoperatormail_qtyoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsmail_qty must be an integer from 0 through 65535.imap mailbox-size <= 1024[ no ] imap message-typeoperator typeoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
• command-continuation-reply: message with command-continuation-reply type.
• final-reply: message is of final reply type.
• request: there is of request type.
• untagged-reply: message of reply type, but without any tag.The following command creates IMAP rule definition for analyzing user traffic using the message type as request for the IMAP message:imap message-type = request[ no ] imap previous-stateoperator stateoperator must be one of the following:
• !=: does not equal
• =: equalsstate must be one of the following:
• init: message in initialization state.
• request-sent: message in request-sent state.The following command creates IMAP rule definition for analyzing user traffic using the previous state as init of the IMAP message which was in initialization state:[ no ] imap session-lengthoperatorsession_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalssession_length must be an integer from 1 through 4000000000.The following command creates IMAP rule definition for analyzing user traffic using session length as less than or equal to 4000 bytes for the IMAP session:imap session-length <= 4000[ no ] imap session-previous-stateoperator stateoperator must be one of the following:
• !=: does not equal
• =: equalsstate must be one of the following:
• authenticated: session authenticated
• connected: session connected
• init: session initialized
• mailbox-selected: mailbox selectedThe following command creates IMAP rule definition for analyzing user traffic using the previous state as init of the IMAP session which was initialized:[ no ] imap session-stateoperator stateoperator must be one of the following:
• !=: does not equal
• =: equalsstate must be one of the following:
• authenticated: session authenticating.
• connected: session connecting.
• logout: session logged out.
• mailbox-selected: mailbox selecting.The following command creates IMAP rule definition for analyzing user traffic using the current state as connected of the IMAP session which is in connecting state:imap session-state = connected[ no ] imap stateoperator stateoperator must be one of the following:
• !=: does not equal
• =: equalsstate must be one of the following:
• request-sent: request message sent
• response-fail: request response failed
• response-ok: request response is goodThe following command creates IMAP rule definition for analyzing user traffic using the current state as response-fail of the IMAP request message when request response is failed:imap state = response-fail[ no ] imap subject [ case-sensitive ]operatorsubjectoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withsubject must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command creates IMAP rule definition for analyzing user traffic using occurrence of My test in the “subject” field of e-mail in the IMAP message:imap subject contains My test[ no ] imap to [ case-sensitive ]operatorsubjectoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withto must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command creates IMAP rule definition for analyzing user traffic using occurrence of xyz.com in the “to” field of e-mail in the IMAP message:imap to contains xyz.com[ no ] ip any-matchoperatorconditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• [ no ] ip downlinkoperatorconditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• ip downlink = TRUE[ no ] ip dst-address { operator { ip_address|ip_address/mask } | { !range | range } host-pool host_pool }operator: Specifies how to logically match the IP destination address.operator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsip_address: Specifies IP address of the destination node for outgoing traffic in IPv4 or IPv6 standard notation. ip_address must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation.ip_address/mask: Specifies IP address of the destination node for outgoing traffic in IPv4 or IPv6 standard notation with subnet mask bit. ip_address/mask must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.!range | range: Specifies the range criteria:
• !range: Not in the range of
• range: In the range ofhost-pool host_pool: Specifies the host pool name. host_pool must be a string of 1 through 63 characters in length.ip dst-address = 1.1.1.1[ no ] ip error operator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• ip error = TRUEoperator must be one of the following:
• !=: Does not equal
• <=: Less than equals—available only in StarOS 8.1 and later
• =: Equals
• >=: greater than equals—available only in StarOS 8.1 and laterprotocol_assignment must be an integer from 0 through 255.Specifies the protocol by name. protocol must be one of the following:
•
•
•
•
•
•
• ip protocol = 1[ no ] ip server-ip-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool }operator: Specifies how to logically match the server IP address. operator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsip_address: Specifies the server IP address in IPv4 or IPv6 standard notation. For uplink packets (from subscriber) this field matches the destination IP address in the IP header, and for downlink packets (to the subscriber) it matches the source IP address in IP header. ip_address must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation.ip_address/mask: Specifies the server IP address in IPv4 or IPv6 standard notation with subnet mask bit. For uplink packets (from subscriber) this field matches the destination IP address in the IP header, and for downlink packets (to the subscriber) it matches the source IP address in IP header. ip_address/mask must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.{ !range | range } host-pool host_pool!range | range: Specifies the range criteria:
• !range: Not in the range of
• range: In the range ofhost-pool host_pool: Specifies the host pool name. host_pool must be a string of 1 through 63 characters in length.ip server-ip-address = 1.10.1.1[ no ] ip src-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool }operator: Specifies how to logically match the IP source address.operator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsip_address: Specifies IP address of the source node for incoming traffic in IPv4 or IPv6 standard notation. ip_address must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation.ip_address/mask: Specifies IP address of the source node for incoming traffic in IPv4 or IPv6 standard notation with subnet mask bit. ip_address/mask must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.{ !range | range } host-pool host_pool!range | range: Specifies the range criteria:
• !range: Not in the range of
• range: In the range ofhost-pool host_pool: Specifies the host pool name. host_pool must be a string of 1 through 63 characters in length.ip src-address = 1.1.1.1[ no ] ip subscriber-ip-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool }operator: Specifies how to logically match the subscriber IP address.operator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsip_address: Specifies the subscriber IP address. Depending on the direction of packet this IP address will be either the IP source address or the IP destination address. ip_address must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation.ip_address/mask: Specifies the subscriber IP address with subnet mask bit. Depending on the direction of packet this IP address will either be the IP source address or the IP destination address. ip_address/mask must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.{ !range | range } host-pool host_pool!range | range: Specifies the range criteria:
• !range: Not in the range of
• range: In the range ofhost-pool host_pool: Specifies the host pool name. host_pool must be a string of 1 through 63 characters in length.The following command creates an IP rule definition for analyzing user traffic using an IP address of 161.10.1.1 for subscriber:ip subscriber-ip-address = 161.10.1.1[ no ] ip total-lengthoperator total_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalstotal_length must be an integer from 0 through 4096.The following command creates an IP rule definition for analyzing user traffic using an IP total length of 2000 bytes:ip total-length = 2000[ no ] ip uplinkoperatorconditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• ip uplink = TRUE[ no ] ip version operator ip_versionoperator must be = (equals).Specifies the IP version. ip_version must be one of the following:
•
• The following command creates an IP rule definition to analyze user traffic for the IP version IPv6:ip version = ipv6[ no ] mms any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• [ no ] mms bcc [ case-sensitive ] operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.mms bcc contains test1[ no ] mms cc [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.mms cc contains test1[ no ] mms content location [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length., and can contain punctuation characters.This command defines a rule definition to analyze and charge user traffic based on MMS content type.[ no ] mms content type [ case-sensitive ] operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.[ no ] mms downlinkoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• mms downlink = TRUE[ no ] mms from [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command creates an MMS rule definition for analyzing user traffic containing test1 in the “from” field of MMS message:mms from contains test1[ no ] mms message-id [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.mms message-id contains test1[ no ] mms pdu-typeoperator pdu_typeoperator must be one of the following:
• !=: does not equal
• =: equalspdu_type must be one of the following:The following command creates an MMS rule definition for analyzing user traffic for mms-pdu-type-m-http-get of MMS PDU:[ no ] mms previous-stateoperator previous_stateoperator must be one of the following:
• !=: does not equal
• =: equalsprevious_state must be one of the following:
• The following command creates an MMS rule definition for analyzing user traffic using an MMS previous state of retrieval-pending:[ no ] mms response statusoperator status_codeoperator must be one of the following:
• !=: does not equal
• =: equalsstatus_code must be an integer from 128 through 136.mms response status != 129[ no ] mms stateoperatormms_stateoperator must be one of the following:
• !=: does not equal
• =: equalsmms_state must be one of the following:The following command creates an MMS rule definition for analyzing user traffic using current state of MMS message as retrieval-failed:[ no ] mms statusoperator statusoperator must be one of the following:
• !=: does not equal
• =: equalsstatus must be an integer from 128 through 132.mms status = 130[ no ] mms subject [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command creates an MMS rule definition for analyzing user traffic for occurrence of test1 in “subject” field of MMS message:mms subject contains test1[ no ] mms tid [ case-sensitive ]operator tid_valueoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withtid_value must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command creates a rule definition for analyzing user traffic using an MMS TID value of test:mms tid = test[ no ] mms to[ case-sensitive ]operator to_valueoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withto_value must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command creates a rule definition for analyzing user traffic using an MMS to value of test:mms to = test[ no ] mms uplinkoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equals
•
• mms uplink = TRUE[ no ] mms versionoperatorversionoperator must be one of the following:
• !=: does not equal
• =: equalsversion must be an integer from 1 through 65535.The following command creates a rule definition for analyzing user traffic using an MMS version of 1.0:mms version = 1.0[ no ] p2p any-match operator conditionoperator must be one of the following:
• =: equalscondition must be one of the following:
• TRUE: The rule matches any P2P traffic.
• FALSE: The rule does not match any P2P traffic.p2p any-match = TRUE[ no ] p2p protocol operator protocoloperator must be = (equals).protocol must be one of the following:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
• Use this command to configure detection of protocols for charging purposes. For detection purposes use the p2p detection protocol in the Active Charging Service Configuration Mode.[ no ] p2p traffic-type operator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
• [ no ] pop3 any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• [ no ] pop3 command args [ case-sensitive ]operator argumentoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withargument must be an alpha and/or numeric string of 1 through 40 characters in length, and can contain punctuation characters.pop3 command args = test[ no ] pop3 command idoperator command_idoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalscommand_id must be an integer from 1 through 12.pop3 command id = 8[ no ] pop3 command nameoperator command_nameoperator must be one of the following:
• !=: does not equal
• =: equalscommand_name must be one of the following:
•
•
•
•
•
•
•
•
•
•
•
• pop3 command name = listoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsrange: Enables the range criteria.!range: Disables the range criteria.range_from: specifies the start of range, and must be an integer from 1 through 4000000000.range_to: Specifies the end range. range_to must be an integer from 1 through 4000000000, and must be greater than range_from.mail_size must be an integer from 1 through 4000000000.The following command defines a rule definition for analyzing POP3 user traffic using a mail size of 40000:pop3 mail-size = 40000operator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsrange: Enables the range criteria.!range: Disables the range criteria.range_from: Specifies the start of range, and must be an integer from 0 through 65535.range_to: Specifies the end range. range_to must be an integer from 0 through 65535, and must be greater than range_from.pdu_length must be an integer from 0 through 65535.The following command defines a rule definition for analyzing POP3 user traffic using a PDU length of 1000 bytes:pop3 pdu-length = 1000[ no ] pop3 pdu-typeoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:The following command defines a rule definition for analyzing POP3 user traffic using a PDU type of relay-packet:[ no ] pop3 previous-stateoperator previous-stateoperator must be one of the following:
• !=: does not equal
• =: equalsprevious_state must be one of the following:
• connected: connected state
• data transaction: data transaction state
• init: initialized state
• reply-error: reply error state
• reply-ok: response ok state
• waiting-for-reply: waiting for reply statepop3 previous-state = connected[ no ] pop3 reply args [ case-sensitive ]operator argumentoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withargument must be an alpha and/or numeric string of 1 through 512 characters in length, and can contain punctuation characters.pop3 reply args = test[ no ] pop3 reply idoperator reply_idoperator must be one of the following:
• !=: does not equal
• =: equalsreply_id must be one of the following:
• 0: Unknown reply
• 1: +OK reply
• 2: -ERR replyThe following command defines a rule definition for analyzing POP3 user traffic using a reply ID of 2:pop3 reply id = 2[ no ] pop3 reply statusoperator reply_statusoperator must be one of the following:
• !=: does not equal
• =: equalsreply_status must be one of the following:
• +OK: reply OK
• -ERR: reply errorpop3 reply status = +okoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalssession_length must be an integer from 1 through 4000000000.range: Enables the range criteria for Pop3 session length.!range: Disables the range criteria for PoP3 session length.range_from: Specifies the start of range of PoP3 session length, and must be an integer from 1 through 4000000000 but less than or equal to range_to.range_to: Specifies the end of range of PoP3 session length, and must be an integer from 1 through 4000000000 but greater than or equal to range_from.pop3 session-length = 40000[ no ] pop3 stateoperator stateoperator must be one of the following:
• !=: does not equal
• =: equalsstate must be one of the following:
•
• pop3 state = close[ no ] pop3 user-name [ case-sensitive ]operator user_nameoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withuser_name must be an alpha and/or numeric string of 1 through 64 characters in length, and can contain punctuation characters.The following command defines a rule definition for analyzing POP3 user traffic using a user name of test:pop3 user-name = test[ no ] rtcp any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
• TRUE: The rule matches any RTCP traffic
• FALSE: The rule does not match any RTCP traffic[ no ] rtcp jitteroperator valueoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsvalue must be an integer from 0 through 4294967295.rtcp jitter >= 12954[ no ] rtcp parent-proto operator parent_protocoloperator must be one of the following:
• !=: does not equal
• =: equalsparent_protocol must be one of the following:
• rtsp: Real Time Streaming Protocol
• sip: Session Initiation Protocolrtcp parent-proto = sip[ no ] rtcp pdu-lengthoperator pdu_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsIn StarOS 8.1 and later, pdu_length must be an integer from 1 through 65535. In StarOS 8.0, pdu_length must be an integer from 1 through 2000.The following command creates a rule definition for analyzing user traffic using an RTCP PDU length of 10000 bytes:rtcp pdu-length = 10000[ no ] rtp rtsp-id [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 32 characters in length.rtcp rtsp-id contains test1[ no ] rtcp session-lengthoperator session_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsIn StarOS 8.1 and later, session_length must be an integer from 1 through 4000000000. In StarOS 8.0, session_length must be an integer from 1 through 40000000.rtcp session-length = 200000[ no ] rtcp uri [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length.The following command creates an RTP rule definition for analyzing user traffic using an RTCP URI string of rtsp://www.example.org:rtcp uri = rtsp://www.example.org[ no ] rtp any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• rtp any-match = TRUE[ no ] rtp parent-proto operator parent_protocoloperator must be one of the following:
• !=: does not equal
• =: equalsparent_protocol must be one of the following:
• rtsp: Real Time Streaming Protocol
• sip: Session Initiation Protocol[ no ] rtp pdu-lengthoperator pdu_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsIn StarOS 8.1 and later, pdu_length must be an integer from 1 through 65535. In StarOS 8.0, pdu_length must be an integer from 1 through 2000.The following command creates an HTTP rule definition for analyzing user traffic using an RTP PDU length of 1000 bytes:rtp pdu-length = 1000[ no ] rtp rtsp-id [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 32 characters in length.rtp rtsp-id contains test1[ no ] rtp session-lengthoperator session_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsIn StarOS 8.1 and later, session_length must be an integer from 1 through 4000000000. In StarOS 8.0, session_length must be an integer from 1 through 40000000.rtp session-length = 200000[ no ] rtp uri [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length. string allows punctuation characters and it does not include the “host” portion.The following command creates an RTP rule definition for analyzing user traffic using an RTP URI string of rtsp://www.example.org:rtp uri = rtsp://www.example.org[ no ] rtsp any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• rtsp any-match = FLASE[ no ] rtsp content lengthoperator content_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalscontent_length must be an integer from 0 through 65535.rtsp content length = 10000[ no ] rtsp content type [ case-sensitive ]operator content_typeoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withcontent_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.Use this command to specify a rule definition to analyze user traffic based on an RTSP content type.rtsp content type = abc100[ no ] rtsp date [ case-sensitive ]operator date_stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withcontent_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command creates an RTSP rule definition for analyzing user traffic using a match for date string of 12_04_2006 in RTSP message header:rtsp date = 12_04_2006[ no ] rtsp previous-stateoperator previous_stateoperator must be one of the following:
• !=: does not equal
• =: equalsprevious_state must be one of the following:
•
•
•
•
• rtsp previous-state = ready[ no ] rtsp reply codeoperator codeoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalscode must be an integer from 100 through 599.rtsp reply code = 356[ no ] rtsp request methodoperator methodoperator must be one of the following:
• !=: does not equal
• =: equalsmethod must be one of the following requests:
•
•
•
•
•
•
•
•
• rtsp request method = announce[ no ] rtsp request packetoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
• TRUE: is request
• FALSE: is response[ no ] rtsp rtp-seqoperator time_stampoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsA unique name that you specify to match with the ‘seq’ field in RTP-Info header of the RTSP message.string must be an alpha and/or numeric string of 0 through 65535 characters in Normal Play Time (NPT) time format.The following command creates an RTSP rule definition for analyzing user traffic using an RTP-seq of 2348:rtsp rtp-seq = 2348[ no ] rtsp rtp-timeoperator time_stampoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsstring must be an alpha and/or numeric string of 1 through 2147483647 characters in Normal Play Time (NPT) time format.The following command creates an RTSP rule definition for analyzing user traffic using an RTP-Time-stamp of 19970123T153600Z:rtsp rtp-time = 19970123T153600Z[ no ] rtsp rtp-uri [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length. string allows punctuation characters and it does not include the “host” portion.The following command creates an RTSP rule definition for analyzing user traffic using an RTP-URI string of rtsp://www.foo.com in RTP-info header of RTSP packet:rtsp rtp-uri = rtsp://www.foo.com[ no ] rtsp session-id [ case-sensitive ]operator session_idoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withsession_id must be an alpha and/or numeric string of 1 through 127 characters in length.The following command creates an RTSP rule definition for analyzing user traffic using an RTSP session ID of 0123abc100:rtsp session-id = 0123abc100[ no ] rtsp session-lengthoperator session_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalssession_length must be an integer from 1 through 40000000.rtsp session-length = 3000[ no ] rtsp stateoperator stateoperator must be one of the following:
• !=: does not equal
• =: equalsstate must be one of the following:
•
•
•
•
•
• rtsp state = init[ no ] rtsp uri [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length. string allows punctuation characters and it does not include the “host” portion.Use this command to specify a rule definition to analyze user traffic based on a URI in RTSP header.The following command creates an RTSP rule definition for analyzing user traffic using an RTSP URI string of rtsp://www..example.com:554/twister/audiotrack:rtsp uri = rtsp://www.example.com:554/twister/audiotrack[ no ] rtsp uri sub-part { { absolute-path | host | query } [ case-sensitive ]operator string | port {port_operator port_value | { range | !range }range_fromtorange_to} }operator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length. string allows punctuation characters and it does not include the “host” portion.Specifies how to logically match the information in the analyzed field. operator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsport_value must be an integer from 0 through 65535.range: Enables the range criteria for RTSP flow ports.!range: Disables the range criteria for RTSP flow ports.range_from: Specifies the start of range of RTSP flow ports and value must be an integer from 0 through 65535 but less than or equal to range_to.range_to: Specifies the end of range of RTSP flow ports and value must be an integer from 0 through 65535 but more than or equal to range_from.The following command creates an RTSP URI sub part rule definition to analyze user traffic using an RTSP URI port number between 1023 and 1068:[ no ] rtsp user-agent [ case-sensitive ]operator user_agentoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withuser_agent must be an alpha and/or numeric string of 1 through 127 characters in length.The following command creates a rule definition for analyzing user traffic using content as test in “user-agent” field of RTSP header:rtsp user-agent = testThe following command assigns a rule application of charging to the current rule definition:[ no ] sdp any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• sdp any-match = TRUE[ no ] sdp connection-ip-addressoperator ip_addressoperator must be one of the following:
• !=: does not equal
• =: equalssdp connection-ip-address = 1.1.1.1[ no ] sdp media-audio-portoperatorportoperator must be one of the following:
• !=: does not equal
• =: equalsport must be an integer from 0 through 65535.sdp media-audio-port = 10[ no ] sdp media-video-portoperator portoperator must be one of the following:
• !=: does not equal
• =: equalsport must be an integer from 0 through 65535.sdp media-video-port = 10[ no ] sdp uplinkoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
• FALSE: is not uplink
• TRUE: is uplink[ no ] secure-http any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• [ no ] secure-http uplinkoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
• FALSE: is not uplink
• TRUE: is uplink[ no ] sip any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• sip any-match = TRUE[ no ] sip call-id [ case-sensitive ]operator call-idoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withcall-id must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command creates a rule definition for analyzing user traffic using a SIP call ID of test:sip call-id = test[ no ] sip content lengthoperator content_lengthSpecifies how to logically match the information in the analyzed field. operator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalscontent_length must be an integer from 0 through 65535.Use this command to specify a rule definition to analyze user traffic based on a SIP content length.sip content length = 10000[ no ] sip content type [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length.The following command creates a SIP rule definition for analyzing user traffic using a SIP content type as download_string:sip content type = download_string[ no ] sip from [ case-sensitive ]operator stringSpecifies how to logically match the information in the analyzed field. operator must be one of the following:operator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withSpecifies the string for this rule definition. string must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.sip from contains test1[ no ] sip previous-stateoperator previous_stateSpecifies how to logically match the information in the analyzed field. operator must be one of the following:
• !=: does not equal
• =: equalsprevious_state must be one of the following:
• Use this command to specify a rule definition to analyze user traffic based on a SIP previous state.The following command creates a SIP rule definition for analyzing user traffic using a SIP previous state of request-sent:sip previous-state = request-sent[ no ] sip reply codeoperator return_codeSpecifies how to logically match the information in the analyzed field. operator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsreturn_code must be an integer from 100 through 699.sip reply code = 150[ no ] sip request methodoperator methodoperator must be one of the following:
• !=: does not equal
• =: equalsmethod must be one of the following:
•
•
•
•
•
• sip request method = bye[ no ] sip request packetoperator conditionSpecifies how to logically match the information in the analyzed field. operator must be one of the following:condition must be one of the following:
• FALSE: is a response
• TRUE: is a request[ no ] sip stateoperator stateoperator must be one of the following:
• !=: does not equal
• =: equalsstate must be one of the following:The following command creates a SIP rule definition for analyzing user traffic using a SIP state of request-sent:sip state = request-sent[ no ] sip to [ case-sensitive ]operator sip_to_fieldoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withsip_to_field must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.sip to contains test1[ no ] sip uri [ sub-part { headers | host | parameters | port | userinfo } ] [ case-sensitive ]operator stringheaders: Apply the rule to SIP URI header field.host: Apply the rule the SIP URI host field.parameters: Apply the rule to the SIP URI parameters field.port: Apply the rule to the SIP URI port field.userinfo: Apply the rule to the SIP URI userinfo field.operator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withThe string for sub-part keyword port must be an integer and requires different operators. Use the following operators with the port keyword:string must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The string for sub-part keyword port must be an integer from 0 through 65535.[ no ] smtp any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• smtp any-match = TRUE[ no ] smtp command arguments [ case-sensitive ]operator argumentoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withargument must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.smtp command arguments = test[ no ] smtp command idoperator command_idoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalscommand_id must be an integer from 0 through 10.smtp command id = 8[ no ] smtp command nameoperator command_nameoperator must be one of the following:
• !=: does not equal
• =: equalscommand_name must be one of the following:
•
•
•
•
•
•
•
•
•
• Use this command to specify a rule definition to analyze user traffic based on an SMTP command name.smtp command name = dataoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsmail_size must be an integer from 1 through 40000000.range: Enables the range criteria.!range: Disables the range criteria.range_from: Specifies the start of range, and must be an integer from 1 through 40000000.range_to: Specifies the end range. range_to must be an integer from 1 through 40000000, and must be greater than range_from.The following command defines a rule definition for analyzing SMTP user traffic using a mail size of 40000:smtp mail-size = 40000operator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalspdu_length must be an integer from 1 through 65535.range: Enables the range criteria.!range: Disables the range criteria.range_from: Specifies the start of range, and must be an integer from 1 through 65535.range_to: Specifies the end range. range_to must be an integer from 1 through 65535, and must be greater than range_from.The following command defines a rule definition for analyzing SMTP user traffic using a PDU length of 1600 bytes:smtp pdu-length = 1600[ no ] smtp previous-stateoperator pre_stateoperator must be one of the following:
• !=: does not equal
• =: equalspre_state must be one of the following:
• close: closed state
• init: initialized state
• response-error: reply error state
• response-ok: response ok state
• waiting-for-response: waiting for response statesmtp previous-state = closed[ no ] smtp recipient [ case-sensitive ]operator argumentoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withargument must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule definition for analyzing SMTP user traffic using a recipient of test:smtp recipient = test[ no ] smtp reply arguments[ case-sensitive ]operator argumentoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withargument must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.smtp reply arguments = test[ no ] smtp reply id operator reply_idoperator must be one of the following:
• !=: does not equal
• =: equalsreply_id must be one of the following:
• 0: +NO reply
• 1: +OK reply
• 2: -ERR replyThe following command defines a rule definition for analyzing SMTP user traffic using a reply ID of 2:smtp reply id = 2[ no ] smtp reply statusoperator reply_statusoperator must be one of the following:
• !=: does not equal
• =: equalsreply_status must be one of the following:
• +OK: response OK
• -ERR: response errorUse this command to specify a rule definition to analyze user traffic based on an SMTP reply status.smtp reply status = +OK[ no ] smtp sender[ case-sensitive ]operator senderoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withsender must be an alpha/or numeric string of 1 through 127 characters in length.smtp sender = testoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalssess_length must be an integer from 1 through 40000000.range: Enables the range criteria.!range: Disables the range criteria.range_from: Specifies the start of range, and must be an integer from 1 through 40000000.range_to: Specifies the end range. range_to must be an integer from 1 through 40000000, and must be greater than range_from.smtp session-length = 4000000[ no ] smtp stateoperator stateoperator must be one of the following:
• !=: does not equal
• =: equalsstate must be one of the following:
• close: closed state
• init: initialized state
• response-error: response of error state
• response-ok: response of ok state
• waiting-for-response: waiting for response statesmtp state = close[ no ] tcp analyzed out-of-orderoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
• FALSE: not analyzed
• TRUE: analyzedtcp analyzed out-of-order = TRUE[ no ] tcp any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
• FALSE: not analyzed
• TRUE: analyzedtcp any-match = TRUEoperator must be one of the following:
• !=: does not equal
• =: equalstcp connection-initiator = subscriber[ no ] tcp downlinkoperatorconditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• tcp downlink = TRUE[ no ] tcp dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }operator must be one of the following:
• !=: Does not equal
• <=: Less than or equals
• =: Equals
• >=: Greater than or equalsport_number must be an integer from 1 through 65535.
• !range: Not in the range
• range: In the rangestart_range must be an integer from 1 through 65535.end_range must be an integer from 1 through 65535, and must be greater than start_range.port-map port_mapport_map must be a string of 1 through 63 characters in length.Use this command to specify a rule definition to analyze user traffic based on destination TCP port.tcp dst-port = 10[ no ] tcp duplicateoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
• FALSE: not duplicated/retransmitted
• TRUE: duplicated/retransmittedtcp duplicate = TRUE[ no ] tcp either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }operator must be one of the following:
• !=: Does not equal
• <=: Less than or equals
• =: Equals
• >=: Greater than or equalsport_number must be an integer from 1 through 65535.
• !range: Not in the range
• range: In the rangestart_range must be an integer from 1 through 65535.end_range must be an integer from 1 through 65535, and must be greater than start_range.port-map port_mapport_map must be a string of 1 through 63 characters in length.[ no ] tcp erroroperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• [ no ] tcp flagoperator valueoperator must be one of the following:
• !contains: does not contain
• contains: contains
• !=: does not equal
• =: equalsvalue must be one of the following:
• ack: TCP FLAG ACK
• fin: TCP FLAG FIN
• push: TCP FLAG PUSH
• reset: TCP FLAG RESET
• syn: TCP FLAG SYNtcp flag = reset[ no ] tcp initial-handshake-lostoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• hex-signature hex_stringhex_string must be a dash-delimited list of hex data of size smaller than 32.string-signature stringstring must be a string of 1 through 32 characters in length.[ no ] tcp payload-lengthoperator payload_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalspayload_length must be an integer from 0 through 40000000.Use this command to specify a rule definition to analyze user traffic based on a TCP payload length.tcp payload-length = 10000[ no ] tcp previous-stateoperator previous_stateoperator must be one of the following:
• !=: does not equal
• =: equalsprevious_state must be one of the following:
•
•
•
•
• Use this command to specify a rule definition to analyze user traffic based on a TCP previous state.tcp previous-state = time-waitoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalssess_length must be an integer from 0 through 4000000000.The following command creates a TCP rule definition for analyzing user traffic using a TCP session length of 2000 bytes:tcp session-length = 2000[ no ] tcp src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }operator must be one of the following:
• !=: does not equal
• <=: Less than or equals
• =: equals
• >=: greater than or equalsport_number must be an integer from 1 through 65535.
• !range: Not in the range
• range: In the rangestart_range must be an integer from 1 through 65535.end_range must be an integer from 1 through 65535, and must be greater than start_range.port-map port_mapport_map must be a string of 1 through 63 characters in length.tcp src-port = 10[ no ] tcp stateoperator stateoperator must be one of the following:
• !=: does not equal
• =: equalsstate must be one of the following:
•
•
•
•
• The following command creates a TCP rule definition for analyzing user traffic using a TCP state of close:tcp state = close[ no ] tcp uplinkoperatorconditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• tcp uplink = TRUE[ no ] udp any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• udp any-match = TRUEThis command defines a rule definition to analyze and charge user traffic based on the UDP downlink.[ no ] udp downlinkoperator conditionoperator must be one of the following:
• =: equalscondition must be one of the following:
•
• udp downlink = TRUE[ no ] udp dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }operator must be one of the following:
• !=: Does not equal
• <=: Less than or equals
• =: Equals
• >=: Greater than or equalsport_number must be an integer from 1 through 65535.
• !range: Not in the range
• range: In the rangestart_range must be an integer from 1 through 65535.end_range must be an integer from 1 through 65535, and must be greater than start_range.port-map port_mapport_map must be a string of 1 through 63 characters in length.Use this command to specify a rule definition to analyze user traffic based on destination UDP port.udp dst-port = 10[ no ] udp either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }operator must be one of the following:
• !=: Does not equal
• <=: Less than or equals
• =: Equals
• >=: Greater than or equalsport_number must be an integer from 1 through 65535.
• !range: Not in the range
• range: In the rangestart_range must be an integer from 1 through 65535.end_range must be an integer from 1 through 65535, and must be greater than start_range.port-map port_mapport_map must be a string of 1 through 63 characters in length.udp either-port = 10hex-signature hex_stringhex_string must be a dash-delimited list of hex data of size smaller than 32.string-signature stringstring must be a string of 1 through 32 characters in length.[ no ] udp src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }operator must be one of the following:
• !=: Does not equal
• <=: Less than or equals
• =: Equals
• >=: Greater than or equalsport_number must be an integer from 1 through 65535.
• !range: Not in the range
• range: In the rangestart_range must be an integer from 1 through 65535.end_range must be an integer from 1 through 65535, and must be greater than start_range.port-map port_mapport_map must be a string of 1 through 63 characters in length.udp src-port = 10[ no ] udp uplinkoperator conditionoperator must be one of the following:
• =: equalscondition must be one of the following:
•
• udp uplink = TRUE[ no ] wsp any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• wsp any-match = TRUE[ no ] wsp content type [ case-sensitive ]operator content_typeoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withcontent_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.wsp content type = test[ no ] wsp downlinkoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• wsp downlink = TRUE[ no ] wsp first-request-packetoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• [ no ] wsp host [ case-sensitive ]operator host_nameoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withhost_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.wsp host contains host1operator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalspdu_length must be an integer from 1 through 65535.The following command creates a WSP rule definition for analyzing user traffic using an WSP PDU length of 10000 bytes:wsp pdu-length = 10000[ no ] wsp pdu-typeoperator pdu_typeoperator must be one of the following:
• !=: does not equal
• =: equalspdu_type must be one of the following:
•
•
•
•
•
•
•
•
•
•
•
• Use this command to specify a rule definition to analyze user traffic based on a WSP PDU type value.[ no ] wsp previous-stateoperator previous_stateoperator must be one of the following:
• !=: does not equal
• =: equalsprevious_state must be one of the following:
• Use this command to specify a rule definition to analyze user traffic based on a WSP previous state.The following command creates a WSP rule definition for analyzing user traffic using a WSP previous state of response-ok:wsp previous-state = response-okSpecifies how to logically match the information in the analyzed field. operator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsreturn_code must be an integer from 0 through 101.wsp reply code = 50operator must be one of the following:
• !=: does not equal
• <=: less than equals
• =: equals
• >=: greater than equalssess_length must be an integer from 1 through 65535.The following command creates a WSP rule definition for analyzing user traffic using a WSP session length of 2000 bytes:wsp session-length = 2000[ no ] wsp session-management { previous-state | state }operator stateoperator must be one of the following:
• !=: does not equal
• =: equals
•
•
•
•
• wsp session-management state = connecting[ no ] wsp stateoperator stateoperator must be one of the following:
• !=: does not equal
• =: equalsstate must be one of the following:
• The following command creates a WSP rule definition for analyzing user traffic using a WSP state of connecting:wsp state = connecting[ no ] wsp tidoperator tid_valueoperator must be one of the following:
• !=: does not equal
• =: equalstid_value must be an integer from 0 through 255.The following command creates a rule definition for analyzing user traffic using a WSP TID value of 22:wsp tid = 22[ no ] wsp total-lengthoperator total_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than equals
• =: equals
• >=: greater than equalstotal_length must be an integer from 1 through 65535.Use this command to specify a rule definition to analyze user traffic based on the WSP total length.The following command creates a WSP rule definition for analyzing user traffic using an WSP total length of 2000 bytes:wsp total-length = 2000[ no ] wsp transfer-encoding [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be of 1 through 127 characters in length.wsp transfer-encoding contains 7[ no ] wsp uplink operator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• wsp uplink = TRUE[ no ] wsp url [ case-sensitive ]operator urlSpecifies how to logically match the information in the analyzed field. operator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withurl must be an alpha and/or numeric string of 1 through 127 characters in length.The following command creates a rule definition for analyzing user traffic using a WSP URL of wsp://wiki.tcl.tk:wsp url = wsp://wiki.tcl.tk[ no ] wsp user-agent [ case sensitive ]operator user_agentoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withuser_agent must be an alpha and/or numeric string of 1 through 127 characters in length.name must be an alpha and/or numeric string of 1 through 31 characters in length.operator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length.The following command creates a rule definition for analyzing user traffic containing WSP extension-header of test_field and value of test_string:wsp x-header test_field = test_string[ no ] wtp any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• wtp any-match = TRUE[ no ] wtp downlinkoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• wtp downlink = TRUE[ no ] wtp gtroperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• wtp gtr = TRUE[ no ] wtp pdu-typeoperator pdu_lengthoperator must be one of the following:
• !=: does not equal
• =: equalspdu_length must be an integer from 1 through 65535.The following command creates a WTP rule definition for analyzing user traffic using an WTP PDU length of 9647 bytes:ftp pdu-length = 9647[ no ] wtp pdu-typeoperator pdu_typeoperator must be one of the following:
• !=: does not equal
• =: equalspdu_type must be one of the following:
•
•
•
• Use this command to specify a rule definition to analyze user traffic based on a WTP PDU type value.[ no ] wtp previous-stateoperator previous_stateoperator must be one of the following:
• !=: does not equal
• =: equalsSpecifies the WTP previous state for this rule definition. previous_state must be one of the following:
•
•
• Use this command to specify a rule definition to analyze user traffic based on a WTP previous state.wtp previous-state = ack-sent[ no ] wtp ridoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• wtp rid = TRUE[ no ] wtp stateoperator stateoperator must be one of the following:
• !=: does not equal
• =: equalsstate must be one of the following:
•
•
•
• The following command creates a WTP rule definition for analyzing user traffic using a WTP state of close:wtp state = close[ no ] wtp tidoperator tid_valueoperator must be one of the following:
• !=: does not equal
• =: equalstid_value must be an integer from 0 through 65535.wtp tid = 22[ no ] wtp transaction classoperator transaction_classSpecifies how to logically match the information in the analyzed field. operator must be one of the following:
• !=: does not equal
• =: equalstransaction_class must be an integer from 0 through 2.[ no ] wtp ttroperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• wtp ttr = TRUE[ no ] wtp uplinkoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• wtp uplink = TRUE[ no ] www any-matchoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• www any-match = TRUE[ no ] www content type [ case-sensitive ]operator content_typeSpecifies how to logically match the information in the analyzed field. operator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withcontent_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.www content type = test[ no ] www downlinkoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• www downlink = TRUE[ no ] www first-request-packetoperator conditionoperator must be one of the following:
• !=: does not equal
• =: equalscondition must be one of the following:
•
• [ no ] www header-lengthoperator header_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsheader_length must be an integer from 0 through 65535.www header-length = 10000[ no ] www host [ case-sensitive ]operator host_nameoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withhost_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command creates a WWW rule definition for analyzing user traffic using a WWW host of host1:www host = host1[ no ] www payload-lengthoperator payload_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalspayload_length must be an integer from 1 through 4000000000.Use this command to specify a rule definition to analyze user traffic based on a WWW payload length.www payload-length = 10000[ no ] www pdu-lengthoperator pdu_lengthoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalspdu_length must be an integer from 0 through 65535.The following command creates an FTP rule definition for analyzing user traffic using a WWW PDU length of 9767 bytes:www pdu-length = 9767[ no ] www previous-stateoperator previous_stateoperator must be one of the following:
• !=: does not equal
• =: equalsprevious_state must be one of the following:
• Use this command to specify a rule definition to analyze user traffic based on a WWW previous state.www previous-state = init[ no ] www reply codeoperator response_codeoperator must be one of the following:
• !=: does not equal
• <=: less than or equals
• =: equals
• >=: greater than or equalsresponse must be an integer from 100 through 599.The following command defines a rule definition for analyzing WWW user traffic using a reply code of 110:www reply code = 110[ no ] www stateoperator stateoperator must be one of the following:
• !=: does not equal
• =: equalsstate must be one of the following:
• The following command creates a WWW rule definition for analyzing user traffic using a WWW state of close:www state = close[ no ] www transfer-encoding [ case-sensitive ]operator stringoperator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.www transfer-encoding = user1[ no ] www url [ case-sensitive ]operator urlSpecifies how to logically match the information in the analyzed field. operator must be one of the following:
• !=: does not equal
• !contains: does not contain
• !ends-with: does not end with
• !starts-with: does not start with
• =: equals
• contains: contains
• ends-with: ends with
• starts-with: starts withurl must be an alpha and/or numeric string of 1 through 127 characters in length.The following command creates a rule definition for analyzing user traffic using the WWW URL www.abc.com:www url = www.abc.com
![]() |
Cisco Systems Inc. |
Tel: 408-526-4000 |
Fax: 408-527-0883 |