ACS Ruledef Configuration Mode Commands
The ACS Ruledef Configuration Mode is used to create and manage rule expressions in individual rule definitions (ruledefs).
IMPORTANT: Up to 10 rule expressions can be configured in one ruledef.
IMPORTANT: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
bearer 3gpp apn
This command allows
you to define rule expressions to match Access Point Name (APN)
of the bearer flow.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bearer 3gpp apn [ case-sensitive ] operator apn_name
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
apn_name
Specifies name of the
APN to match.
apn_name must
be an alphanumeric string of 1 through 62 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match an APN in the bearer flow.
Example:
The following command defines a rule expression to match user traffic based on APN named apn12:
bearer 3gpp apn = apn12
bearer 3gpp imsi
This command allows
you to define rule expressions to match International Mobile Station
Identification (IMSI) number in the bearer flow.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bearer 3gpp imsi { operator imsi | { !range | range } imsi-pool imsi_pool_name }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
imsi
Specifies the IMSI
number to match.
!range | range
Specifies the range criteria:
- !range: Not in the range of
- range: In the range of
imsi-pool imsi_pool_name
Specifies the IMSI
pool.
imsi_pool_name must
be the name of an IMSI pool, and must be an alphanumeric string
of 1 through 63 characters.
Usage:
Use this command to
define rule expressions to match an IMSI.
Example:
The following command
defines a rule expression to analyze user traffic for the IMSI number
9198838330912:
bearer 3gpp imsi = 9198838330912
bearer 3gpp rat-type
This command allows
you to define rule expressions to match Radio Access Technology
(RAT) in the bearer flow.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bearer 3gpp rat-type operator rat_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
rat_type
Specifies the RAT type
to match.
rat_type must
be one of the following:
- geran: GSM
EDGE Radio Access Network type
- utran: UMTS
Terrestrial Radio Access Network type
- wlan: Wireless
LAN type
Usage:
Use this command to
define rule expressions to match a RAT type.
Example:
The following command
defines a rule expression to match user traffic based on RAT type
wlan:
bearer 3gpp rat-type = wlan
bearer 3gpp sgsn-address
This command allows you to define rule expressions to match the SGSN address associated with the bearer flow.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bearer 3gpp sgsn-address operator ipv4/ipv6_address
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
ipv4/ipv6_address
Specifies the SGSN
IP address to match.
ipv4/ipv6_address must
be in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.
Usage:
Use this command to
define rule expressions to match IP address of an SGSN node.
This command replaces
the bearer sgsn-address command.
Example:
The following command
defines a rule expression to analyze user traffic for an SGSN node with
IP address
10.1.1.1:
bearer 3gpp sgsn-address = 10.1.1.1
bearer 3gpp2 bsid
This command allows
you to define rule expressions to match Base Station Identifier
(BSID) associated with the bearer.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bearer 3gpp2 bsid [ case-sensitive ] [ use-group-of-objects ] operator string
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
use-group-of-objects
Specifies using a group-of-objects
as a qualifier to match this rule.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
string
Specifies the name
of a group-of-objects to match.
If the use-group-of-objects keyword
is not included in the command, string specifies
name of the matching 3GPP2 service Base Station ID (BSID) in bearer
flow.
If the use-group-of-objects keyword
is included in the command, string must
be the name of the group-of-objects to use. In this case, it is
checked if the rule is satisfied for either one or none of the objects
in the group-of-objects depending upon the operator used. For example,
if the operator is contains,
the expression would be true if any of the objects in the specified
object group is contained in the BSID. If the operator is !contains,
then the expression would be true if none of the objects in the
object group is contained in the BSID.
string must
be an alphanumeric string of 1 through 16 characters, and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match a 3GPP2 Base Station Identifier (BSID).
Example:
The following command
defines a rule expression to analyze user traffic for 3GPP2 BSID named
bs001_xyz:
bearer 3gpp2 bsid = bs001_xyz
bearer 3gpp2 service-option
This command allows
you to define rule expressions to match 3GPP2 service with service
options associated with the bearer.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bearer 3gpp2 service-option operator service_option_code
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
service_option_code
Specifies the 3GPP2
service option code to match.
service_option_code must
be an integer from 0 through 1000.
Usage:
Use this command to
define rule expressions to match a 3GPP2 service’s service
option code.
Example:
The following command
defines a rule expression to analyze user traffic for a 3GPP2 service’s
service option matching
1034:
bearer 3gpp2 service-option = 1034
bearer apn
This command allows
you to define rule expressions to match the APN used for the subscriber
session.
IMPORTANT:
In 8.1 and later releases,
this command is deprecated and is replaced by the
bearer 3gpp apn command.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bearer apn [ case-sensitive ] operator apn_name
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
apn_name
Specifies the APN to
match.
apn_name must
be the name of an APN, and must be an alphanumeric string of 1 through
62 characters and may contain punctuation characters.
Usage:
Use this command to
define rule expressions to match APN used for subscriber session.
Example:
The following command
defines a rule expression to match user traffic based on APN name
apn12:
bearer apn = apn12
bearer imsi
This command allows
you to define rule expressions to match IMSI number of the subscriber.
IMPORTANT:
In 8.1 and later releases,
this command is deprecated and is replaced by the
bearer 3gpp imsi command.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bearer imsi { operator imsi | { !range | range } imsi-pool imsi_pool_name }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
imsi
Specifies the IMSI
number to match.
!range | range
Specifies the range
criteria:
- !range: Not
in the range of
- range: In
the range of
imsi-pool imsi_pool_name
Specifies an IMSI pool.
imsi_pool_name must
be the name of an IMSI pool, and must be an alphanumeric string
of 1 through 63 characters.
Usage:
Use this command to
define rule expressions to match IMSI number of subscriber.
Example:
The following command
defines a rule expression to match user traffic based on IMSI number
9198838330912:
bearer imsi = 9198838330912
bearer rat-type
This command allows
you to define rule expressions to match Radio Access Technology
(RAT) in the bearer flow.
IMPORTANT:
In 8.1 and later releases,
this command is deprecated and is replaced by the
bearer 3gpp rat-type command.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bearer rat-type operator rat_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
rat_type
Specifies the RAT type
to match.
rat_type must
be one of the following:
- geran: GSM
EDGE Radio Access Network type
- utran: UMTS
Terrestrial Radio Access Network type
- wlan: Wireless
LAN type
Usage:
Use this command to
define rule expressions to match a RAT type.
Example:
The following command
defines a rule expression to match user traffic based on RAT type
wlan:
bearer rat-type = wlan
bearer sgsn-address
This command allows you to define rule expressions to match the IP address of the SGSN (if acting as GGSN) / P-GW (if acting as S-GW) in the bearer flow.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bearer sgsn-address operator ipv4/ipv6_address
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
ipv4/ipv6_address
Specifies the SGSN
IP address to match.
ipv4/ipv6_address must
be in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.
Usage:
Use this command to define rule expressions to match the IP address of the SGSN (if acting as GGSN) / P-GW (if acting as S-GW).
Example:
The following command
defines a rule expression to match user traffic based on SGSN node IP
address
10.1.1.1:
bearer sgsn-address = 10.1.1.1
bearer traffic-group
This command allows
you to define rule expressions to match traffic group number associated
with the subscriber session.
IMPORTANT:
This functionality
is available only if the Content Access Control license has been
installed on the chassis.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bearer traffic-group operator group_number
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
group_number
Specifies the traffic
group number to match.
group_number must
be an integer from 1 through 255.
Usage:
Use this command to
define rule expressions to match traffic group of the subscriber session.
See the fa-ha-spi command
in the HA Service Configuration
Mode Commands chapter for more information.
Example:
The following command defines a rule expression to analyze all traffic groups assigned a value greater than or equal to 23:
bearer traffic-group >= 23
cca quota-state
Specifies the quota
state of a subscriber for prepaid credit control service.
In release 12.0 and
later, this command should be used as a post-processing rule. For more
information on post-processing policy command, refer to the ACS Rulebase Configuration
Mode Commands chapter in this guide.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] cca quota-state operator { limit-reached | lower-bandwidth }
no
Disables the configured
credit control quota state.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
limit-reached
This state matches
an affirmative end-of-quota indication for the current ruledef from
the prepay server.
lower-bandwidth
This state matches
the lower-bandwidth quota state of a rating group.
Usage:
This command supports
URL redirection and creates a rule for subscriber prepaid quota state
as exhausted or not exhausted.
If a subscriber has
exhausted the quota but has not exhausted the qualified period,
a different charging-action can be applied via the cca quota-state command.
Example:
The following command
defines a rule expression to match user traffic based on the Credit-Control
Application (CCA) quota state
limit-reached:
cca quota-state = limit-reached
cca redirect-indicator
This command allows
you to define rule expressions to match redirect-indicator state
of the Credit Control Application.
In release 12.0 and
later, this command should be used as a post-processing rule. For
more information on post-processing policy command, refer to ACS Rulebase Configuration
Mode Commands chapter in this reference.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] cca redirect-indicator operator redirect_indicator
no
Disables the configured
CCA redirect-indicator in the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
redirect_indicator
Specifies the redirect
indicator for the AVP used for redirection of the URL in the RADIUS dictionary
for prepaid service. It must be an integer from 0 through 4294967295.
IMPORTANT:
For the RADIUS server
configured with different values to return for this AVP, the ACS requires
ruledefs to match the different values for system to associate with
charging actions that have different redirect URLs configured.
Usage:
This command is used
to configure an AVP to be used from a dictionary that defines the AVP
for the redirect-indicator.
For example, a RADIUS
dictionary specifies the 3gpp2-release-indicator to be used for
the redirect indicator when RADIUS is used as the Credit-Control
Application. In this case, the value for 3gpp2-release-indicator
that is returned by the RADIUS prepaid server for a quota request
for a given content ID is retained by system and associated with
the flow.
Example:
The following command
defines a rule expression to match redirect indicator
1234 for
the URL Redirect AVP:
cca redirect-indicator = 1234
copy-packet-to-log
This command allows
you to print every packet that hits the current ruledef to a log
statement.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] copy-packet-to-log
no
Disables the copy-packet-to-log
feature.
copy-packet-to-log
Specifies to print
packets hitting the current ruledef to a log.
Usage:
Use this command to
print every packet that hits a ruledef to a log statement. This facilitates
debugging.
dns answer-name
This command allows
you to define rule expressions to match answer name in the answer
section of DNS response messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] dns answer-name [ case-sensitive ] operator value
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the rule
expression be case-sensitive. By default, rule expressions are not
case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
value
Specifies the value
to match.
value must
be an alphanumeric string of 1 through 255 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match an answer name from the answer section
of DNS response messages.
The answer section
of a DNS response may contain more than one answer. A maximum of seven
answers from the response packet are parsed. For the equality expressions
(=, contains, starts-with, ends-with) a match is sought
from any of the answers in the packet (up to the first seven answers).
For the inequality expressions (!=, !contains, !starts-with,
!ends-with), a non-match is sought from all answers (up to the first
seven answers).
Example:
The following command
defines a rule expression to match user traffic for answer name
test:
dns answer-name = test
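The any/none matching described above for DNS answers, and earlier for use-group-of-objects under bearer 3gpp2 bsid, modelled in Python as an added example (not vendor code). Function names and sample data are constructed for illustration; the result for an empty answer list is an assumption of this model.

```python
"""Added illustration of the any/none matching semantics in this reference.

Constructed model for rule authors; it is not the product's implementation.
"""

MAX_PARSED_ANSWERS = 7  # per the reference: at most seven answers are parsed

# Positive string operators; each also has a "!"-prefixed negated form.
_TESTS = {
    "=": lambda subject, pattern: subject == pattern,
    "contains": lambda subject, pattern: pattern in subject,
    "starts-with": lambda subject, pattern: subject.startswith(pattern),
    "ends-with": lambda subject, pattern: subject.endswith(pattern),
}


def _evaluate(subjects, patterns, operator, case_sensitive):
    """Positive operator: true if ANY subject/pattern pair matches.
    Negated operator: true only if NO pair matches."""
    negated = operator.startswith("!")
    base = operator[1:] if negated else operator
    if base not in _TESTS:
        raise ValueError(f"unsupported operator: {operator!r}")
    if not case_sensitive:  # documented default: not case-sensitive
        subjects = [s.lower() for s in subjects]
        patterns = [p.lower() for p in patterns]
    hit = any(_TESTS[base](s, p) for s in subjects for p in patterns)
    return not hit if negated else hit


def dns_answer_name_matches(answers, operator, value, case_sensitive=False):
    """Model of 'dns answer-name [ case-sensitive ] operator value'.

    Only the first seven answers are inspected. Assumption of this model:
    with no answers, positive operators are false and negated ones true.
    """
    if not 1 <= len(value) <= 255:
        raise ValueError("value must be 1 through 255 characters")
    parsed = list(answers)[:MAX_PARSED_ANSWERS]
    return _evaluate(parsed, [value], operator, case_sensitive)


def bsid_group_matches(bsid, operator, group, case_sensitive=False):
    """Model of 'bearer 3gpp2 bsid use-group-of-objects operator string':
    one BSID is compared against every object in the named group."""
    return _evaluate([bsid], list(group), operator, case_sensitive)


# Constructed sample data (not taken from any capture or configuration).
SAMPLE_ANSWERS = ["cdn1.example.net", "Test", "edge.example.net"]
EIGHT_ANSWERS = [f"host{i}.example.net" for i in range(1, 8)] + ["test"]
SAMPLE_GROUP = ["bs001", "bs002"]  # hypothetical group-of-objects contents

if __name__ == "__main__":
    checks = [
        ("= test (default case handling)",
         dns_answer_name_matches(SAMPLE_ANSWERS, "=", "test")),
        ("= test (case-sensitive)",
         dns_answer_name_matches(SAMPLE_ANSWERS, "=", "test", True)),
        ("!contains example",
         dns_answer_name_matches(SAMPLE_ANSWERS, "!contains", "example")),
        ("= test, name only in 8th answer",
         dns_answer_name_matches(EIGHT_ANSWERS, "=", "test")),
        ("!= test, name only in 8th answer",
         dns_answer_name_matches(EIGHT_ANSWERS, "!=", "test")),
        ("bsid contains <group>",
         bsid_group_matches("bs001_xyz", "contains", SAMPLE_GROUP)),
        ("bsid !contains <group>",
         bsid_group_matches("bs009_xyz", "!contains", SAMPLE_GROUP)),
    ]
    for label, result in checks:
        print(f"{label:40} -> {result}")
```

When reviewing a ruledef, note that a negated expression reports a match whenever none of the parsed answers match, so its result says nothing about answers beyond the seventh.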
dns any-match
This command allows
you to define rule expressions to match all DNS packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] dns any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define an any-match rule expression to match all DNS packets.
Example:
The following command
defines an any-match rule expression to match all DNS packets:
dns any-match = TRUE
dns previous-state
This command allows
you to define rule expressions to match previous state of the DNS
FSM.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] dns previous-state operator dns_previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
dns_previous_state
Specifies the previous
state to match.
dns_previous_state must
be one of the following:
- dns-timeout
- init
- req-sent
- resp-error
- resp-success
Usage:
Use this command to
define rule expressions to match previous state of DNS FSM.
Example:
The following command
defines a rule expression to match the DNS FSM previous state
req-sent:
dns previous-state = req-sent
dns query-name
This command allows
you to define rule expressions to match query name in DNS request
messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] dns query-name [ case-sensitive ] operator query_name
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
query_name
Specifies the query
name to match.
query_name must
be an alphanumeric string of 1 through 255 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match query name in DNS request messages.
Example:
The following command
defines a rule expression to match DNS query name
test:
dns query-name = test
dns return-code
This command allows
you to define rule expressions to match response code in DNS response
messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] dns return-code operator return_code
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
return_code
Specifies the response
code to match.
return_code must
be one of the following:
- format-error
- name-error
- no-error
- not-implemented
- refused
- server-failure
Usage:
Use this command to
define rule expressions to match response code in DNS response messages.
Example:
The following command
defines a rule expression to match a DNS response code
refused:
dns return-code = refused
dns state
This command allows
you to define rule expressions to match current state of DNS FSM.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] dns state operator dns_current_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
dns_current_state
Specifies the current
state to match.
dns_current_state must
be one of the following:
- dns-timeout
- init
- req-sent
- resp-error
- resp-success
Usage:
Use this command to
define rule expressions to match DNS FSM current state.
Example:
The following command
defines a rule expression to match DNS FSM current state of
req-sent:
dns state = req-sent
dns tid
This command allows
you to define rule expressions to match Transaction Identifier (TID)
field in DNS messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] dns tid operator tid_value
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
tid_value
Specifies the DNS transaction
identifier to match.
tid_value must
be an integer from 1 through 65535.
Usage:
Use this command to
define rule expressions to match a TID field of DNS messages.
Example:
The following command
defines a rule expression to match DNS TID field value of
test:
dns tid = test
email
This command allows
you to define rule expressions to match generic e-mail message parameters.
These expressions will be applicable for IMAP, MMS, POP3, and SMTP protocols.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] email { cc | content { class | type } | from | size | subject | to } [ case-sensitive ] operator value
no
If previously configured,
deletes the specified rule expression from the current ruledef.
cc
Specifies to match
the “cc” field of standard e-mail message.
content { class | type }
Specifies to match
the “content-type” or “content-class” field
of standard e-mail message.
from
Specifies to match
the “from” field of standard e-mail message.
subject
Specifies to match
the “subject” field of standard e-mail message.
to
Specifies to match
the “to” field of standard e-mail message.
size
Specifies to match
with the total size of e-mail message specified in bytes.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following except for size:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
operator must
be one of the following for size:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
value
Specifies the value
to match.
value must
be an alphanumeric string and can contain punctuation characters.
- cc: A string
of 1 through 512 characters
- content:
A string of 1 through 128 characters
- from: A string
of 1 through 64 characters
- size: A range
of bytes from 1 through 4000000000 bytes
- subject:
A string of 1 through 128 characters
- to: A string
of 1 through 512 characters
Usage:
Use this command to
define rule expressions to match different fields/parameters
within standard e-mail messages.
Example:
The following command
defines a rule expression to analyze user traffic for the occurrence of
triangle in
the “cc” field of e-mail messages:
email cc contains triangle@xyz.com
end
Exits the current
configuration mode and returns to the Exec mode.
Privilege:
Security Administrator,
Administrator
Usage:
Use this command to
return to the Exec mode.
exit
Exits the current
mode and returns to the parent configuration mode.
Privilege:
Security Administrator,
Administrator
Usage:
Use this command to
return to the parent configuration mode.
file-transfer any-match
This command allows
you to define rule expressions to match all file-transfer packets.
This expression applies to file transfers that use the FTP or HTTP protocols.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] file-transfer any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all file-transfer packets. This expression
applies to file transfers that use the FTP or HTTP protocols.
Example:
The following command
defines a rule expression to match all file-transfer packets:
file-transfer any-match = TRUE
file-transfer chunk-number
This command allows
you to define rule expressions to match the total number of chunks
in an HTTP file as determined by the File Transfer analyzer.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] file-transfer chunk-number operator chunks_number
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
chunks_number
Specifies the number
of chunks to match.
chunks_number must
be an integer from 1 through 65535.
Usage:
Use this command to
define rule expressions to match the total number of chunks in an HTTP
file as determined by the File Transfer analyzer.
Example:
The following command defines a rule expression to match a total of 150 chunks:
file-transfer chunk-number = 150
file-transfer current-chunk-length
This command allows
you to define rule expressions to match the length of an HTTP chunk
currently in the File Transfer analyzer.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] file-transfer current-chunk-length operator current_chunk_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
current_chunk_length
Specifies the current
chunk length value (in bytes) to match.
current_chunk_length must
be an integer from 1 through 40000000.
Usage:
Use this command to
define rule expressions to match the length of an HTTP chunk currently
in the File Transfer analyzer.
Example:
The following command
defines a rule expression to match length of current HTTP chunk
as
1500000 bytes:
file-transfer current-chunk-length = 1500000
file-transfer declared-chunk-length
This command allows
you to define rule expressions to match the declared length of an
HTTP chunk currently in the File Transfer analyzer.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] file-transfer declared-chunk-length operator declared_chunk_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
declared_chunk_length
Specifies the declared
chunk length value (in bytes) to match.
declared_chunk_length must
be an integer from 1 through 40000000.
Usage:
Use this command to
define rule expressions to match the declared length of an HTTP chunk
currently in the File Transfer analyzer.
Example:
The following command
defines a rule expression to match declared length of the current HTTP
chunk as
2500000 bytes:
file-transfer declared-chunk-length = 2500000
file-transfer declared-file-size
This command allows
you to define rule expressions to match the declared file size by
the File Transfer analyzer decoding the FTP handshake.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] file-transfer declared-file-size operator declared_file_size
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
declared_file_size
Specifies the declared
file size (in bytes) to match.
declared_file_size must
be an integer from 1 through 40000000.
Usage:
Use this command to
define rule expressions to match the declared file size by the File Transfer
analyzer decoding the FTP handshake.
Example:
The following command
defines a rule expression to match declared file size as
2500000 bytes:
file-transfer declared-file-size = 2500000
file-transfer filename
This command allows
you to define rule expressions to match file name.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] file-transfer filename [ case-sensitive ] operator file_name
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
file_name
Specifies the file
name to match.
file_name must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match file name in file-transfer.
Example:
The following command defines a rule expression to match file name containing star1:
file-transfer filename contains star1
file-transfer previous-state
This command allows
you to define rule expressions to match previous state of File Transfer
FSM.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] file-transfer previous-state operator file_transfer_previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
file_transfer_previous_state
Specifies the previous
state to match.
file_transfer_previous_state must
be one of the following:
- init: Specifies
previous state as initialization.
- request-sent:
Specifies previous state as request sent.
- transfer-error:
Specifies previous state as transfer error.
- transfer-ok:
Specifies previous state as transfer ok.
Usage:
Use this command to
define rule expressions to match previous state of File Transfer FSM.
Example:
The following command
defines a rule expression to match previous state of
init:
file-transfer previous-state = init
file-transfer state
This command allows
you to define rule expressions to match the current state of File
Transfer FSM.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] file-transfer state operator file_transfer_current_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
file_transfer_current_state
Specifies the current
state to match.
file_transfer_current_state must
be one of the following:
- init: Specifies current state as initialization.
- request-sent: Specifies current state as request sent.
- transfer-error: Specifies current state as transfer error.
- transfer-ok: Specifies current state as transfer ok.
Usage:
Use this command to
define rule expressions to match current state of File Transfer FSM.
The following table
describes details of File Transfer FSM states with event:
Event | init | request-sent | transfer-ok | transfer-err
FTP “RETR” command or HTTP “GET” request received with chunk encoding | request-sent | Discarded | Discarded | Discarded
HTTP 2xx response received | transfer-ok | Discarded | Discarded | Discarded
HTTP 4xx or HTTP 5xx response received | transfer-error | Discarded | Discarded | Discarded
FTP reply received with reply status as file-transfer complete/successful | Discarded | transfer-ok | Discarded | Discarded
FTP reply received with reply status as file-transfer unsuccessful | Discarded | transfer-error | Discarded | Discarded
Example:
The following command
defines a rule expression to match file-transfer current state of
init:
file-transfer state = init
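The File Transfer FSM state table above, modelled as an added example (not vendor code) so that file-transfer state and file-transfer previous-state expressions can be checked against an event sequence. The event labels, the reading of "Discarded" as "state unchanged", and the initial previous state of init are assumptions.

```python
"""File Transfer FSM from the state table, as a replayable model."""

STATES = ("init", "request-sent", "transfer-ok", "transfer-error")

# Hypothetical event labels, one per table row.
REQUEST = "request"              # FTP RETR, or HTTP GET with chunk encoding
HTTP_2XX = "http-2xx"            # HTTP 2xx response received
HTTP_4XX_5XX = "http-4xx-5xx"    # HTTP 4xx or 5xx response received
FTP_OK = "ftp-reply-ok"          # FTP reply: file transfer complete/successful
FTP_FAIL = "ftp-reply-fail"      # FTP reply: file transfer unsuccessful
EVENTS = (REQUEST, HTTP_2XX, HTTP_4XX_5XX, FTP_OK, FTP_FAIL)

# Only the cells that name a next state; every other cell is "Discarded".
TRANSITIONS = {
    ("init", REQUEST): "request-sent",
    ("init", HTTP_2XX): "transfer-ok",
    ("init", HTTP_4XX_5XX): "transfer-error",
    ("request-sent", FTP_OK): "transfer-ok",
    ("request-sent", FTP_FAIL): "transfer-error",
}


class FileTransferFsm:
    def __init__(self):
        self.state = "init"
        self.previous_state = "init"   # assumption: nothing precedes init

    def feed(self, event):
        """Apply one event; return True if it caused a transition."""
        if event not in EVENTS:
            raise ValueError("unknown event: %r" % (event,))
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            return False               # "Discarded": assumed to leave state as is
        self.previous_state, self.state = self.state, nxt
        return True

    def matches(self, field, operator, value):
        """Evaluate 'file-transfer <field> <operator> <value>'."""
        if field not in ("state", "previous-state"):
            raise ValueError("field must be state or previous-state")
        if operator not in ("=", "!="):
            raise ValueError("operator must be = or !=")
        if value not in STATES:
            raise ValueError("unknown state keyword: %r" % (value,))
        actual = self.state if field == "state" else self.previous_state
        return (actual == value) == (operator == "=")


def replay(events):
    """Return (event, accepted, previous_state, state) after each event."""
    fsm = FileTransferFsm()
    trace = []
    for event in events:
        accepted = fsm.feed(event)
        trace.append((event, accepted, fsm.previous_state, fsm.state))
    return trace


if __name__ == "__main__":
    # Constructed sequences: an FTP download, then an HTTP GET answered by 2xx.
    for sequence in ([REQUEST, FTP_OK], [REQUEST, HTTP_2XX]):
        for step in replay(sequence):
            print(step)
        print("--")
```

Replaying a request followed by an HTTP 2xx shows that, per the table as printed, the 2xx is discarded in request-sent, so file-transfer state = transfer-ok does not match that sequence in this model.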
file-transfer transferred-file-size
This command allows
you to define rule expressions to match the size of a file that
has been transferred so far, as detected by the File Transfer analyzer.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] file-transfer
transferred-file-size operator transferred_file_size
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
transferred_file_size
Specifies the transferred
file size (in bytes) to match.
transferred_file_size must
be an integer from 1 through 4000000000.
Usage:
Use this command to
define rule expressions to match the size of the file that has been transferred
so far, as detected by the File Transfer analyzer.
Example:
The following command
defines a rule expression to match file transferred size of
2500 bytes:
file-transfer transferred-file-size = 2500
ftp any-match
This command allows
you to define rule expressions to match all FTP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define a rule expression to match all FTP packets.
Example:
The following command
defines a rule expression to match all FTP packets:
ftp any-match = TRUE
ftp client-ip-address
This command allows
you to define rule expressions to match IP address of the FTP client.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
client-ip-address operator ipv4/ipv6_address
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
ipv4/ipv6_address
Specifies the FTP client
IP address to match.
ipv4/ipv6_address must
be in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.
Usage:
Use this command to
define rule expressions to match an FTP client IP address, which
will be either the IP source address or the IP destination address,
depending on the direction.
Example:
The following command
defines a rule expression to match client IP address
10.1.1.1:
ftp client-ip-address = 10.1.1.1
ftp client-port
This command allows
you to define rule expressions to match port number of the FTP client.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
client-port operator port_number
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
port_number
Specifies the client
port number to match.
port_number must
be an integer from 1 through 65535.
Usage:
Use this command to
define rule expressions to match port number of the FTP client, which
will be either the TCP source port or the TCP destination port,
depending on the direction.
Example:
The following command
defines a rule expression to match FTP client port number
10:
ftp client-port = 10
ftp command args
This command allows
you to define rule expressions to match arguments within an FTP
command.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
command args [ case-sensitive ] operator argument
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
argument
Specifies the argument
to match.
argument must
be an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
define rule expressions to match arguments within an FTP command.
Example:
The following command
defines a rule expression to match argument
ascii within
an FTP command:
ftp command args = ascii
ftp command id
This command allows
you to define rule expressions to match FTP command ID.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
command id operator command_id
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
command_id
Specifies the command
identifier to match.
In 8.3 and earlier releases, command_id must
be an integer from 0 through 15.
In 9.0 and later releases, command_id must
be an integer from 0 through 18.
Usage:
Use this command to
define rule expressions to match FTP command ID.
Example:
The following command
defines a rule expression to match the FTP command ID
10:
ftp command id = 10
ftp command name
This command allows
you to define rule expressions to match FTP command name.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
command name operator command_name
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
command_name
Specifies the command
name to match.
command_name must
be one of the following:
- abor: Abort command
- cwd: Current working directory command
- eprt: eprt command
- epsv: epsv command
- list: List command
- mode: Transfer mode command
- pass: Password command
- pasv: Passive command
- port: Port command
- quit: Quit command
- rest: Restore command
- retr: Retry command
- stor: Store command
- stru: File structure command
- syst: System command
- type: Type command
- user: User command
Usage:
Use this command to
define rule expressions to match FTP command name.
Example:
The following command
defines a rule expression to match FTP command name
list:
ftp command name = list
ftp connection-type
This command allows
you to define rule expressions to match FTP connection type.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
connection-type operator connection_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
connection_type
Specifies the connection
type to match.
connection_type must
be one of the following:
- 0: Unknown
- 1: Control
connection
- 2: Data connection
Usage:
Use this command to
define rule expressions to match an FTP connection type.
Example:
The following command
defines a rule expression to match FTP connection type
1:
ftp connection-type = 1
ftp data-any-match
This command allows
you to define rule expressions to match all FTP data packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
data-any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all FTP data packets.
Example:
The following command
defines a rule expression to match all FTP data packets:
ftp data-any-match = TRUE
ftp filename
This command allows
you to define rule expressions to match FTP file name.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
filename [ case-sensitive ] operator file_name
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
file_name
Specifies the file
name to match.
file_name must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match an FTP file name.
Example:
The following command
defines a rule expression to match a file named
testtransfer:
ftp filename = testtransfer
ftp pdu-length
This command allows
you to define rule expressions to match the length of a current
FTP packet.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
pdu-length operator pdu_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
pdu_length
Specifies the FTP PDU
length (in bytes) to match.
pdu_length must
be an integer from 0 through 65535.
Usage:
Use this command to
define rule expressions to match the length of a current FTP packet, that
is, FTP PDU length (FTP header + FTP payload).
Example:
The following command
defines a rule expression to match an FTP PDU length of
9647 bytes:
ftp pdu-length = 9647
ftp pdu-type
This command allows
you to define rule expressions to match FTP Protocol Data Unit (PDU)
type.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
pdu-type operator pdu_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
pdu_type
Specifies the PDU type
to match.
pdu_type must
be one of the following:
- 0: Unknown
- 1: Command
- 2: Reply
Usage:
Use this command to
define rule expressions to match a PDU type of FTP packet.
Example:
The following command
defines a rule expression to match FTP PDU type
1:
ftp pdu-type = 1
ftp previous-state
This command allows
you to define rule expressions to match previous state of FTP session.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
previous-state operator ftp_previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
ftp_previous_state
Specifies the previous
state to match.
ftp_previous_state must
be one of the following:
- command-sent
- init
- response-error
- response-ok
Usage:
Use this command to
define rule expressions to match a previous state of FTP session.
Example:
The following command
defines a rule expression to match previous FTP state
init:
ftp previous-state = init
ftp reply code
This command allows
you to define rule expressions to match FTP reply code.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
reply code operator reply_code
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
reply_code
Specifies the FTP reply
code to match.
reply_code must
be an integer from 100 through 599.
Usage:
Use this command to
define rule expressions to match an FTP reply code.
Example:
The following command
defines a rule expression to match FTP reply code
150:
ftp reply code = 150
ftp server-ip-address
This command allows
you to define rule expressions to match FTP server IP address.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
server-ip-address operator ipv4/ipv6_address
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
ipv4/ipv6_address
Specifies IP address
of the server to match.
ipv4/ipv6_address must
be in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.
Usage:
Use this command to
define rule expressions to match an FTP server IP address, which will
be either the IP source address or the IP destination address, depending
on the direction.
Example:
The following command
defines a rule expression to match the FTP server IP address
10.1.1.1:
ftp server-ip-address = 10.1.1.1
ftp server-port
This command allows
you to define rule expressions to match FTP server port number.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
server-port operator port
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
port
Specifies the FTP server
port number to match.
port must
be an integer from 1 through 65535.
Usage:
Use this command to
define rule expressions to match an FTP server port number, which will
be either the TCP source port or the TCP destination port, depending
on the direction.
Example:
The following command
defines a rule expression to analyze user traffic for FTP server
port
21:
ftp server-port = 21
ftp session-length
This command allows
you to define rule expressions to match the total number of bytes
sent on an FTP control connection.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
session-length operator session_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
session_length
Specifies the FTP session
length (in bytes) to match.
session_length must
be an integer from 1 through 4000000000.
Usage:
Use this command to
define rule expressions to match the total number of bytes sent
on an FTP control connection.
Example:
The following command
defines a rule expression to match FTP session length of
40000 bytes:
ftp session-length = 40000
ftp state
This command allows
you to define rule expressions to match the current state of an
FTP session.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
state operator ftp_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
ftp_state
Specifies the FTP state
to match.
ftp_state must
be one of the following:
- close: FTP
transmissions that are in closed state.
- command-sent:
FTP transmissions that are in command-sent state.
- response-error:
FTP transmissions that are in response-error state.
- response-ok:
FTP transmissions that are in response-ok state.
Usage:
Use this command to
define rule expressions to match the current state of an FTP session.
Example:
The following command
defines a rule expression to match FTP current state
close:
ftp state = close
ftp url
This command allows
you to define rule expressions to match the FTP URL/path of
a file being transferred.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
url [ case-sensitive ] operator url
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
url
Specifies the URL to
match.
url must
be an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
define rule expressions to match the FTP URL/path of a
file being transferred.
Example:
The following command
defines a rule expression to match the URL
ftp://rfc.ietf.org/rfc/rfc1738.txt:
ftp url = ftp://rfc.ietf.org/rfc/rfc1738.txt
ftp user
This command allows
you to define rule expressions to match the user name in an FTP command
packet.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ftp
user [ case-sensitive ] operator ftp_user
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
ftp_user
Specifies the FTP user
name to match.
ftp_user must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match the user name in an FTP command.
Example:
The following command
defines a rule expression to match FTP user name
user1:
ftp user = user1
http any-match
This command allows
you to define rule expressions to match all HTTP and HTTPS Connect
Method packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http
any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all HTTP packets.
Example:
The following command
defines a rule expression to match all HTTP packets:
http any-match = TRUE
http attribute-in-data
This command allows
you to define rule expressions to match any arbitrary attribute
in the payload following the HTTP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http
attribute-in-data attribute [ case-sensitive ] operator value
no
If previously configured,
deletes the specified rule expression from the current ruledef.
attribute
attribute must
be an alphanumeric string of 1 through 31 characters.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
value
Specifies the value
as an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
define rule expressions to match arbitrary attribute in the payload following
the HTTP headers.
http attribute-in-url
This command allows
you to define rule expressions to match arbitrary attribute in the
combined Host+URI HTTP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http
attribute-in-url attribute [ case-sensitive ] operator value
no
If previously configured,
deletes the specified rule expression from the current ruledef.
attribute
attribute must
be an alphanumeric string of 1 through 31 characters.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
value
Specifies the value
as an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
configure rule expression to match an arbitrary attribute in the combined
Host+URI HTTP headers.
http content disposition
This command allows
you to define rule expressions to match optional content-disposition
field of HTTP entity header.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http
content disposition [ case-sensitive ] operator content_disposition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
content_disposition
This field offers a
mechanism for the sender to transmit presentational information
to the recipient, allowing each component of a message to be tagged
with an indication of its desired presentation semantics.
content_disposition must
be an alphanumeric string of 1 through 127 characters, and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match optional content-disposition field
of HTTP entity header. This feature supports RFC 2616 for HTTP and
RFC 1806 for Content Disposition.
Example:
The following command
defines a rule expression to match content disposition
successful:
http content disposition = successful
http content length
This command allows
you to define rule expressions to match the value in HTTP Content-Length
entity-header field.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http
content length operator content_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
content_length
Specifies the HTTP
body length (in bytes) to match.
content_length must
be an integer from 1 through 4000000000.
Usage:
Use this command to
define rule expressions to match value in HTTP Content-Length entity-header
field.
Example:
The following command
defines a rule expression to match value of
10000 bytes
in HTTP Content-Length entity-header field:
http content length = 10000
http content type
This command allows
you to define rule expressions to match value in HTTP Content-Type
entity-header field.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http
content type [ case-sensitive ] operator content_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
content_type
Specifies the content
type to match.
content_type must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match value in HTTP Content-Type entity-header
field.
Example:
The following command
defines a rule expression to match
abc100 in
HTTP Content-Type entity-header field:
http content type = abc100
http domain
This command allows
you to define rule expressions to match the domain portion of URIs
in HTTP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http
domain [ case-sensitive ] operator domain
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
domain
Specifies the domain
to match.
domain must
be an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
define rule expressions to match the domain portion of URIs in HTTP
packets.
From the URL, after
http:// (if present) is removed, everything until
the first "/" is the domain.
Example:
The following command
defines a rule expression to match user traffic based on domain name
testdomain:
http domain = testdomain
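An added example (not vendor code) that applies the domain rule above and the eight string operators to constructed URLs, to show which hosts a given http domain expression would select. The function names and the case-insensitive handling of the http:// prefix are assumptions.

```python
"""String-operator matching and http domain extraction (illustrative model)."""

BASE_OPERATORS = {
    "=": lambda observed, configured: observed == configured,
    "contains": lambda observed, configured: configured in observed,
    "starts-with": lambda observed, configured: observed.startswith(configured),
    "ends-with": lambda observed, configured: observed.endswith(configured),
}


def http_domain(url):
    """Drop a leading http:// if present, then keep everything before the first '/'."""
    if url[:7].lower() == "http://":   # assumption: prefix compared case-insensitively
        url = url[7:]
    return url.split("/", 1)[0]


def match_string(operator, configured, observed, case_sensitive=False):
    """Evaluate one string expression; '!' in front of an operator negates it."""
    if not 1 <= len(configured) <= 127:
        raise ValueError("value must be 1 through 127 characters")
    negate = operator.startswith("!")
    base = operator[1:] if negate else operator
    if base not in BASE_OPERATORS:
        raise ValueError("unknown operator: %r" % (operator,))
    if not case_sensitive:             # default on the page: not case-sensitive
        configured, observed = configured.lower(), observed.lower()
    result = BASE_OPERATORS[base](observed, configured)
    return (not result) if negate else result


def selected_domains(operator, configured, urls, case_sensitive=False):
    """Return, in input order, the extracted domains the expression matches."""
    selected = []
    for url in urls:
        domain = http_domain(url)
        if match_string(operator, configured, domain, case_sensitive):
            selected.append(domain)
    return selected


# Constructed sample URLs (not taken from any real traffic).
SAMPLE_URLS = [
    "http://testdomain/index.html",
    "http://TestDomain:8080/login",
    "testdomain.other.example/a",
    "http://mytestdomain/",
    "http://unrelated.example/testdomain",
]

if __name__ == "__main__":
    for op in ("=", "contains", "starts-with", "ends-with", "!contains"):
        print(op, selected_domains(op, "testdomain", SAMPLE_URLS))
```

In this model the extracted domain keeps any port suffix, so = testdomain does not select TestDomain:8080, while contains and ends-with also select unrelated hosts such as mytestdomain; review which operator a ruledef uses before tying it to a charging or redirect action.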
http error
This command allows
you to define rule expressions to match errors in HTTP packets
(for example, invalid HTTP header) and errors in the HTTP analyzer
FSM (Finite State Machine) while parsing HTTP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http
error operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match errors in HTTP packets and other
errors in the HTTP analyzer FSM while parsing HTTP packets. Examples include
FSM errors, invalid header field values, ACS memory and buffer limits,
packet-related errors, and so on.
ACS supports pipelining
of up to 32 HTTP requests on the same TCP connection. Pipeline overflow
requests are not analyzed. Such overflow requests are treated as
an HTTP error. The billing system, based on this information, decides
to charge or not charge, or refund the subscriber accordingly.
Example:
The following command
defines a rule expression to match user traffic based on HTTP error status
of
TRUE:
http error = TRUE
http first-request-packet
This command allows
you to define rule expressions to match the GET or POST request,
if it is the first HTTP request for the subscriber's session.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http
first-request-packet operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match the GET or POST request, if it
is the first HTTP request for the subscriber's session.
This expression can
be connected with a charging action, so the subscriber is redirected
to a splash page for the first Web access attempted.
Example:
The following command
defines a rule expression to match first-request-packet:
http first-request-packet = TRUE
http header-length
This command allows
you to define rule expressions to match HTTP header length.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http
header-length operator header_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
header_length
Specifies the HTTP
header length (in bytes) to match.
header_length must
be an integer from 0 through 65535.
Usage:
Use this command to
define rule expressions to match the length of an HTTP header.
Example:
The following command
defines a rule expression to match an HTTP header length of
8000:
http header-length = 8000
http host
This command allows
you to define rule expressions to match value in HTTP Host request-header
field.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http
host [ case-sensitive ] operator host_name
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
host_name
Specifies the host
name to match.
host_name must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match value in HTTP Host request-header field.
Example:
The following command
defines a rule expression to match
host1 in
HTTP Host request-header field:
http host = host1
http payload-length
This command allows
you to define rule expressions to match HTTP payload length.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http
payload-length operator payload_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
payload_length
Specifies the HTTP
payload (data) length (in bytes) to match.
payload_length must
be an integer from 1 through 4000000000.
Usage:
Use this command to
define rule expressions to match HTTP payload (data) length (pdu-length
- header-length).
Example:
The following command
defines a rule expression to match HTTP payload length of
100000 bytes:
http payload-length = 100000
http pdu-length
This command allows
you to define rule expressions to match the total length of a single
HTTP packet.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http
pdu-length operator pdu_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
pdu_length
Specifies the HTTP
PDU length (in bytes) to match.
pdu_length must
be an integer from 0 through 65535.
Usage:
Use this command to
define rule expressions to match the total length of a single HTTP packet.
This will also match packets with partial HTTP message (due to fragmentation).
Example:
The following command
defines a rule expression to match an HTTP PDU length of
10000 bytes:
http pdu-length = 10000
http previous-state
This command allows
you to define rule expressions to match previous state of HTTP sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http previous-state operator http_previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
http_previous_state
Specifies the previous
state to match.
http_previous_state must
be one of the following:
- init: Initialized
state
- response-error:
Response error state
- response-ok:
Response ok state
- waiting-for-response:
Waiting for response state
Usage:
Use this command to
define rule expressions to match a previous state of HTTP sessions.
Example:
The following command
defines a rule expression to match HTTP previous state
response-ok:
http previous-state = response-ok
http referer
This command allows
you to define rule expressions to match the value in the HTTP Referer
request-header field.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http referer [ case-sensitive ] operator referer_name
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
referer_name
Specifies the HTTP
referer name to match.
referer_name must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match value in HTTP Referer request-header
field.
This feature allows
an operator to collect or track all URLs visited during a particular subscriber
session. These URLs include the entire string of visited URLs, including
all referral links. This information is output in an Event Data
Record (EDR) format to support reporting or billing functions.
For example, if a subscriber
begins a mobile web session and clicks on the “Sports” link from
the home deck, and then selects ESPN and moves to an advertiser
link, the operator can capture all URLs for that entire session.
During this period ACS collects the URLs for a particular subscriber
session; collection can be limited by time duration or number of
URLs visited.
ACS generates EDRs
that contain HTTP URL and the HTTP referer fields along with other
fields.
Example:
The following command
defines a rule expression to match the HTTP referer
cricket.espn.com:
http referer = cricket.espn.com
http reply code
This command allows
you to define rule expressions to match status code associated with
HTTP response packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http reply code operator reply_code
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
reply_code
Specifies the HTTP
reply code to match.
reply_code must
be an integer from 100 through 599.
Usage:
Use this command to
define rule expressions to match status code associated with HTTP response
codes.
Example:
The following command
defines a rule expression to match HTTP response code
204:
http reply code = 204
http request method
This command allows
you to define rule expressions to match HTTP request method.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http request method operator request_method
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
request_method
Specifies the HTTP
request method to match.
request_method must
be one of the following:
- connect
- delete
- get
- head
- options
- post
- put
- trace
Usage:
Use this command to
define rule expressions to match an HTTP request method.
Example:
The following command
defines a rule expression to match user traffic based on HTTP request
method
connect:
http request method = connect
http session-length
This command allows
you to define rule expressions to match HTTP session length.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http session-length operator session_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
session_length
Specifies the HTTP
total session length (in bytes) to match.
session_length must
be an integer from 1 through 4000000000.
Usage:
Use this command to
define rule expressions to match a total HTTP session length.
Example:
The following command
defines a rule expression to match an HTTP session length of
200000:
http session-length = 200000
http state
This command allows
you to define rule expressions to match current state of an HTTP
session.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http state operator current_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
current_state
Specifies the current
state of HTTP session to match.
current_state must
be one of the following:
- close: Closed
state
- response-error:
Response error state
- response-ok:
Response ok state
- waiting-for-response:
Waiting for response state
Usage:
Use this command to
define rule expressions to match a current state of an HTTP session.
Example:
The following command
defines a rule expression to match current state
close:
http state = close
http transaction-length
This command allows
you to define rule expressions to match HTTP transaction length
(combined length of one HTTP GET Request message and its associated
response messages).
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http transaction-length { operator transaction_length | { { range | !range } range_from to range_to } }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
transaction_length
Specifies the HTTP
transaction length (in bytes) to match.
transaction_length must
be an integer from 1 through 4000000000.
{ range | !range } range_from to range_to
Enables or disables
the range criteria for length of transaction.
- range: Enables
the range criteria for HTTP transaction length.
- !range: Disables
the range criteria for HTTP transaction length.
- range_from:
Specifies the start of range (in bytes) for HTTP transaction length.
- range_to:
Specifies the end of range (in bytes) for HTTP transaction length.
Usage:
Use this command to
define rule expressions to match an HTTP transaction length [one HTTP
GET Request message + associated response message(s)] in
bytes.
Example:
The following command
defines a rule expression to match an HTTP transaction length of
10200 bytes:
http transaction-length = 10200
http transfer-encoding
This command allows
you to define rule expressions to match the value in HTTP Transfer-Encoding
general-header field.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http transfer-encoding [ case-sensitive ] operator transfer_encoding
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
transfer_encoding
Specifies the HTTP
transfer encoding to match.
transfer_encoding must
be an alphanumeric string of 1 through 127 characters, and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match the value in HTTP Transfer-Encoding
general-header field.
Example:
The following command
defines a rule expression to match the value
chunked in
HTTP Transfer-Encoding general-header field:
http transfer-encoding = chunked
http uri
This command allows
you to define rule expressions to match HTTP URI.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http uri [ case-sensitive ] operator uri
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
uri
Specifies the HTTP
URI to match.
uri must
be an alphanumeric string of 1 through 127 characters, and can contain
punctuation characters, and excludes the “host” portion.
Usage:
Use this command to
define rule expressions to match an HTTP URI, excluding the host portion.
Example:
The following command
defines a rule expression to match the HTTP URI string
http://www.somehost.com:
http uri = http://www.somehost.com
http url
This command allows
you to define rule expressions to match HTTP URL.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http url [ case-sensitive ] operator url
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
url
Specifies the HTTP
URL to match.
url must
be an alphanumeric string of 1 through 127 characters that allows
punctuation characters and includes “host + URI” for
HTTP PDUs.
For example, in case
of the URL “http://www.google.fr/”,
the host is “http://www.google.fr”,
and the URI is “/”:
Hypertext Transfer Protocol
GET / HTTP/1.1\r\n
Request Method: GET
Request URI: /
Request Version: HTTP/1.1
Accept: */*\r\n
Accept-Language: fr\r\n
Accept-Encoding: gzip, deflate\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n
Host: www.google.fr\r\n
Connection: Keep-Alive\r\n
\r\n
Usage:
Use this command to
define rule expressions to match HTTP URL.
Example:
The following command
defines a rule expression to match the HTTP URL
http://rfc.ietf.org/rfc/rfc1738.txt:
http url = http://rfc.ietf.org/rfc/rfc1738.txt
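The following is an added example, not vendor code: a small Python model of how the string operators and the case-sensitive keyword behave against the host, uri and url fields of the sample request shown above. The helper names, and the assumption that url is "http://" + Host value + request URI, are illustrative and do not describe the ACS implementation.

```python
"""Illustrative model of ruledef string operators on HTTP fields (not ACS code)."""

# Positive operators listed on this page; a leading "!" negates the result.
STRING_OPS = {
    "=": lambda field, value: field == value,
    "contains": lambda field, value: value in field,
    "starts-with": lambda field, value: field.startswith(value),
    "ends-with": lambda field, value: field.endswith(value),
}

# String-valued HTTP fields modelled here (a subset of the page's commands).
FIELDS = ("host", "uri", "url", "user-agent", "referer",
          "transfer-encoding", "version")

# Constructed sample: the request from the "http url" description.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: fr\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: www.google.fr\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)


def extract_fields(raw_request):
    """Split a raw HTTP request into the fields the rule expressions test."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    return {
        "host": host,
        "uri": uri,                      # excludes the host portion
        "url": "http://" + host + uri,   # assumption: url = host + URI
        "user-agent": headers.get("user-agent", ""),
        "referer": headers.get("referer", ""),
        "transfer-encoding": headers.get("transfer-encoding", ""),
        "version": version,
    }


def parse_expression(expr):
    """Parse 'http <field> [ case-sensitive ] <operator> <value>'."""
    tokens = expr.split()
    if len(tokens) < 4 or tokens[0] != "http" or tokens[1] not in FIELDS:
        raise ValueError("unsupported rule expression: %r" % expr)
    field, rest = tokens[1], tokens[2:]
    case_sensitive = rest[0] == "case-sensitive"
    if case_sensitive:
        rest = rest[1:]
    if len(rest) < 2:
        raise ValueError("missing operator or value: %r" % expr)
    operator, value = rest[0], " ".join(rest[1:])
    negate = operator.startswith("!")
    base = operator[1:] if negate else operator
    if base not in STRING_OPS:
        raise ValueError("unknown operator: %r" % operator)
    if not 1 <= len(value) <= 127:       # length limit stated on this page
        raise ValueError("value must be 1 through 127 characters")
    return field, case_sensitive, negate, base, value


def matches(expr, fields):
    """Evaluate one rule expression against extracted request fields."""
    field, case_sensitive, negate, base, value = parse_expression(expr)
    actual = fields[field]
    if not case_sensitive:               # default: not case-sensitive
        actual, value = actual.lower(), value.lower()
    return STRING_OPS[base](actual, value) != negate


if __name__ == "__main__":
    sample = extract_fields(SAMPLE_REQUEST)
    for rule in (
        "http host = WWW.GOOGLE.FR",
        "http host case-sensitive = WWW.GOOGLE.FR",
        "http uri contains google",
        "http url contains google",
        "http user-agent !contains MSIE 6.0",
    ):
        print("%-45s -> %s" % (rule, matches(rule, sample)))
```

Because uri excludes the host portion, a rule that must key on the site name belongs on http host or http url; and a rule that must distinguish case needs the case-sensitive keyword, since the default comparison ignores case.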
http user-agent
This command allows
you to define rule expressions to match the User-Agent request-header
field of HTTP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http user-agent [ case-sensitive ] operator user_agent
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
user_agent
Specifies the HTTP
user agent value to match.
user_agent must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match value in HTTP user-agent header field.
Example:
The following command
defines a rule expression to match
xyz.123 in
HTTP user-agent header field:
http user-agent = xyz.123
http version
This command allows
you to define rule expressions to match version information in HTTP
headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http version [ case-sensitive ] operator http_version
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
http_version
Specifies the HTTP
version value to match.
http_version must
be an alphanumeric string of 1 through 127 characters, and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match HTTP version.
Example:
The following command
defines a rule expression to match HTTP version
http4.2:
http version = http4.2
http x-header
This command allows
you to define rule expressions to match specified field within extension-headers
(x-headers).
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] http x-header field_name [ case-sensitive ] operator string
no
If previously configured,
deletes the specified rule expression from the current ruledef.
field_name
field_name must
be an alphanumeric string of 1 through 31 characters.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
string
Specifies the HTTP
x-header value to match.
string must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match specified fields within x-headers. The
extension-header can be any header field not specified in RFCs.
All x-header fields
must begin with “x-”.
Example:
The following command
defines a rule expression to match the extension-header
test_field for
the value
test_string:
http x-header test_field = test_string
icmp any-match
This command allows
you to define rule expressions to match all ICMP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] icmp any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all ICMP packets.
Example:
The following command
defines a rule expression to match all ICMP packets:
icmp any-match = TRUE
icmp code
This command allows
you to define rule expressions to match value in the Code field
of ICMP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] icmp code operator code
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
code
Specifies the ICMP
code to match.
code must
be an integer from 0 through 255.
Usage:
Use this command to
define rule expressions to match a code field of ICMP packets.
Example:
The following command
defines a rule expression to match ICMP code
11:
icmp code = 11
icmp type
This command allows
you to define rule expressions to match value in Type field of ICMP
packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] icmp type operator type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
type
Specifies the ICMP
type to match.
type must
be an integer from 0 through 255. For example, 0 for Echo Reply,
3 for Destination Unreachable, and 5 for Redirect.
Usage:
Use this command to
define rule expressions to match a type field of ICMP packets.
Example:
The following command
defines a rule expression to match user traffic based on ICMP type
3:
icmp type = 3
icmpv6 any-match
This command allows
you to define rule expressions to match all ICMPv6 packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] icmpv6 any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all ICMPv6 packets.
Example:
The following command
defines a rule expression to match all ICMPv6 packets:
icmpv6 any-match = TRUE
icmpv6 code
This command allows
you to define rule expressions to match value in Code field of ICMPv6
packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] icmpv6 code operator code
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
code
Specifies the ICMPv6
code to match.
code must
be an integer from 0 through 255.
Usage:
Use this command to
define rule expressions to match a code field of ICMPv6 packets.
Example:
The following command
defines a rule expression to match ICMPv6 code
134:
icmpv6 code = 134
icmpv6 type
This command allows
you to define rule expressions to match type field of ICMPv6 packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] icmpv6 type operator type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
type
Specifies the ICMPv6
type to match.
type must
be an integer from 0 through 255. For example, 129 for Echo Reply,
3 for Time Exceeded, and 137 for Redirect Message.
Usage:
Use this command to
define rule expressions to match type field of ICMPv6 packets.
Example:
The following command
defines a rule expression to match ICMPv6 type
133:
icmpv6 type = 133
if-protocol
This command allows
you to associate different content IDs with the same ruledef, depending
on the protocol being used.
Privilege:
Security Administrator,
Administrator
Syntax
if-protocol { http | wsp-connection-less | wsp-connection-oriented } content-id content_id
no if-protocol { http | wsp-connection-less | wsp-connection-oriented }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
http
Specifies HTTP protocol.
This is the same as
the rule expression http
any-match = true.
wsp-connection-less
Specifies WSP connection-less
protocol.
This is the same as
requiring “wsp
any-match = true” but “wtp any-match = false” (that
is, connection-less WAP1.x).
wsp-connection-oriented
Specifies WSP connection-oriented
protocol.
This is the same as
the combined rule expression “wsp any-match = true” and “wtp any-match = true” (that
is, connection-oriented WAP1.x).
content-id content_id
Specifies the content
ID for the specified protocol.
In
12.1 and earlier releases, content_id must
be an integer from 1 through 65535.
Usage:
Use this command to
associate different content IDs with the same ruledef, depending
on the protocol being used.
This command is only
effective for charging ruledefs. See the
rule-application command
for information on how to configure charging ruledefs.
If a particular ruledef
should have three different values for content-id, depending on whether
the traffic is connection-oriented WAP1.x, connection-less WAP1.x,
or WAP2.0, within the ruledef we should have configuration similar
to the following:
if-protocol wsp-connection-oriented content-id 1
if-protocol wsp-connection-less content-id 2
if-protocol http content-id 3
Presumably, the ruledef
would have another configurable like “www url contains foo”,
which would cause it to use different content IDs when "foo" was
accessed, depending upon the protocol being used.
Example:
The following command
associates HTTP protocol and a content ID of
23:
if-protocol http content-id 23
imap any-match
This command allows
you to define rule expressions to match all IMAP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all IMAP packets.
Example:
The following command
defines a rule expression to match all IMAP packets:
imap any-match = TRUE
imap cc
This command allows
you to define rule expressions to match recipient address in the
Carbon Copy (cc) field of e-mails in IMAP messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap cc [ case-sensitive ] operator cc_address
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
cc_address
Specifies the e-mail “cc” address/name
to match.
cc_address must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match recipient address in the “cc” field
of e-mails in IMAP messages.
Example:
The following command
defines a rule expression to match recipient address
triangle@xyz.com in
the “cc” field of e-mails in IMAP messages:
imap cc contains triangle@xyz.com
imap command
This command allows
you to define rule expressions to match embedded IMAP commands in
IMAP messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap command operator command
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
command
Specifies the command
to match.
command must
be one of the following:
- append
- authenticate
- capability
- check
- close
- copy
- create
- delete
- examine
- expunge
- fetch
- list
- login
- logout
- lsub
- noop
- rename
- search
- select
- starttls
- status
- store
- subscribe
- uid-copy
- uid-fetch
- uid-search
- uid-store
- unsubscribe
Usage:
Use this command to
define rule expressions to match an embedded command in the IMAP
message.
Example:
The following command
defines a rule expression to match
close command
in IMAP messages:
imap command = close
imap content class
This command allows
you to define rule expressions to match the content-class field
of e-mails in IMAP messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap content class [ case-sensitive ] operator content_class
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
content_class
Specifies the content
class to match.
content_class must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match the content-class field of e-mails
in IMAP messages.
Example:
The following command
defines a rule expression to analyze user traffic matching content class
javax.mail.internet.MimeMultipart in
the content-class field of e-mails in IMAP messages:
imap content class contains javax.mail.internet.MimeMultipart
imap content type
This command allows
you to define rule expressions to match the content-type field of
e-mails in IMAP messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap content type [ case-sensitive ] operator content_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
content_type
Specifies the content
type field to match.
content_type must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match the content-type field of e-mails
in IMAP messages.
Example:
The following command
defines a rule expression to analyze user traffic matching content type
TEXT/plain;
charset=iso-8859-1 in the content-type field of
e-mails in IMAP messages:
imap content type contains TEXT/plain; charset=iso-8859-1
imap date
This command allows
you to define rule expressions to match the Date field of e-mails
in IMAP messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap date [ case-sensitive ] operator date
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
date
Specifies the date
to match.
date must
be an alphanumeric string of 1 through 127 characters that may include
punctuation marks and spaces as shown in the example below.
Usage:
Use this command to
define rule expressions to match the date field of e-mails in IMAP messages.
Example:
The following command
defines a rule expression to analyze user traffic matching date
Fri, 20 Jan 2012 11:00:00
-0600 in the “date” field of e-mails in
IMAP messages:
imap date contains Fri, 20 Jan 2012 11:00:00 -0600
imap final-reply
This command allows
you to define rule expressions to match final-reply value for the
last IMAP final-reply message.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap final-reply operator final_reply
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
final_reply
Specifies the “final-reply” condition
to match.
final_reply must
be one of the following:
- bad: Final
reply is invalid or bad.
- no: There
is no final reply.
- ok: Final
reply is valid.
Usage:
Use this command to
define rule expressions to match a final-reply value for the last
IMAP final-reply message.
Example:
The following command
defines a rule expression to analyze user traffic matching the final-reply
condition
bad in
the last IMAP final-reply message:
imap final-reply = bad
imap from
This command allows
you to define rule expressions to match the from field of e-mails
in IMAP messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap from [ case-sensitive ] operator from_address
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
from_address
Specifies the “from” address/value
to match.
from_address must
be an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
define rule expressions to match the from field of e-mails in IMAP messages.
Example:
The following command
defines a rule expression to analyze user traffic matching
triangle in
the “from” field of e-mails in the IMAP messages:
imap from contains triangle
imap mail-size
This command allows
you to define rule expressions to match IMAP e-mail users that have
e-mails of a specified size in their mailboxes.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap mail-size operator mail_size
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
mail_size
Specifies the total
size of mail, in bytes, to match.
mail_size must
be an integer from 0 through 4000000000.
Usage:
Use this command to
define rule expressions to discover the number of IMAP e-mail users that
have e-mails of a specified size in their mailboxes.
Example:
The following command
defines a rule expression to match users with e-mail size less than or
equal to
23400 bytes:
imap mail-size <= 23400
imap mailbox-size
This command allows
you to define rule expressions to match IMAP e-mail user having
a specified number of messages in their mailboxes.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap mailbox-size operator number_of_email
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
number_of_email
Specifies the total
number of e-mail messages in mailbox of an IMAP user to match.
number_of_email must
be an integer from 0 through 65535.
Usage:
Use this command to
define rule expressions to match the number of IMAP e-mail users having
a specified number of messages in their mailboxes.
Example:
The following command
defines a rule expression to match e-mail users having less than
or equal to
1024 e-mail
messages in their mailboxes:
imap mailbox-size <= 1024
imap message-type
This command allows
you to define rule expressions to match the type of IMAP packet.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap
message-type operator message_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
message_type
Specifies the IMAP
packet message-type to match.
message_type must
be one of the following:
- command-continuation-reply:
Message with command-continuation-reply type.
- final-reply:
Message is of final reply type.
- request:
Message is of request type.
- untagged-reply:
Message of reply type, but without any tag.
Usage:
Use this command to
define rule expressions to match the IMAP message type.
Example:
The following command
defines a rule expression to match IMAP sessions with message type
request:
imap message-type = request
imap previous-state
This command allows
you to define rule expressions to match the previous state of IMAP
request sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap
previous-state operator imap_previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
imap_previous_state
Specifies the previous
state to match.
imap_previous_state must
be one of the following:
- init: Message
in initialization state.
- request-sent:
Message in request-sent state.
Usage:
Use this command to
define rule expressions to match previous state of IMAP request session.
Example:
The following command
defines a rule expression to match IMAP sessions with previous state
init:
imap previous-state = init
imap session-length
This command allows
you to define rule expressions to match the total length of an IMAP
session.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap
session-length operator session_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
session_length
Specifies the total
length of IMAP session (in bytes) to match.
session_length must
be an integer from 1 through 4000000000.
Usage:
Use this command to
define rule expressions to match the total length of IMAP sessions.
The session length
is calculated by adding together the IP payloads (that is, starting
after the IP header) of all relevant IMAP session packets.
Example:
The following command
defines a rule expression to match IMAP sessions with length less than
or equal to
4000 bytes:
imap session-length <= 4000
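The session-length definition above, worked through as an added Python example (not code from the product or its documentation): it sums the IP payload of each packet from the header fields and evaluates an imap session-length expression against the total. The packet bytes are constructed, and treating the 40-byte fixed header as "the IP header" for IPv6 is an assumption.

```python
import operator
import struct

OPS = {"=": operator.eq, "!=": operator.ne, "<=": operator.le, ">=": operator.ge}


def ip_payload_length(packet: bytes) -> int:
    """Bytes that follow the IP header, taken from the header's own length fields."""
    if len(packet) < 20:
        raise ValueError("too short for an IP header")
    version = packet[0] >> 4
    if version == 4:
        header_len = (packet[0] & 0x0F) * 4          # IHL counts 32-bit words
        total_len = struct.unpack_from("!H", packet, 2)[0]
        if header_len < 20 or total_len < header_len:
            raise ValueError("malformed IPv4 header")
        return total_len - header_len                # options are header, not payload
    if version == 6:
        if len(packet) < 40:
            raise ValueError("too short for an IPv6 header")
        # Assumption: everything after the fixed 40-byte header counts as payload.
        return struct.unpack_from("!H", packet, 4)[0]
    raise ValueError(f"unknown IP version {version}")


def session_length(packets) -> int:
    """Sum of the IP payloads of all packets in the session."""
    return sum(ip_payload_length(p) for p in packets)


def session_length_matches(rule: str, packets) -> bool:
    """Evaluate 'imap session-length <operator> <session_length>'."""
    tokens = rule.split()
    if len(tokens) != 4 or tokens[:2] != ["imap", "session-length"] or tokens[2] not in OPS:
        raise ValueError(f"not an imap session-length expression: {rule!r}")
    limit = int(tokens[3])
    if not 1 <= limit <= 4000000000:                 # range stated in the reference
        raise ValueError("session_length must be 1 through 4000000000")
    return OPS[tokens[2]](session_length(packets), limit)


def ipv4_packet(payload: bytes, options: bytes = b"") -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0; it is not verified here)."""
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, 6, 0, bytes([10, 20, 0, 5]), bytes([10, 1, 1, 1]))
    return header + options + payload


def ipv6_packet(payload: bytes) -> bytes:
    """Build a constructed IPv6 packet with no extension headers."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), 6, 64,
                       bytes(15) + b"\x05", bytes(15) + b"\x01") + payload


TCP_HDR = bytes(20)  # placeholder 20-byte TCP header; only its length matters here

# Constructed sample session: three IPv4 packets, the second carrying 4 option bytes.
SAMPLE_SESSION = [
    ipv4_packet(TCP_HDR + b"a1 CAPABILITY\r\n"),                  # IP payload 35
    ipv4_packet(TCP_HDR + b"a1 OK done\r\n", b"\x01\x01\x01\x01"),  # IP payload 32
    ipv4_packet(TCP_HDR + b"a2 NOOP\r\n"),                        # IP payload 29
]

if __name__ == "__main__":
    print("session length:", session_length(SAMPLE_SESSION))
    print("imap session-length <= 4000:",
          session_length_matches("imap session-length <= 4000", SAMPLE_SESSION))
```

Because the count starts after the IP header, the TCP headers are included: the sample carries 36 bytes of IMAP text but has a session length of 96, which matters when choosing a threshold.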
imap session-previous-state
This command allows
you to define rule expressions to match the previous state of an
IMAP session.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap
session-previous-state operator imap_session_previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
imap_session_previous_state
Specifies the previous
state of IMAP session to match.
imap_session_previous_state must
be one of the following:
- authenticated:
Session authenticated
- connected:
Session connected
- init: Session
initialized
- mailbox-selected:
Mailbox selected
Usage:
Use this command to
define rule expressions to match the previous state of IMAP sessions.
Example:
The following command
defines a rule expression to match IMAP sessions with previous state
init:
imap session-previous-state = init
imap session-state
This command allows
you to define rule expressions to match the current state of IMAP
sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap
session-state operator session_current_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
session_current_state
Specifies the current
state to match.
session_current_state must
be one of the following:
- authenticated:
Session authenticating.
- connected:
Session connecting.
- logout:
Session logged out.
- mailbox-selected:
Mailbox selecting.
Usage:
Use this command to
define rule expressions to match the current state of IMAP sessions.
Example:
The following command
defines a rule expression to match IMAP sessions with current state
connected:
imap session-state = connected
imap state
This command allows
you to define rule expressions to match the current state of IMAP
sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap
state operator current_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
current_state
Specifies current
state of IMAP session to match.
current_state must
be one of the following:
- request-sent:
Request message sent
- response-fail:
Request response failed
- response-ok:
Request response is good
Usage:
Use this command to
define rule expressions to match the current state of IMAP session.
Example:
The following command
defines a rule expression to match IMAP sessions with current state
response-fail:
imap state = response-fail
imap subject
This command allows
you to define rule expressions to match the subject field of e-mails
in IMAP messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap
subject [ case-sensitive ] operator subject
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
subject
Specifies the “subject” to
match.
subject must
be an alphanumeric string of 1 through 127 characters, and may contain
punctuation characters and space as shown in the example below.
Usage:
Use this command to
define rule expressions to match “subject” field
of e-mail in IMAP message.
Example:
The following command
defines a rule expression to match an occurrence of the string
My test in
the “subject” field of e-mails in IMAP message:
imap subject contains My test
imap to
This command allows
you to define rule expressions to match the “to” field
of e-mails in IMAP messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] imap
to [ case-sensitive ] operator to
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
to
Specifies the “to” field
value to match.
to must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match “to” field of
e-mails in IMAP messages.
Example:
The following command
defines a rule expression to analyze user traffic matching the occurrence of
xyz.com in
the “to” field of e-mails in the IMAP message:
imap to contains xyz.com
ip any-match
This command allows
you to define rule expressions to match all IPv4/IPv6 packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
any-match operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match IPv4/IPv6 packets.
Example:
The following command
defines a rule expression to match IPv4/IPv6 packets:
ip any-match = TRUE
ip downlink
This command allows
you to define rule expressions to match downlink (network to subscriber)
packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
downlink operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match downlink (to subscriber) IP packets.
Example:
The following command
defines a rule expression to match IP packet in downlink direction:
ip downlink = TRUE
ip dst-address
This command allows
you to define rule expressions to match IP destination address field
within IP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
dst-address { operator { ipv4/ipv6_address | ipv4/ipv6_address/mask } | { !range | range } host-pool host_pool_name }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator { ipv4/ipv6_address | ipv4/ipv6_address/mask }
operator:
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
ipv4/ipv6_address:
Specifies the IP address of the destination node for outgoing traffic. ipv4/ipv6_address must
be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal
notation.
ipv4/ipv6_address/mask:
Specifies the IP address of the destination node for outgoing traffic. ipv4/ipv6_address/mask must
be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal
notation with subnet mask bit. The mask bit is a numeric value which
corresponds to the number of bits in the subnet mask.
{ !range | range } host-pool host_pool_name
!range | range:
Specifies the range criteria:
- !range:
Not in the range of
- range: In
the range of
host-pool host_pool_name: Specifies
the name of the host pool. host_pool_name must
be an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
define rule expressions to match the IP destination address field within
IP headers.
Example:
The following command
defines a rule expression to match the IPv4 destination address
10.1.1.1:
ip dst-address = 10.1.1.1
ip error
This command allows
you to define rule expressions to match user traffic for invalid
IP packets and other errors, for example IP header error, while
parsing IP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
error operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match invalid IP packets and any other errors
while parsing IP packets.
Example:
The following command
defines a rule expression to match user traffic for invalid IP packets and
other errors:
ip error = TRUE
ip protocol
This command allows
you to define rule expressions to match the protocol field in IP
headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
protocol operator { protocol_assignment_no | protocol }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to (available only in 8.1 and later releases)
- =:
Equals
- >=:
Greater than or equal to (available only in 8.1 and later releases)
protocol_assignment_no
Specifies the protocol
by assignment number.
protocol_assignment_no must
be an integer from 0 through 255.
For example, 1 for
ICMP, 6 for TCP, and 17 for UDP.
protocol
Specifies the protocol
by name.
protocol must
be one of the following:
- ah
- esp
- gre
- icmp
- icmpv6
- tcp
- udp
Usage:
Use this command to
define rule expressions to match protocol field in IP packet headers.
Example:
The following command
defines a rule expression to match protocol assignment number
1:
ip protocol = 1
ip server-ip-address
This command allows
you to define rule expressions to match the IP address of the destination
end of the connection.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
server-ip-address { operator { ipv4/ipv6_address | ipv4/ipv6_address/mask } | { !range | range } host-pool host_pool_name }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator { ipv4/ipv6_address | ipv4/ipv6_address/mask }
operator:
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
ipv4/ipv6_address:
Specifies the server IP address. For uplink packets (subscriber
to network), this field matches the destination IP address in the
IP header. For downlink packets (network to subscriber), this field
matches the source IP address in the IP header. ipv4/ipv6_address must
be an IP address in IPv4 dotted-decimal notation or IPv6 colon-separated-hexadecimal
notation.
ipv4/ipv6_address/mask:
Specifies the server IP address with subnet mask bit. For uplink
packets (subscriber to network), this field matches the destination
IP address in the IP header. For downlink packets (network to subscriber),
this field matches the source IP address in the IP header. ipv4/ipv6_address/mask must
be an IP address in IPv4 dotted-decimal notation or IPv6 colon-separated-hexadecimal
notation with subnet mask bit. The mask bit is a numeric value which
is the number of bits in the subnet mask.
{ !range | range } host-pool host_pool_name
!range | range:
Specifies the range criteria:
- !range:
Not in the range of
- range: In
the range of
host-pool host_pool_name: Specifies
name of the host pool. host_pool_name must
be an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
define rule expressions to match the IP address of the destination
end of the connection.
For uplink packets,
this field matches the destination IP address in the IP header.
For downlink packets, this field matches the source IP address in
the IP header.
Example:
The following command
defines a rule expression to match user traffic based on IPv4 server address
10.1.1.1:
ip server-ip-address = 10.1.1.1
ip src-address
This command allows
you to define rule expressions to match the source IP address field
within IP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
src-address { operator { ipv4/ipv6_address | ipv4/ipv6_address/mask } | { !range | range } host-pool host_pool_name }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator { ipv4/ipv6_address | ipv4/ipv6_address/mask }
operator:
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
ipv4/ipv6_address:
Specifies IP address of the source node for incoming traffic. ipv4/ipv6_address must
be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal
notation.
ipv4/ipv6_address/mask:
Specifies the IP address of the source node for incoming traffic
with subnet mask bit. ipv4/ipv6_address/mask must
be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal
notation with subnet mask bit. The mask bit is a numeric value which
corresponds to the number of bits in the subnet mask.
{ !range | range } host-pool host_pool_name
!range | range:
Specifies the range criteria:
- !range:
Not in the range of
- range: In
the range of
host-pool host_pool_name: Specifies
name of the host pool. host_pool_name must
be a string of 1 through 63 characters.
Usage:
Use this command to
define rule expressions to match IP source address field within
IP header.
Example:
The following command
defines a rule expression to match user traffic based on IPv4 source address
10.1.1.1:
ip src-address = 10.1.1.1
ip subscriber-ip-address
This command allows
you to define rule expressions to match the IP address of the subscriber,
which will be either the source or destination address depending
on the direction.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
subscriber-ip-address { operator { ipv4/ipv6_address | ipv4/ipv6_address/mask } | { !range | range } host-pool host_pool_name }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator { ipv4/ipv6_address | ipv4/ipv6_address/mask }
operator:
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
ipv4/ipv6_address:
Specifies the subscriber IP address. Depending on the direction
of packet this IP address will be either the IP source address or
the IP destination address. ipv4/ipv6_address must
be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal
notation.
ipv4/ipv6_address/mask:
Specifies the subscriber IP address with subnet mask bit. Depending
on the direction of packet this IP address will either be the IP
source address or the IP destination address. ipv4/ipv6_address/mask must
be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal
notation with subnet mask bit. The mask bit is a numeric value which
corresponds to the number of bits in the subnet mask.
{ !range | range } host-pool host_pool_name
!range | range:
Specifies the range criteria:
- !range:
Not in the range of
- range: In
the range of
host-pool host_pool_name: Specifies
the name of the host pool. host_pool_name must
be an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
define rule expressions to match the IP address of the subscriber, which
will be either the source or destination address depending on the direction.
Example:
The following command
defines a rule expression to match user traffic based on subscriber IPv4
address
10.1.1.1:
ip subscriber-ip-address = 10.1.1.1
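How ip src-address, ip dst-address, ip server-ip-address and ip subscriber-ip-address resolve per direction, as an added Python example that is not part of the product documentation. The Packet model, the sample flow and the pool contents are constructed; treating = with a mask as subnet membership, <= and >= as numeric address comparison, and the subscriber as the source on uplink are assumptions.

```python
import ipaddress
from dataclasses import dataclass

FIELDS = ("src-address", "dst-address", "server-ip-address", "subscriber-ip-address")


@dataclass(frozen=True)
class Packet:
    """Hypothetical model: only what these rule expressions inspect."""
    src: str
    dst: str
    uplink: bool  # True = subscriber to network, False = network to subscriber


def field_address(pkt, field):
    """Return the header address a ruledef field refers to for this packet."""
    if field == "src-address":
        return pkt.src
    if field == "dst-address":
        return pkt.dst
    if field == "server-ip-address":
        # Documented: destination on uplink, source on downlink.
        return pkt.dst if pkt.uplink else pkt.src
    if field == "subscriber-ip-address":
        # Assumption: the mirror image (source on uplink, destination on downlink).
        return pkt.src if pkt.uplink else pkt.dst
    raise ValueError(f"unknown field: {field}")


def parse_rule(line):
    """Split 'ip <field> <operator> <operand>' or 'ip <field> [!]range host-pool <name>'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "ip" or tokens[1] not in FIELDS:
        raise ValueError(f"not an ip address rule expression: {line!r}")
    field, op = tokens[1], tokens[2]
    if op in ("range", "!range"):
        if len(tokens) != 5 or tokens[3] != "host-pool":
            raise ValueError(f"expected 'host-pool <name>': {line!r}")
        return field, op, tokens[4]
    if op not in ("=", "!=", "<=", ">=") or len(tokens) != 4:
        raise ValueError(f"bad operator or operand: {line!r}")
    return field, op, tokens[3]


def matches(line, pkt, host_pools=None):
    """Evaluate one rule expression against one packet."""
    field, op, operand = parse_rule(line)
    addr = ipaddress.ip_address(field_address(pkt, field))
    if op in ("range", "!range"):
        if not host_pools or operand not in host_pools:
            raise ValueError(f"host pool not defined: {operand}")
        inside = any(addr in ipaddress.ip_network(n, strict=False)
                     for n in host_pools[operand])
        return inside if op == "range" else not inside
    net = ipaddress.ip_network(operand, strict=False)  # bare address becomes /32 or /128
    if op in ("=", "!="):
        inside = addr in net  # False when the IP versions differ
        return inside if op == "=" else not inside
    if "/" in operand:
        raise ValueError("ordering against address/mask is not modelled in this example")
    if addr.version != net.version:
        return False
    return addr <= net.network_address if op == "<=" else addr >= net.network_address


# Constructed sample flow: one subscriber talking to the server from the examples above.
SUBSCRIBER, SERVER = "10.20.0.5", "10.1.1.1"
UPLINK = Packet(src=SUBSCRIBER, dst=SERVER, uplink=True)
DOWNLINK = Packet(src=SERVER, dst=SUBSCRIBER, uplink=False)


def directions_matched(line, host_pools=None):
    """Which directions of the sample flow a rule expression matches."""
    flow = (("uplink", UPLINK), ("downlink", DOWNLINK))
    return [name for name, pkt in flow if matches(line, pkt, host_pools)]


if __name__ == "__main__":
    for rule in ("ip dst-address = 10.1.1.1",
                 "ip src-address = 10.1.1.1",
                 "ip server-ip-address = 10.1.1.1",
                 "ip subscriber-ip-address = 10.20.0.0/16"):
        print(f"{rule:45} {directions_matched(rule)}")
```

A rule written with ip dst-address or ip src-address covers only one direction of the flow, while ip server-ip-address and ip subscriber-ip-address cover both; that is the gap to look for when reviewing a ruledef meant to classify all traffic to or from a host.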
ip total-length
This command allows
you to define rule expressions to match the total length field in
IP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
total-length operator total_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
total_length
Specifies the total
length of the IP packet (including payload) to match.
total_length must
be an integer from 0 through 4096.
Usage:
Use this command to
define rule expressions to match the total length field in IP headers.
Example:
The following command
defines a rule expression to match user traffic based on IP total length
of
2000 bytes:
ip total-length = 2000
ip uplink
This command allows
you to define rule expressions to match uplink (subscriber to network)
IP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
uplink operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match uplink (subscriber to network)
IP packets.
Example:
The following command
defines a rule expression to match uplink packets:
ip uplink = TRUE
ip version
This command allows
you to define rule expressions to match the version number in IP
headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
version operator ip_version
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be = (equals).
ip_version
Specifies the IP version
to match.
ip_version must
be one of the following:
Usage:
Use this command to
define rule expressions to match version number in IP header.
Example:
The following command
defines a rule expression to match user traffic for the IP version
ipv6:
ip version = ipv6
mms any-match
This command allows
you to define rule expressions to match all Multimedia Messaging
Service (MMS) packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
any-match operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all MMS packets.
Example:
The following command
defines a rule expression to match all MMS packets:
mms any-match = TRUE
mms bcc
This command allows
you to define rule expressions to match recipient addresses in the
bcc field of MMS messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
bcc [ case-sensitive ] operator bcc_address
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
bcc_address
Specifies the “bcc” address/value
to match.
bcc_address must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters and space.
Usage:
Use this command to
define rule expressions to match recipient address in the “bcc” field of
MMS messages.
Example:
The following command
defines a rule expression to match recipient address containing
test1 in “bcc” field
of MMS messages:
mms bcc contains test1
mms cc
This command allows
you to define rule expressions to match recipient addresses in the
cc field of MMS messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
cc [ case-sensitive ] operator cc_address
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
cc_address
Specifies the “cc” address/value
to match.
cc_address must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters and space.
Usage:
Use this command to
define rule expressions to match recipient addresses in “cc” field
of MMS messages.
Example:
The following command
defines a rule expression to match recipient address containing
test1 in
the “cc” field of MMS messages:
mms cc contains test1
mms content location
This command allows
you to define rule expressions to match the content-location field
of MMS messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
content location [ case-sensitive ] operator string
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
string
Specifies the value
to match.
string must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters and space.
Usage:
Use this command to
define rule expressions to match the content-location field of MMS messages.
Example:
The following command
defines a rule expression to match
test1 in
content-location field of MMS messages:
mms content location contains test1
mms content type
This command allows
you to define rule expressions to match the content-type field of
MMS messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
content type [ case-sensitive ] operator content_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
content_type
Specifies the MMS
content type to match.
content_type must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters and space.
Usage:
Use this command to
define rule expressions to match content-type field of MMS messages.
Example:
The following command
defines a rule expression to match
image in
content-type field of MMS messages:
mms content type contains image
mms downlink
This command allows
you to define rule expressions to match downlink (network to subscriber)
MMS packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
downlink operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the downlink
(from the Mobile Node direction) status to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match downlink MMS packets.
Example:
The following command
defines a rule expression to match all downlink MMS packets:
mms downlink = TRUE
mms from
This command allows
you to define rule expressions to match the “from” field
in MMS messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
from [ case-sensitive ] operator from_address
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
from_address
Specifies the “from” address/value
to match.
from_address must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters and space.
Usage:
Use this command to
define rule expressions to match the “from” field
of MMS messages.
Example:
The following command
defines a rule expression to match
test1 in
the “from” field of MMS messages:
mms from contains test1
mms message-id
This command allows
you to define rule expressions to match the message ID field of
MMS messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
message-id [ case-sensitive ] operator message_id
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
message_id
Specifies the MMS
message ID to match.
message_id must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match the “message ID” field
of MMS messages.
Example:
The following command
defines a rule expression to match
test1 in
the “message ID” field of MMS messages:
mms message-id contains test1
mms pdu-type
This command allows
you to define rule expressions to match Protocol Data Unit (PDU)
type in the current MMS packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
pdu-type operator
pdu_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
pdu_type
Specifies the MMS
PDU type to match.
pdu_type must
be one of the following:
- mms-pdu-type-m-acknowledge-ind
- mms-pdu-type-m-delivery-ind
- mms-pdu-type-m-http-get
- mms-pdu-type-m-notification-ind
- mms-pdu-type-m-notify-rsp-ind
- mms-pdu-type-m-retrieve-conf
- mms-pdu-type-m-send-conf
- mms-pdu-type-m-send-request
- mms-pdu-type-m-wsp-get
- mms-pdu-type-response:
This option is deprecated. Use the mms_pdu_type_m_retrieve_conf option instead.
Usage:
Use this command to
define rule expressions to match the PDU type in the current MMS packet.
Example:
The following command
defines a rule expression to match PDU type
mms-pdu-type-m-http-get in
the current MMS packet:
mms pdu-type = mms-pdu-type-m-http-get
mms previous-state
This command allows
you to define rule expressions to match the previous state of MMS
sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
previous-state operator mms_previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
mms_previous_state
Specifies the previous
state to match.
mms_previous_state must
be one of the following:
- delayed-ack-pending:
This option is deprecated, use retrieve-conf-received.
- delayed-m-notify-rsp-sent:
This option is deprecated, use notify-rsp-sent.
- delayed-retrieval-pending:
This option is deprecated, use retrieval-pending.
- immediate-retrieval-pending:
This option is deprecated, use retrieval-pending.
- init
- m-send-conf-rcvd:
This option is deprecated, use send-success.
- m-send-req-sent
- notification-ind-rcvd
- notify-rsp-sent
- retrieval-pending
- retrieve-conf-received
- send-success
Usage:
Use this command to
define rule expressions to match the previous state of MMS sessions.
Example:
The following command
defines a rule expression to match user traffic based on MMS previous
state of
retrieval-pending:
mms previous-state = retrieval-pending
mms response status
This command allows
you to define rule expressions to match the response status code
of MMS messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
response status operator status_code
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
status_code
Specifies the status
code to match.
status_code must
be an integer from 128 through 136.
Usage:
Use this command to
define rule expressions to match response status code of MMS messages.
Example:
The following command
defines a rule expression to match user traffic based on MMS response
status code
129:
mms response status = 129
mms state
This command allows
you to define rule expressions to match the current state of MMS
sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
state operator current_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
current_state
Specifies current
state of MMS session to match.
current_state must
be one of the following:
- delayed-ack-pending:
This option is deprecated, use retrieve-conf-received.
- delayed-m-notify-rsp-sent:
This option is deprecated, use notify-rsp-sent.
- delayed-retrieval-pending:
This option is deprecated, use retrieval-pending.
- delivery-failed
- delivery-success
- immediate-retrieval-pending:
This option is deprecated, use retrieval-pending.
- m-send-conf-rcvd:
This option is deprecated, use send-success.
- m-send-req-sent
- notification-ind-rcvd
- notify-rsp-sent
- retrieval-failed
- retrieval-pending
- retrieval-success
- retrieve-conf-received
- send-success
Usage:
Use this command to
define rule expressions to match the current state of MMS session.
Example:
The following command
defines a rule expression to match user traffic based on the current state
of MMS session as
retrieval-failed:
mms state = retrieval-failed
mms status
This command allows
you to define rule expressions to match the current status of MMS
sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
status operator status
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
status
Specifies the MMS
status to match.
status must
be an integer from 128 through 132.
Usage:
Use this command to
define rule expressions to match current status of MMS sessions.
Example:
The following command
defines a rule expression to match user traffic based on MMS current
status
130:
mms status = 130
mms subject
This command allows
you to define rule expressions to match the “subject” field of
MMS messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
subject [ case-sensitive ] operator subject_string
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
subject_string
Specifies the value
to match.
subject_string must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters and space.
Usage:
Use this command to
define rule expressions to match “subject” field
of MMS messages.
Example:
The following command
defines a rule expression to match
test1 in
the “subject” field of MMS messages:
mms subject contains test1
mms tid
This command allows
you to define rule expressions to match the “Transaction Identifier” (TID)
field of MMS messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
tid [ case-sensitive ] operator transaction_id
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
transaction_id
Specifies the MMS
TID to match.
transaction_id must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match TID field of MMS messages.
Example:
The following command
defines a rule expression to match
test in
TID field of MMS messages:
mms tid = test
mms to
This command allows
you to define rule expressions to match the “to” field
of MMS messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
to [ case-sensitive ] operator to_address
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
to_address
Specifies the “to” address/name
to match.
to_address must
be an alphanumeric string of 1 through 127 characters, and may contain
punctuation characters and space.
Usage:
Use this command to
define rule expressions to match “to” field of
MMS messages.
Example:
The following command
defines a rule expression to match user traffic based on
test in “to” field
of MMS messages:
mms to = test
mms uplink
This command allows
you to define rule expressions to match uplink (subscriber to network)
MMS packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
uplink operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the uplink
(from the Mobile Node direction) status to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match uplink MMS packets.
Example:
The following command
defines a rule expression to match uplink MMS packets:
mms uplink = TRUE
mms version
This command allows
you to define rule expressions to match the MMS version in MMS packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] mms
version operator version
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
version
Specifies the MMS
version to match.
version must
be an integer from 1 through 65535.
IMPORTANT:
MMS protocol analyzer
supports decoding of only MMS version 1.0.
Usage:
Use this command to
define rule expressions to match MMS version in MMS packets.
Example:
The following command
defines a rule expression to match MMS version
1.0 in MMS
packets:
mms version = 1
multi-line-or all-lines
This command applies
the OR operator to all lines in the current ruledef.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] multi-line-or
all-lines
no
If previously configured,
deletes this configuration in the current ruledef.
multi-line-or all-lines
Applies the OR operator
to all lines in the current ruledef.
Usage:
When a ruledef is
evaluated, if the multi-line-or
all-lines command is configured, the logical OR operator
is applied to all the rule expressions in the ruledef to decide
if the ruledef matches or not. If the multi-line-or all-lines command
is not configured, the logical AND operator is applied to all the
rule expressions.
The intent of this
command is to allow a single ruledef to specify multiple URL expressions.
Otherwise, multiple ruledefs need to be created, each with one URL
expression. When this CLI command is used, each expression in the
ruledef impacts the total number of ruledefs allowed. So from a “maximum
number of possible ruledefs” perspective, it makes no difference
whether there are N ruledefs with one expression each, or one ruledef
with N expressions.
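The AND/OR behaviour described above, as an added example: a simplified Python model written for this page, not StarOS code. Field names reuse the expression names from this chapter; treating an absent field as a non-match and range bounds as inclusive are assumptions.

```python
# Simplified model of ruledef evaluation. Constructed for illustration; not StarOS code.
STRING_OPS = {
    "=": lambda field, value: field == value,
    "contains": lambda field, value: value in field,
    "starts-with": lambda field, value: field.startswith(value),
    "ends-with": lambda field, value: field.endswith(value),
}
NUMERIC_OPS = {
    "=": lambda field, value: field == value,
    "<=": lambda field, value: field <= value,
    ">=": lambda field, value: field >= value,
}
MAX_EXPRESSIONS = 10  # the page's limit of rule expressions per ruledef


def match_expression(expression, packet):
    """Evaluate one rule expression against a dict of decoded packet fields."""
    field = packet.get(expression["field"])
    if field is None:
        return False  # assumption: an expression on an absent field does not match
    op, value = expression["op"], expression["value"]
    negate = op.startswith("!")  # !=, !contains, !range ... invert the base operator
    base = op[1:] if negate else op
    if base == "range":
        low, high = value
        result = low <= field <= high  # assumption: both bounds are inclusive
    elif isinstance(field, str):
        if not expression.get("case_sensitive", False):  # not case-sensitive by default
            field, value = field.lower(), value.lower()
        result = STRING_OPS[base](field, value)
    else:
        result = NUMERIC_OPS[base](field, value)
    return not result if negate else result


def ruledef_matches(ruledef, packet):
    """AND all expressions unless multi-line-or all-lines is configured, then OR."""
    expressions = ruledef["expressions"]
    if not 1 <= len(expressions) <= MAX_EXPRESSIONS:
        raise ValueError("a ruledef holds 1 to 10 rule expressions")
    results = [match_expression(e, packet) for e in expressions]
    return any(results) if ruledef.get("multi_line_or", False) else all(results)


def rule(field, op, value, case_sensitive=False):
    """Build one rule expression (hypothetical helper for this example)."""
    return {"field": field, "op": op, "value": value, "case_sensitive": case_sensitive}


# Three expressions on the same field: under the default AND they can never all hold,
# so this ruledef is dead unless multi-line-or all-lines is configured.
CREDENTIAL_COMMANDS = [
    rule("pop3 command name", "=", "user"),
    rule("pop3 command name", "=", "pass"),
    rule("pop3 command name", "=", "apop"),
]
RULEDEF_AND = {"expressions": CREDENTIAL_COMMANDS}
RULEDEF_OR = {"expressions": CREDENTIAL_COMMANDS, "multi_line_or": True}

# The default AND is the right choice when the expressions test different fields.
RULEDEF_USER_AND_SIZE = {"expressions": [
    rule("pop3 user-name", "=", "test"),
    rule("pop3 mail-size", "range", (1000, 50000)),
]}

# Constructed packets, already decoded into fields keyed by expression name.
PKT_USER = {"pop3 command name": "user", "pop3 user-name": "Test", "pop3 mail-size": 40000}
PKT_LIST = {"pop3 command name": "list", "pop3 user-name": "other", "pop3 mail-size": 500}

if __name__ == "__main__":
    for label, ruledef in [("AND", RULEDEF_AND), ("OR", RULEDEF_OR),
                           ("user+size", RULEDEF_USER_AND_SIZE)]:
        for name, packet in [("PKT_USER", PKT_USER), ("PKT_LIST", PKT_LIST)]:
            print(f"{label:10} {name}: {ruledef_matches(ruledef, packet)}")
```

A ruledef that lists several alternative values for one field and never matches in testing is a sign that multi-line-or all-lines is missing.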
p2p any-match
This command allows
you to define rule expressions to match all Peer-to-Peer (P2P) packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] p2p
any-match operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
condition
Specifies the condition
to match.
condition must
be one of the following:
- TRUE: The
rule matches any P2P traffic.
- FALSE: The
rule does not match any P2P traffic.
Usage:
Use this command to
define rule expressions to match all P2P packets.
Example:
The following command
defines a rule expression to match all P2P packets:
p2p any-match = TRUE
p2p protocol
This command allows
you to define rule expressions to match P2P protocol. This command
must be used for charging purposes. It must not be used for
detection purposes.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] p2p
protocol operator
protocol
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be = (equals).
protocol
Specifies the protocol
to match.
protocol must
be one of the following:
Usage:
Use this command to
define rule expressions to detect P2P protocols for charging purposes.
For detection purposes use the p2p-detection protocol command
in the ACS Configuration Mode.
Example:
The following command
specifies to detect orb protocol for charging purposes:
p2p protocol = orb
p2p traffic-type
This command allows
you to define rule expressions to match traffic type—audio,
video, and unclassified.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] p2p
traffic-type operator traffic_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
traffic_type
Specifies the traffic
type to match.
In 11.0 and later releases, traffic_type must
be one of the following:
In
10.0 and earlier releases, traffic_type must
be voice.
Usage:
Use this command to
configure the system to detect voice or non-voice P2P traffic. When the
detection of a protocol is enabled then the detection of sub-type
is enabled by default.
Example:
The following command
configures the system to detect video traffic:
p2p traffic-type = video
pop3 any-match
This command allows
you to define rule expressions to match all Post Office Protocol 3
(POP3) packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pop3
any-match operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all POP3 packets.
Example:
The following command
defines a rule expression to match all POP3 packets:
pop3 any-match = TRUE
pop3 command args
This command allows
you to define rule expressions to match POP3 command arguments.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pop3
command args [ case-sensitive ] operator argument
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
argument
Specifies the command
argument to match.
argument must
be an alphanumeric string of 1 through 40 characters, and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match POP3 command argument.
Example:
The following command
defines a rule expression to match POP3 command argument
test:
pop3 command args = test
pop3 command id
This command allows
you to define rule expressions to match POP3 command ID.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pop3
command id operator command_id
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
command_id
Specifies the command
ID to match.
command_id must
be an integer from 1 through 12.
Usage:
Use this command to
define rule expressions to match a POP3 command ID.
Example:
The following command
defines a rule expression to match POP3 command ID
8:
pop3 command id = 8
pop3 command name
This command allows
you to define rule expressions to match command sent within a POP3
packet.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pop3
command name operator command_name
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
command_name
Specifies the command
name to match.
command_name must
be one of the following:
- apop
- dele
- list
- noop
- pass
- quit
- retr
- reset
- stat
- top
- uidl
- user
Usage:
Use this command to
define rule expressions to match commands sent within POP3 packets.
Example:
The following command
defines a rule expression to match the
list command
sent in POP3 packets:
pop3 command name = list
pop3 mail-size
This command allows
you to define rule expressions to match POP3 mail size.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pop3
mail-size { operator mail_size | { range | !range } range_from to range_to }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
{ range | !range } range_from to range_to
Enables or disables
the range criteria.
- range: Enables
the range criteria.
- !range:
Disables the range criteria.
- range_from:
Specifies the start of the range. range_from must
be an integer from 1 through 4000000000.
- range_to:
Specifies the end of the range. range_to must
be an integer from 1 through 4000000000, and must be greater than range_from.
mail_size
Specifies the mail
size to match.
mail_size must
be an integer from 1 through 4000000000.
Usage:
Use this command to
define rule expressions to match POP3 mail size.
Example:
The following command
defines a rule expression to match POP3 mail size of
40000:
pop3 mail-size = 40000
pop3 pdu-length
This command allows
you to define rule expressions to match the Protocol Data Unit (PDU)
length of POP3 packets equal to the POP3 header plus POP3 payload.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pop3
pdu-length { operator pdu_length | { { range | !range } range_from to range_to } }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
{ range | !range } range_from to range_to
Enables or disables
the range criteria.
- range: Enables
the range criteria.
- !range:
Disables the range criteria.
- range_from:
Specifies the start of range as an integer from 0 through 65535.
- range_to:
Specifies the end range. range_to must
be an integer from 0 through 65535, and must be greater than range_from.
pdu_length
Specifies the POP3
PDU length to match.
pdu_length must
be an integer from 0 through 65535.
Usage:
Use this command to
define rule expressions to match POP3 PDU length (header + payload)
in bytes.
Example:
The following command
defines a rule expression to match PDU length of
1000 bytes:
pop3 pdu-length = 1000
pop3 pdu-type
This command allows
you to define rule expressions to match POP3 Protocol Data Unit
(PDU) type.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pop3
pdu-type operator
pdu_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
pdu_type
Specifies the POP3
PDU type to match.
pdu_type must
be one of the following:
- command-packet
- data-packet
- relay-packet
Usage:
Use this command to
define rule expressions to match POP3 PDU type.
Example:
The following command
defines a rule expression to match POP3 PDU type
relay-packet:
pop3 pdu-type = relay-packet
pop3 previous-state
This command allows
you to define rule expressions to match the previous state of POP3
sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pop3
previous-state operator pop3_previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
pop3_previous_state
Specifies the previous
state to match.
pop3_previous_state must
be one of the following:
- connected:
Connected state
- data transaction:
Data transaction state
- init: Initialized
state
- reply-error:
Reply error state
- reply-ok:
Response ok state
- waiting-for-reply:
Waiting for reply state
Usage:
Use this command to
define rule expressions to match a POP3 previous state.
Example:
The following command
defines a rule expression to match user traffic for a POP3 previous state
of
connected:
pop3 previous-state = connected
pop3 reply args
This command allows
you to define rule expressions to match specified arguments with
POP3 reply.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pop3
reply args [ case-sensitive ] operator argument
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
argument
Specifies the reply
argument to match.
In
11.0 and earlier releases, argument must
be an alphanumeric string of 1 through 512 characters, and may contain
punctuation characters.
In 12.0 and later releases, argument must
be an alphanumeric string of 1 through 127 characters, and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match specified arguments within a POP3 reply.
Example:
The following command
defines a rule expression to match the argument
test with
POP3 replies:
pop3 reply args = test
pop3 reply id
This command allows
you to define rule expressions to match POP3 reply ID.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pop3
reply id operator
reply_id
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
reply_id
Specifies the POP3
reply ID to match.
reply_id must
be one of the following:
- 0: Unknown
reply
- 1: +OK
- 2: -Error
Usage:
Use this command to
define rule expressions to match POP3 reply ID.
Example:
The following command
defines a rule expression to match POP3 reply ID of
2:
pop3 reply id = 2
pop3 reply status
This command allows
you to define rule expressions to match POP3 reply status.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pop3
reply status operator reply_status
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
reply_status
Specifies the reply
status to match.
reply_status must
be one of the following:
- +OK:
Reply OK
- -ERR: Reply
error
Usage:
Use this command to
define rule expressions to match POP3 reply status.
Example:
The following command
defines a rule expression to match POP3 reply status
+OK:
pop3 reply status = +OK
pop3 session-length
This command allows
you to define rule expressions to match POP3 session-length.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pop3
session-length { operator session_length | { range | !range } range_from to range_to }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
session_length
Specifies the POP3
session length to match.
session_length must
be an integer from 1 through 4000000000.
{ range | !range } range_from to range_to
Enables or disables
the range criteria for POP3 session length.
- range: Enables
the range criteria for POP3 session length.
- !range:
Disables the range criteria for POP3 session length.
- range_from:
Specifies the start of range of POP3 session as an integer from
1 through 4000000000, but less than or equal to range_to.
- range_to:
Specifies the end of range of POP3 session as an integer from 1
through 4000000000, but greater than or equal to range_from.
Usage:
Use this command to
define rule expressions to match the total length of POP3 sessions.
Example:
The following command
defines a rule expression to match a POP3 session length of
40000:
pop3 session-length = 40000
pop3 state
This command allows
you to define rule expressions to match the current state of POP3
sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pop3
state operator current_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
current_state
Specifies the current
state to match.
current_state must
be one of the following:
- close
- connected
- data-transaction
- reply-error
- reply-ok
- waiting-for-reply
Usage:
Use this command to
define rule expressions to match the current state of POP3 sessions.
Example:
The following command
defines a rule expression to match the POP3 current state
close:
pop3 state = close
pop3 user-name
This command allows
you to define rule expressions to match POP3 user name.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pop3
user-name [ case-sensitive ] operator user_name
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
user_name
Specifies the POP3
user name to match.
user_name must
be an alphanumeric string of 1 through 64 characters, and may contain
punctuation characters and space.
Usage:
Use this command to
define rule expressions to match POP3 user name.
Example:
The following command
defines a rule expression to match POP3 user name
test:
pop3 user-name = test
pptp any-match
This command allows
you to define a rule expression to match all Point-to-Point Tunneling
Protocol (PPTP) packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pptp
any-match operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
specify a ruledef to analyze user traffic based on the PPTP any
match status.
Example:
The following command
creates a PPTP ruledef for analyzing user traffic using a PPTP any match
status of
FALSE:
pptp any-match = FALSE
pptp ctrl-msg-type
This command allows
you to define rule expressions to match control message type in
PPTP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pptp
ctrl-msg-type = message_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
message_type
message_type must
be one of the following:
- call-clear-request
- call-disconnect-notify
- echo-reply
- echo-request
- incoming-call-connected
- incoming-call-reply
- incoming-call-request
- outgoing-call-reply
- outgoing-call-request
- set-link-info
- start-control-connection-reply
- start-control-connection-request
- stop-control-connection-reply
- stop-control-connection-request
- wan-error-notify
Usage:
Use this command to
define rule expressions to match the control message type in PPTP packets.
Example:
The following command
specifies to match
echo-reply message
type:
pptp ctrl-msg-type = echo-reply
pptp gre any-match
This command allows
you to define rule expressions to match all PPTP Generic Routing
Encapsulation (GRE) packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] pptp
gre any-match = condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
condition
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all PPTP GRE packets.
Example:
The following command
defines a rule expression to match all PPTP GRE packets:
pptp gre any-match = TRUE
rtcp any-match
This command allows
you to define rule expressions to match all Real-Time Transport
Control Protocol (RTCP) packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtcp
any-match operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
- TRUE: The
rule matches any RTCP traffic.
- FALSE: The
rule does not match any RTCP traffic.
Usage:
Use this command to
define rule expressions to match all RTCP packets.
Example:
The following command
defines a rule expression to match all RTCP packets:
rtcp any-match = TRUE
rtcp jitter
This command allows
you to define rule expressions to match the jitter parameter in
RTCP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtcp
jitter operator
jitter
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
jitter
Specifies the RTCP
inter-arrival jitter value (in milliseconds) to match.
jitter must
be an integer from 0 through 4294967295.
Usage:
Use this command to
define rule expressions to match jitter parameter found in the RTCP sender
report or receiver report packets.
Example:
The following command
matches packets for jitter greater than or equal to 1295 milliseconds:
rtcp jitter >= 1295
rtcp parent-proto
This command allows
you to define rule expressions to match the parent protocol of the
RTCP flow.
IMPORTANT:
This command is available
only in 8.1
and 9.0 and later releases.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtcp
parent-proto operator parent_protocol
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
parent_protocol
Specifies the RTCP
parent protocol to match.
parent_protocol must
be one of the following:
- rtsp: Real
Time Streaming Protocol
- sip: Session
Initiation Protocol
Usage:
Use this command to
define rule expressions to match user traffic based on the parent protocol
of the RTCP flow.
Example:
The following command
defines a rule expression to match user traffic based on SIP being the
parent protocol of the RTCP flow:
rtcp parent-proto = sip
rtcp pdu-length
This command allows
you to define rule expressions to match Protocol Data Unit (PDU)
length of RTCP packets (RTCP header + RTCP payload).
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtcp
pdu-length operator pdu_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
pdu_length
Specifies the RTCP
length (in bytes) to match.
In 8.1 and later releases, pdu_length must
be an integer from 1 through 65535.
In 8.0, pdu_length must
be an integer from 1 through 2000.
Usage:
Use this command to
define rule expressions to match RTCP PDU length (header + payload)
in bytes.
Example:
The following command
defines a rule expression to match user traffic based on an RTCP PDU
length of
10000 bytes:
rtcp pdu-length = 10000
rtcp rtsp-id
This command allows
you to define rule expressions to match user traffic based on a
Real-time Streaming Protocol (RTSP) ID associated with an RTCP flow.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtcp
rtsp-id [ case-sensitive ] operator rtsp_id
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
rtsp_id
Specifies the value
to match.
rtsp_id must
be an alphanumeric string of 1 through 32 characters.
Usage:
Use this command to
define rule expressions to match an RTSP ID associated with an RTCP
flow.
Example:
The following command
defines a rule expression to match user traffic containing RTSP message
ID of
test1:
rtcp rtsp-id contains test1
rtcp session-length
This command allows
you to define rule expressions to match the total length of RTCP
sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtcp
session-length operator session_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
session_length
Specifies the RTCP
total session length (in bytes) to match.
In 8.1 and later releases, session_length must be
an integer from 1 through 4000000000.
In 8.0, session_length must
be an integer from 1 through 40000000.
Usage:
Use this command to
define rule expressions to match RTCP total session length.
Example:
The following command
defines a rule expression to match user traffic for a total RTCP session
length of
200000:
rtcp session-length = 200000
rtcp uri
This command allows
you to define rule expressions to match URI associated with RTCP
flows.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtcp uri [ case-sensitive ] operator uri
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
uri
Specifies the URI
to match.
uri must
be an alphanumeric string of 1 through 127 characters and may include
punctuation characters.
Usage:
Use this command to
define rule expressions to match URI associated with RTCP flow.
Example:
The following command
defines a rule expression to match user traffic for RTCP URI
rtsp://www.example.org:
rtcp uri = rtsp://www.example.org
rtp any-match
This command allows
you to define rule expressions to match all Real-time Transport
Protocol (RTP) packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtp any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all RTP packets.
Example:
The following command
defines a rule expression to match all RTP packets:
rtp any-match = TRUE
rtp parent-proto
This command allows
you to define rule expressions to match the parent protocol of the
RTP flow.
IMPORTANT:
This command is available
only in 8.1
and in 9.0 and later releases.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtp parent-proto operator parent_protocol
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
parent_protocol
Specifies the RTP
parent protocol to match.
parent_protocol must
be one of the following:
- rtsp: Real Time Streaming Protocol
- sip: Session Initiation Protocol
Usage:
Use this command to
define rule expressions to match user traffic based on the parent protocol
of the RTP flow.
Example:
The following command
defines a rule expression to match user traffic with parent protocol of
the RTP flow being SIP:
rtp parent-proto = sip
rtp pdu-length
This command allows
you to define rule expressions to match PDU length of RTP packets,
equal to the RTP header + RTP payload.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtp pdu-length operator pdu_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
pdu_length
Specifies the RTP
PDU length (in bytes) to match.
In 8.1 and later releases, pdu_length must
be an integer from 1 through 65535.
In 8.0, pdu_length must
be an integer from 1 through 2000.
Usage:
Use this command to
define rule expressions to match PDU length (header + payload)
of RTP packets in bytes.
Example:
The following command
defines a rule expression to match an RTP PDU length of
1000 bytes:
rtp pdu-length = 1000
rtp rtsp-id
This command allows
you to define rule expressions to match RTSP ID associated with
RTP flows.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtp rtsp-id [ case-sensitive ] operator rtsp_id
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
rtsp_id
Specifies the RTSP
ID to match.
rtsp_id must
be an alphanumeric string of 1 through 32 characters.
Usage:
Use this command to
define rule expressions to match RTSP ID associated with RTP flows.
Example:
The following command
defines a rule expression to match RTSP message ID of
test1:
rtp rtsp-id contains test1
rtp session-length
This command allows
you to define rule expressions to match the total length of RTP
sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtp session-length operator session_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
session_length
Specifies the RTP
total session length (in bytes) to match.
In 8.1 and later releases, session_length must be
an integer from 1 through 4000000000.
In release 8.0, session_length must
be an integer from 1 through 40000000.
Usage:
Use this command to
define rule expressions to match the RTP total session length. The session-length
is calculated by adding together the “rtp pdu-length” values
of all relevant packets.
Example:
The following command
defines a rule expression to match a total RTP session length of
200000:
rtp session-length = 200000
rtp uri
This command allows
you to define rule expressions to match the media URI associated
with RTP flows.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtp uri [ case-sensitive ] operator uri
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
uri
Specifies the RTP
URI to match.
uri must
be an alphanumeric string of 1 through 127 characters. uri allows
punctuation characters and excludes the “host” portion.
Usage:
Use this command to
define rule expressions to match media URI associated with RTP flow.
Example:
The following command
defines a rule expression to match the RTP URI string
rtsp://www.example.org:
rtp uri = rtsp://www.example.org
rtsp any-match
This command allows
you to define rule expressions to match all Real Time Streaming
Protocol (RTSP) packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all RTSP packets.
Example:
The following command
defines a rule expression to match all RTSP packets:
rtsp any-match = TRUE
rtsp content length
This command allows
you to define rule expressions to match the content length field
in RTSP header.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp content length operator content_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
content_length
Specifies the content
length (in bytes) to match.
content_length must
be an integer from 0 through 65535.
Usage:
Use this command to
define rule expressions to match “content length” field
in RTSP headers.
Example:
The following command
defines a rule expression to match content length of
10000 in
RTSP headers:
rtsp content length = 10000
rtsp content type
This command allows
you to define rule expressions to match the content type field in
RTSP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp content type [ case-sensitive ] operator content_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
content_type
Specifies the content
type to match.
content_type must
be an alphanumeric string of 1 through 127 characters, and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match “content type” field
in RTSP headers.
Example:
The following command
defines a rule expression to match RTSP content type
abc100:
rtsp content type = abc100
rtsp date
This command allows
you to define rule expressions to match the date field in the RTSP
message headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp date [ case-sensitive ] operator date
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
date
Specifies the date
in RTSP header to match.
date must
be an alphanumeric string of 1 through 127 characters, and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match the “date” field
in the RTSP message headers.
Example:
The following command
defines a rule expression to match the date
12_04_2006 in
RTSP message headers:
rtsp date = 12_04_2006
rtsp previous-state
This command allows
you to define rule expressions to match the previous state of RTSP
sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp previous-state operator rtsp_previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
rtsp_previous_state
Specifies the previous
state to match.
rtsp_previous_state must
be one of the following:
- init
- open
- play
- ready
- record
Usage:
Use this command to
define rule expressions to match the previous state of RTSP sessions.
Example:
The following command
defines a rule expression to match RTSP previous state
ready:
rtsp previous-state = ready
rtsp reply code
This command allows
you to define rule expressions to match the return code in RTSP
responses.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp reply code operator reply_code
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
reply_code
Specifies the RTSP
reply code to match.
reply_code must
be an integer from 100 through 599.
Usage:
Use this command to
define rule expressions to match the return code in RTSP response.
Example:
The following command
defines a rule expression to match RTSP return code
302:
rtsp reply code = 302
rtsp request method
This command allows
you to define rule expressions to match the method in RTSP responses.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp request method operator request_method
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
request_method
Specifies the RTSP
request method to match.
request_method must
be one of the following requests:
- announce
- describe
- get-parameter
- options
- pause
- play
- record
- redirect
- set-parameter
- setup
- teardown
Usage:
Use this command to
define rule expressions to match the method in RTSP responses.
Example:
The following command
defines a rule expression to match RTSP request method
announce:
rtsp request method = announce
rtsp request packet
This command allows
you to define rule expressions to match all RTSP request messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp request packet operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
- TRUE: Is request
- FALSE: Is response
Usage:
Use this command to
define rule expressions to match all RTSP request messages.
Example:
The following command
defines a rule expression to match all RTSP request messages:
rtsp request packet = TRUE
rtsp rtp-seq
This command allows
you to define rule expressions to match the “seq” field
in the RTP-Info header of RTSP responses.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp rtp-seq operator sequence_number
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
sequence_number
Specifies the sequence
number in the RTSP RTP-Info field to match.
sequence_number must
be an alphanumeric string of 0 through 65535 characters in Normal
Play Time (NPT) time format.
Usage:
Use this command to
define rule expressions to match user traffic matching the “seq” field in
the RTP-Info header of RTSP response for a PLAY request.
Example:
The following command
defines a rule expression to match user traffic based on RTP-seq number
npt-12:34:59:
rtsp rtp-seq = npt-12:34:59
rtsp rtp-time
This command allows
you to define rule expressions to match the “time” field
in RTP-Info header of RTSP responses.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp rtp-time operator time
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
time
Specifies the time
to match.
time must
be an alphanumeric string of 1 through 2147483647 characters in
Normal Play Time (NPT) time format.
Usage:
Use this command to
define rule expressions to match the “time” field
in the RTP-Info header of RTSP response for a PLAY request.
Example:
The following command
defines a rule expression to match RTP timestamp of
20120123T153600Z:
rtsp rtp-time = 20120123T153600Z
rtsp rtp-uri
This command allows
you to define rule expressions to match the URI field in the RTP-Info
header of RTSP responses.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp rtp-uri [ case-sensitive ] operator uri
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
uri
Specifies the value
to match with the URI in RTP-Info header of the RTSP message.
uri must
be an alphanumeric string of 1 through 127 characters. uri allows
punctuation characters and excludes the “host” portion.
Usage:
Use this command to
define rule expressions to match the URI field in the RTP-Info header
of the RTSP response for a PLAY request.
Example:
The following command
defines a rule expression to match user traffic based on RTP-URI string
rtsp://www.foo.com in
the RTP-info header of RTSP packet:
rtsp rtp-uri = rtsp://www.foo.com
rtsp session-id
This command allows
you to define rule expressions to match the session ID in RTSP messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp session-id [ case-sensitive ] operator session_id
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
session_id
Specifies the session
ID to match.
session_id must
be an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
define rule expressions to match the session ID in RTSP messages.
Example:
The following command
defines a rule expression to match the RTSP session ID
0123abc100:
rtsp session-id = 0123abc100
rtsp session-length
This command allows
you to define rule expressions to match the total length of RTSP
sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp session-length operator session_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
session_length
Specifies the RTSP
session length (in bytes) to match.
session_length must
be an integer from 1 through 40000000.
Usage:
Use this command to
define rule expressions to match the total length of RTSP sessions. That
is, the sum of the “rtsp pdu-length” values of
all relevant packets.
Example:
The following command
defines a rule expression to match RTSP session length of
3000000 bytes:
rtsp session-length = 3000000
rtsp state
This command allows
you to define rule expressions to match the current state of RTSP
sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp state operator current_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
current_state
Specifies the current
state to match.
current_state must
be one of the following:
- end
- init
- open
- play
- ready
- record
Usage:
Use this command to
define rule expressions to match the current state of RTSP sessions.
Example:
The following command
defines a rule expression to match RTSP current state
init:
rtsp state = init
rtsp uri
This command allows
you to define rule expressions to match URI in RTSP request message.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp uri [ case-sensitive ] operator uri
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
uri
Specifies the URI
to match.
uri must
be an alphanumeric string of 1 through 127 characters. uri allows
punctuation characters and excludes the “host” portion.
Usage:
Use this command to
define rule expressions to match URI in RTSP request.
Example:
The following command
defines a rule expression to match user traffic based on RTSP URI
rtsp://www.example.com:554/twister/audiotrack:
rtsp uri = rtsp://www.example.com:554/twister/audiotrack
rtsp uri sub-part
This command allows
you to define rule expressions to match user traffic by parsing
sub-parts of the URI in an RTSP request message.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp uri sub-part { { absolute-path | host | query } [ case-sensitive ] operator string | port { port_operator port_value | { range | !range } range_from to range_to } }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
absolute-path
Specifies the absolute
path matching criteria to RTSP URI in an RTSP request message.
host
Specifies the host
name matching criteria to RTSP URI in an RTSP request message.
query
Specifies the query
string matching criteria to RTSP URI in an RTSP request message.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
string
Specifies the absolute
path/host name or query string to match with the URI in
RTSP header.
string must
be an alphanumeric string of 1 through 127 characters. string allows
punctuation characters and excludes the “host” portion.
port
Specifies the port
related matching for RTSP URI in an RTSP request message.
port_operator
Specifies how to match.
port_operator must
be one of the following:
- !=:
Does not equal
- <=:
Lesser than or equals
- =:
Equals
- >=:
Greater than or equals
port_value
Specifies the RTSP
port number to match with port rule in the RTSP flow as an integer
from 0 through 65535.
{ range | !range } range_from to range_to
Enables or disables
the range criteria for RTSP flow ports.
- range: Enables
the range criteria for RTSP flow ports.
- !range:
Disables the range criteria for RTSP flow ports.
- range_from:
Specifies the start of range of RTSP flow ports as an integer from
0 through 65535, but less than or equal to range_to.
- range_to:
Specifies the end of range of RTSP flow ports as an integer from
0 through 65535, but more than or equal to range_from.
Usage:
Use this command to
define rule expressions to match URI sub parts like host, absolute path,
port, and query in RTSP request messages.
Example:
The following command
defines a URI sub part rule expression to analyze user traffic based on
an RTSP URI port number between
1023 and
1068:
rtsp uri sub-part port range 1023 to 1068
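A pre-deployment check for the rtsp uri sub-part syntax above, as an added example that is not part of the original reference or of the product. The function names, the default port 554 for URIs that name no port, reading !range as "outside the range", and the use of Python's urlsplit to pick out host, path and query are assumptions; how the device itself extracts and compares these fields is not specified on this page.

```python
from urllib.parse import urlsplit

# Operator sets and value limits as documented for "rtsp uri sub-part".
STRING_OPS = {"=", "!=", "contains", "!contains",
              "starts-with", "!starts-with", "ends-with", "!ends-with"}
PORT_OPS = {"=", "!=", "<=", ">="}
STRING_PARTS = {"absolute-path", "host", "query"}
DEFAULT_RTSP_PORT = 554  # assumption: used when the URI names no port


class RuleError(ValueError):
    """Raised when an expression violates the documented syntax or ranges."""


def _port(token):
    if not (token.isascii() and token.isdigit()) or int(token) > 65535:
        raise RuleError(f"port must be an integer from 0 through 65535: {token!r}")
    return int(token)


def parse_sub_part(line):
    """Parse one 'rtsp uri sub-part' expression into a dict, or raise RuleError."""
    toks = line.split()
    if toks[:1] == ["no"]:  # 'no' deletes an expression; the same syntax follows
        toks = toks[1:]
    if toks[:3] != ["rtsp", "uri", "sub-part"] or len(toks) < 4:
        raise RuleError("expected: rtsp uri sub-part <part> ...")
    part, rest = toks[3], toks[4:]
    if part in STRING_PARTS:
        case_sensitive = rest[:1] == ["case-sensitive"]
        if case_sensitive:
            rest = rest[1:]
        if len(rest) != 2 or rest[0] not in STRING_OPS:
            raise RuleError(f"{part} needs one of {sorted(STRING_OPS)} and a string")
        if not 1 <= len(rest[1]) <= 127:
            raise RuleError("string must be 1 through 127 characters")
        return {"part": part, "op": rest[0], "value": rest[1],
                "case_sensitive": case_sensitive}
    if part != "port":
        raise RuleError(f"unknown sub-part: {part!r}")
    if rest[:1] in (["range"], ["!range"]):
        if len(rest) != 4 or rest[2] != "to":
            raise RuleError("expected: port { range | !range } range_from to range_to")
        low, high = _port(rest[1]), _port(rest[3])
        if low > high:
            raise RuleError("range_from must be less than or equal to range_to")
        return {"part": "port", "op": rest[0], "value": (low, high)}
    if len(rest) != 2 or rest[0] not in PORT_OPS:
        raise RuleError(f"port needs one of {sorted(PORT_OPS)} and a port value")
    return {"part": "port", "op": rest[0], "value": _port(rest[1])}


def matches(rule, uri):
    """Evaluate a parsed rule against an RTSP request URI (assumed semantics)."""
    u = urlsplit(uri)
    op, want = rule["op"], rule["value"]
    if rule["part"] == "port":
        try:
            port = u.port if u.port is not None else DEFAULT_RTSP_PORT
        except ValueError:  # malformed port in the URI itself
            return False
        if op in ("range", "!range"):
            inside = want[0] <= port <= want[1]
            return inside if op == "range" else not inside
        return {"=": port == want, "!=": port != want,
                "<=": port <= want, ">=": port >= want}[op]
    if rule["part"] == "host":
        # Keep the URI's own case; urlsplit().hostname would lower-case it.
        have = u.netloc.rpartition("@")[2].partition(":")[0]
    else:
        have = u.path if rule["part"] == "absolute-path" else u.query
    if not rule["case_sensitive"]:  # documented default: not case-sensitive
        have, want = have.lower(), want.lower()
    hit = {"=": have == want, "contains": want in have,
           "starts-with": have.startswith(want),
           "ends-with": have.endswith(want)}[op.lstrip("!")]
    return hit != op.startswith("!")
```

Running candidate expressions through parse_sub_part before they go into a ruledef catches out-of-range ports and inverted ranges, and matches makes the effect of the case-insensitive default visible on sample URIs.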
rtsp user-agent
This command allows
you to define rule expressions to match the user-agent field in
RTSP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] rtsp user-agent [ case-sensitive ] operator user_agent
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
user_agent
Specifies the user
agent to match.
user_agent must
be an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
define rule expressions to match the “user-agent” field
in RTSP header.
Example:
The following command
defines a rule expression to match
test in “user-agent” field
of RTSP header:
rtsp user-agent = test
rule-application
This command allows
you to specify the purpose of a ruledef, such as for charging, post-processing,
routing, and so on.
Privilege:
Security Administrator,
Administrator
Syntax
rule-application { charging | post-processing | routing }
no rule-application
no
Disables the rule
application configuration.
charging
Specifies that the
current ruledef is for charging purposes.
Up to 2,048 rule definitions
can be defined for the charging application in an Active Charging
Service.
Default: Enabled
post-processing
IMPORTANT:
The post-processing keyword
is available only in 8.3 and later releases.
Specifies that the
current ruledef is for post-processing purposes. This enables processing
of packets even if the rule matching for them has been disabled.
routing
Specifies that the
current ruledef is for routing purposes. Up to 256 rule definitions
can be defined for routing in an Active Charging Service.
Default: Disabled
Usage:
Use this command to
specify the rule application for a rule definition.
If, when configuring
a ruledef, the rule-application is not specified, by default the
system configures the ruledef as a charging ruledef.
Example:
The following command
configures the rule application “charging” to
the current rule definition:
rule-application charging
sdp any-match
This command allows
you to define rule expressions to match all packets that contain
Session Description Protocol (SDP) descriptions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sdp any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all packets containing SDP descriptions.
Example:
The following command
defines a rule expression to match all packets containing SDP descriptions:
sdp any-match = TRUE
sdp connection-ip-address
This command allows
you to define rule expressions to match the IP address in the connection
field of SDP descriptions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sdp connection-ip-address operator ipv4_address
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
ipv4_address
Specifies the IP address
to match.
ipv4_address must
be in IPv4 dotted-decimal notation.
Usage:
Use this command to
define rule expressions to match IP address in the connection field
of SDP descriptions.
Example:
The following command
defines a rule expression to match the IP address
10.1.1.1 in
the connection field of SDP descriptions:
sdp connection-ip-address = 10.1.1.1
sdp media-audio-port
This command allows
you to define rule expressions to match media audio ports specified
in the media sections of SDP descriptions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sdp media-audio-port operator port
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
port
Specifies the port
number to match.
port must
be an integer from 0 through 65535.
Usage:
Use this command to
define rule expressions to match media audio ports specified in
the media sections of SDP descriptions.
Example:
The following command
defines a rule expression to match media audio port
100 in the
media sections of SDP descriptions:
sdp media-audio-port = 100
sdp media-video-port
This command allows
you to define rule expressions to match media video ports specified
in the media sections of SDP descriptions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sdp media-video-port operator port
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
port
Specifies the port
number to match.
port must
be an integer from 0 through 65535.
Usage:
Use this command to
define rule expressions to match media video ports specified in
the media sections of SDP descriptions.
Example:
The following command
defines a rule expression to match media video port
100 in the
media sections of SDP descriptions:
sdp media-video-port = 100
sdp uplink
This command allows
you to define rule expressions to match SDP descriptions in the
uplink (subscriber to network) direction.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sdp uplink operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
- FALSE: Is not uplink
- TRUE: Is uplink
Usage:
Use this command to
define rule expressions to match SDP descriptions in uplink direction.
Example:
The following command
defines a rule expression to match all SDP descriptions in the uplink
direction:
sdp uplink = TRUE
secure-http any-match
This command allows
you to define rule expressions to match all Secure HTTP (HTTPS)
packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] secure-http any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all Secure HTTP packets.
Example:
The following command
defines a rule expression to match all HTTPS packets:
secure-http any-match = TRUE
secure-http uplink
This command allows
you to define rule expressions to match uplink (subscriber to network)
HTTPS packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] secure-http uplink operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
- FALSE: Is not uplink
- TRUE: Is uplink
Usage:
Use this command to
define rule expressions to match uplink HTTPS packets.
Example:
The following command
defines a rule expression to match all uplink HTTPS packets:
secure-http uplink = TRUE
sip any-match
This command allows
you to define rule expressions to match all Session Initiation Protocol
(SIP) packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sip any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all SIP packets.
Example:
The following command
defines a rule expression to match all SIP packets:
sip any-match = TRUE
sip call-id
This command allows
you to define rule expressions to match the Call ID in SIP messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sip
call-id [ case-sensitive ] operator call_id
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
call_id
Specifies the call ID to match.
call_id must be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match the call ID in SIP messages.
Example:
The following command
defines a rule expression to match the call ID
test in
SIP messages:
sip call-id = test
sip content length
This command allows
you to define rule expressions to match the content-length field
in SIP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sip
content length operator content_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
content_length
Specifies the SIP
content length to match.
content_length must
be an integer from 0 through 65535.
Usage:
Use this command to
define rule expressions to match the content-length field in SIP headers.
Example:
The following command
defines a rule expression to match the content length
10000 in
SIP headers:
sip content length = 10000
sip content type
This command allows
you to define rule expressions to match the content type field in
SIP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sip
content type [ case-sensitive ] operator content_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
content_type
Specifies the content
type to match.
content_type must
be an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
define rule expressions to match the content type field in SIP headers.
Example:
The following command
defines a rule expression to match content type
download_string in
SIP headers:
sip content type = download_string
sip from
This command allows
you to define rule expressions to match the from field in SIP messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sip
from [ case-sensitive ] operator string
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
string
Specifies the value
to match.
string must
be an alphanumeric string of 1 through 127 characters, and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match the “from” field
in SIP messages.
Example:
The following command
defines a rule expression to match
test1 in
the “from” field in SIP messages:
sip from contains test1
sip previous-state
This command allows
you to define rule expressions to match previous state of SIP sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sip
previous-state operator sip_previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
sip_previous_state
Specifies the previous
state to match.
sip_previous_state must
be one of the following:
- init
- provisional-response
- request-sent
- response-fail
- response-ok
Usage:
Use this command to
define rule expressions to match a previous state of SIP sessions.
Example:
The following command
defines a rule expression to match user traffic based on the SIP previous
state of
request-sent:
sip previous-state = request-sent
sip reply code
This command allows
you to define rule expressions to match the reply code in SIP responses.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sip
reply code operator reply_code
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
reply_code
Specifies the SIP
reply code to match.
reply_code must
be an integer from 100 through 699.
Usage:
Use this command to
define rule expressions to match the reply code in SIP responses.
Example:
The following command
defines a rule expression to match
180 in the
reply code in SIP responses:
sip reply code = 180
sip request method
This command allows
you to define rule expressions to match the method in SIP requests.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sip
request method operator method
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
method
Specifies the SIP
method to match.
method must
be one of the following:
- ack
- bye
- cancel
- invite
- options
- register
Usage:
Use this command to
define rule expressions to match the method in SIP requests.
Example:
The following command
defines a rule expression to match the method
bye in SIP
request messages:
sip request method = bye
sip request packet
This command allows
you to define rule expressions to match all SIP request packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sip
request packet operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- =:
Equals
- !=:
Does not equal
condition
Specifies the condition
to match.
condition must
be one of the following:
- FALSE: Is
a response
- TRUE: Is
a request
Usage:
Use this command to
define rule expressions to match all SIP request packets.
Example:
The following command
defines a rule expression to match all SIP request packets:
sip request packet = TRUE
sip state
This command allows
you to define rule expressions to match current state of the SIP
session.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sip
state operator current_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
current_state
Specifies the current
state to match.
current_state must
be one of the following:
- ack-received
- provisional-response
- request-sent
- response-fail
- response-ok
Usage:
Use this command to
define rule expressions to match the current state of the SIP session.
Example:
The following command
defines a rule expression to match user traffic based on SIP current state
request-sent:
sip state = request-sent
sip to
This command allows
you to define rule expressions to match the “to” field
in SIP messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sip
to [ case-sensitive ] operator to_address
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
to_address
Specifies the “to” address/name
to match.
to_address must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match the “to” field
in SIP messages.
Example:
The following command
defines a rule expression to match
test1 in
the “to” field of SIP messages:
sip to contains test1
sip uri
This command allows
you to define rule expressions to match the URI in SIP messages.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] sip
uri [ sub-part { headers | host | parameters | port | userinfo } ] [ case-sensitive ] operator uri
no
If previously configured,
deletes the specified rule expression from the current ruledef.
sub-part { headers | host | parameters | port | userinfo }
This is an optional
keyword that defines what sub-part of a SIP URI to check.
- headers: Apply the rule to the SIP URI headers field.
- host: Apply the rule to the SIP URI host field.
- parameters: Apply the rule to the SIP URI parameters field.
- port: Apply the rule to the SIP URI port field.
- userinfo: Apply the rule to the SIP URI userinfo field.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
The string for sub-part
keyword port must
be an integer and requires different operators. Use the following
operators with the port keyword:
- !=:
Does not equal
- <=:
Is less than
- =:
Equals
- >=:
Is greater than
uri
Specifies the SIP
URI to match.
uri must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
The string for sub-part
keyword port must
be an integer from 0 through 65535.
Usage:
Use this command to
define rule expressions to match the URI in SIP messages.
Example:
The following command
defines a rule expression to match the URI string
sip:10.1.1.1:5060 in
SIP messages:
sip uri = sip:10.1.1.1:5060
The following command
defines a rule expression to match the URI string
sip:nnnn@host:5060;user=phone in
SIP messages:
sip uri = sip:nnnn@host:5060;user=phone
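The sub-part keywords and operators described for sip uri, modelled on the RFC 3261 layout `sip:userinfo@host:port;parameters?headers`. This is an added example, not Cisco's matching code; the function names, the inclusive reading of `<=` and `>=`, and the treatment of a URI with no explicit port are assumptions.

```python
# Added illustration, not Cisco's implementation. The URI is split using the
# RFC 3261 layout  sip:userinfo@host:port;parameters?headers
STRING_OPERATORS = ("!=", "!contains", "!ends-with", "!starts-with",
                    "=", "contains", "ends-with", "starts-with")
PORT_OPERATORS = ("!=", "<=", "=", ">=")
SUB_PARTS = ("headers", "host", "parameters", "port", "userinfo")


def split_sip_uri(uri):
    """Split a sip: or sips: URI into the five sub-parts the command names."""
    scheme, colon, rest = uri.partition(":")
    if not colon or scheme.lower() not in ("sip", "sips"):
        raise ValueError("not a SIP URI: %r" % uri)
    # "@" cannot appear unescaped in userinfo, so the first one ends it.
    # userinfo may itself contain ";" and "?", so it is removed first.
    userinfo = ""
    if "@" in rest:
        userinfo, _, rest = rest.partition("@")
    rest, _, headers = rest.partition("?")
    hostport, _, parameters = rest.partition(";")
    if hostport.startswith("["):            # bracketed IPv6 literal
        host, _, tail = hostport.partition("]")
        host += "]"
        port = tail[1:] if tail.startswith(":") else ""
    else:
        host, _, port = hostport.partition(":")
    return {"userinfo": userinfo, "host": host, "port": port,
            "parameters": parameters, "headers": headers}


def match_sip_uri(uri, operator, pattern, sub_part=None, case_sensitive=False):
    """Evaluate one 'sip uri' rule expression against a URI string."""
    if sub_part is not None and sub_part not in SUB_PARTS:
        raise ValueError("unknown sub-part: %r" % sub_part)
    allowed = PORT_OPERATORS if sub_part == "port" else STRING_OPERATORS
    if operator not in allowed:
        raise ValueError("operator %r is not valid here" % operator)
    negate = operator.startswith("!")
    op = operator[1:] if negate else operator

    if sub_part == "port":
        wanted = int(pattern)
        if not 0 <= wanted <= 65535:
            raise ValueError("port must be 0 through 65535")
        actual = split_sip_uri(uri)["port"]
        # Assumption: a URI with no explicit port satisfies only "!=".
        # "<=" and ">=" are evaluated inclusively.
        hit = actual.isdecimal() and {"=": int(actual) == wanted,
                                      "<=": int(actual) <= wanted,
                                      ">=": int(actual) >= wanted}[op]
        return bool(hit) != negate

    pattern = str(pattern)
    if not 1 <= len(pattern) <= 127:
        raise ValueError("pattern must be 1 through 127 characters")
    value = uri if sub_part is None else split_sip_uri(uri)[sub_part]
    if not case_sensitive:                  # the documented default
        value, pattern = value.lower(), pattern.lower()
    hit = {"=": value == pattern,
           "contains": pattern in value,
           "starts-with": value.startswith(pattern),
           "ends-with": value.endswith(pattern)}[op]
    return hit != negate

# Constructed URI: "sip:10.1.1.1@198.51.100.7:5060" carries 10.1.1.1 in
# userinfo, so a whole-URI "contains 10.1.1.1" expression matches it while
# "sub-part host = 10.1.1.1" does not.
```

When a rule is meant to key on one component, scoping it with sub-part avoids matching the same string in another component of the URI.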
smtp any-match
This command allows
you to define rule expressions to match all Simple Mail Transfer
Protocol (SMTP) packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] smtp
any-match operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all SMTP packets.
Example:
The following command
defines a rule expression to match all SMTP packets:
smtp any-match = TRUE
smtp command arguments
This command allows
you to define rule expressions to match SMTP command arguments.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] smtp
command arguments [ case-sensitive ] operator argument
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
argument
Specifies the command
argument to match.
argument must
be an alphanumeric string of 1 through 63 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match SMTP command arguments.
Example:
The following command
defines a rule expression to match SMTP command argument
test:
smtp command arguments = test
smtp command id
This command allows
you to define rule expressions to match SMTP command IDs.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] smtp
command id operator command_id
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
command_id
Specifies the command
argument to match.
command_id must
be an integer from 0 through 10.
Usage:
Use this command to
define rule expressions to match SMTP command IDs.
Example:
The following command
defines a rule expression to match SMTP command ID
8:
smtp command id = 8
smtp command name
This command allows
you to define rule expressions to match commands sent in SMTP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] smtp
command name operator command_name
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
command_name
Specifies the command
name to match.
command_name must
be one of the following:
- bdat
- data
- ehlo
- expn
- helo
- mail-from
- noop
- quit
- rcpt-to
- rset
- vrfy
Usage:
Use this command to
define rule expressions to match commands sent in SMTP packets.
Example:
The following command
defines a rule expression to match
data command
in SMTP packets:
smtp command name = data
smtp mail-size
This command allows
you to define rule expressions to match the size of mail sent by
an SMTP client.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] smtp
mail-size { operator mail_size | { { range | !range } range_from to range_to } }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
mail_size
Specifies the mail
size (in bytes) to match.
mail_size must
be an integer from 1 through 40000000.
{ range | !range } range_from to range_to
Enables or disables
the range criteria.
- range: Enables
the range criteria.
- !range:
Disables the range criteria.
- range_from:
Specifies the start of range as an integer from 1 through 40000000.
- range_to:
Specifies the end range. range_to must
be an integer from 1 through 40000000, and must be greater than range_from.
Usage:
Use this command to
define rule expressions to match the size of mail sent by an SMTP client.
Example:
The following command
defines a rule expression to match mail size of
40000 bytes:
smtp mail-size = 40000
smtp pdu-length
This command allows
you to define rule expressions to match the Protocol Data Unit (PDU)
length of SMTP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] smtp
pdu-length { operator pdu_length | { { range | !range } range_from to range_to } }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
pdu_length
Specifies the SMTP
PDU length (in bytes) to match.
pdu_length must
be an integer from 1 through 65535.
{ range | !range } range_from to range_to
Enables or disables
the range criteria.
- range: Enables
the range criteria.
- !range:
Disables the range criteria.
- range_from:
Specifies the start of range as an integer from 1 through 65535.
- range_to:
Specifies the end range. range_to must
be an integer from 1 through 65535, and must be greater than range_from.
Usage:
Use this command to
define rule expressions to match the PDU length of SMTP packets, that is,
headers plus payload.
Example:
The following command
defines a rule expression to match a PDU length of
1600 bytes:
smtp pdu-length = 1600
smtp previous-state
This command allows
you to define rule expressions to match previous state of SMTP command
sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] smtp
previous-state operator smtp_previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
smtp_previous_state
Specifies the previous
state to match.
smtp_previous_state must
be one of the following:
- close: Closed
state
- init: Initialized
state
- response-error:
Reply error state
- response-ok:
Response ok state
- waiting-for-response:
Waiting for response state
Usage:
Use this command to
define rule expressions to match a previous state of SMTP command sessions.
Example:
The following command
defines a rule expression to match user traffic based on SMTP previous
state
close:
smtp previous-state = close
smtp recipient
This command allows
you to define rule expressions to match the recipient e-mail ID
in the current SMTP transaction.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] smtp
recipient [ case-sensitive ] operator argument
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
argument
Specifies the response
argument to match.
argument must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match the recipient e-mail ID in the current
SMTP transaction.
Example:
The following command
defines a rule expression to match recipient e-mail ID containing
test in
the current SMTP transaction:
smtp recipient contains test
smtp reply arguments
This command allows
you to define rule expressions to match the arguments within SMTP
responses.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] smtp
reply arguments [ case-sensitive ] operator argument
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
argument
Specifies the reply
argument to match.
argument must
be an alphanumeric string of 1 through 63 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match the arguments within SMTP responses.
Example:
The following command
defines a rule expression to match reply argument
forward-path in
SMTP response:
smtp reply arguments = forward-path
smtp reply id
This command allows
you to define rule expressions to match reply ID assigned to SMTP
responses.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] smtp
reply id operator
reply_id
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
reply_id
Specifies the reply
ID to match.
reply_id must
be one of the following:
- 0: +NO reply
- 1: +OK reply
- 2: -ERR reply
Usage:
Use this command to
define rule expressions to match the reply ID assigned to SMTP responses.
Example:
The following command
defines a rule expression to match reply ID
2 assigned
to SMTP response:
smtp reply id = 2
smtp reply status
This command allows
you to define rule expressions to match the reply status in SMTP
packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] smtp
reply status operator reply_status
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
reply_status
Specifies the SMTP
reply status to match.
reply_status must
be one of the following:
- +OK:
Response OK
- -ERR: Response
error
Usage:
Use this command to
define rule expressions to match reply status in SMTP packets.
Example:
The following command
defines a rule expression to match reply status
+OK in
SMTP packets:
smtp reply status = +OK
smtp sender
This command allows
you to define rule expressions to match sender e-mail ID in the
current SMTP transaction.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] smtp
sender [ case-sensitive ] operator sender
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
sender
Specifies the sender
value to match.
sender must
be an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
define rule expressions to match sender e-mail ID in the current SMTP
transaction.
Example:
The following command
defines a rule expression to match sender e-mail ID containing
test in
the current SMTP transaction:
smtp sender contains test
smtp session-length
This command allows
you to define rule expressions to match total length of SMTP sessions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] smtp
session-length { operator session_length | { range | !range } range_from to range_to }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
session_length
Specifies the session
length to match.
session_length must
be an integer from 1 through 40000000.
{ range | !range } range_from to range_to
Enables or disables
the range criteria.
- range: Enables
the range criteria.
- !range:
Disables the range criteria.
- range_from:
Specifies the start of range as an integer from 1 through 40000000.
- range_to:
Specifies the end range. range_to must
be an integer from 1 through 40000000, and must be greater than range_from.
Usage:
Use this command to
define rule expressions to match total length of SMTP session.
Example:
The following command
defines a rule expression to match SMTP session length of
4000000:
smtp session-length = 4000000
smtp state
This command allows
you to define rule expressions to match the current state of an SMTP
command session.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] smtp
state operator current_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
current_state
Specifies the current
state to match.
current_state must
be one of the following:
- close: Closed
state
- init: Initialized
state
- response-error:
Response of error state
- response-ok:
Response of ok state
- waiting-for-response:
Waiting for response state
Usage:
Use this command to
define rule expressions to match current state of SMTP command session.
Example:
The following command
defines a rule expression to match current state as
close of
SMTP command session:
smtp state = close
tcp analyzed out-of-order
This command allows
you to define rule expressions to determine whether a received
TCP packet arrived before all of the earlier sequenced packets
had been received. The expression indicates whether the packet
was analyzed or discarded because the earlier sequenced packet(s)
were not received before a timeout expired.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
analyzed out-of-order operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
- FALSE: Not
analyzed
- TRUE: Analyzed
Usage:
This command is used
to set the status flag to ‘analyzed’ or ‘not
analyzed’ for all TCP packets that are received at the ACSMgr/SessMgr
before their earlier sequenced packets.
When a packet reaches the
ACSMgr/SessMgr before earlier packet(s), it and subsequent packets
are buffered at the ACSMgr/SessMgr as TCP out-of-order packets,
and the ACSMgr/SessMgr waits for the missing packet(s) until the
time-out duration expires. If the packet(s) with the missing sequence
number(s) arrive within the time-out duration, all buffered packets
with the correct sequence are presented to the upper layers (HTTP
etc.) for analysis; otherwise, the buffered TCP out-of-order packets
are sent to charging with the analysis-done flag set at the TCP/IP
layer only.
If this command is
enabled, the TCP out-of-order packets are marked and sent to the TCP analyzer
as analyzed for charging action; otherwise they are discarded.
Example:
The following command
sets to analyze TCP out-of-order packets:
tcp analyzed out-of-order = TRUE
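The buffering behaviour described in the Usage text, simulated over a constructed segment trace so the share of traffic that skips upper-layer (HTTP etc.) analysis can be measured. This is an added example, not ACSMgr/SessMgr code; the timeout value, the disposition names and the resynchronisation after a timeout are assumptions.

```python
# Added illustration of the buffering described above; not the ACSMgr code.
# Assumptions: the timeout value, byte-based sequence numbers without
# wrap-around, and resynchronising past released data after a timeout.
UPPER = "upper-layer"                    # in order, passed to upper layers
REORDERED = "upper-layer-after-reorder"  # buffered, gap filled in time
TCP_ONLY = "tcp-layer-only"              # gap not filled before the timeout
STALE = "late-or-retransmitted"          # data before the current position

# Constructed trace: (arrival_time_seconds, sequence_number, payload_length)
SAMPLE = [(0.0, 0, 100), (0.1, 200, 100), (0.2, 100, 100),
          (1.0, 400, 100), (1.1, 500, 100), (4.0, 300, 100)]


def classify_segments(segments, timeout, first_seq=0):
    """Return (seq, disposition) pairs in the order decisions are made."""
    expected = first_seq
    buffered = {}       # seq -> length of segments waiting behind a gap
    deadline = None     # time at which the oldest open gap expires
    decisions = []

    def release_as_tcp_only():
        nonlocal expected, deadline
        for seq in sorted(buffered):
            decisions.append((seq, TCP_ONLY))
            expected = max(expected, seq + buffered[seq])
        buffered.clear()
        deadline = None

    for arrival, seq, length in segments:
        if deadline is not None and arrival > deadline:
            release_as_tcp_only()
        if seq == expected:
            decisions.append((seq, UPPER))
            expected += length
            while expected in buffered:      # drain what is now contiguous
                decisions.append((expected, REORDERED))
                expected += buffered.pop(expected)
            if not buffered:
                deadline = None
        elif seq > expected:
            buffered[seq] = length           # out of order: hold and wait
            if deadline is None:
                deadline = arrival + timeout
        else:
            decisions.append((seq, STALE))
    release_as_tcp_only()                    # trace ended with gaps open
    return decisions


def tcp_only_share(segments, timeout):
    """Fraction of payload bytes that never reached upper-layer analysis."""
    lengths = {seq: length for _, seq, length in segments}
    decisions = classify_segments(segments, timeout)
    missed = sum(lengths[seq] for seq, d in decisions if d == TCP_ONLY)
    total = sum(lengths.values())
    return missed / total if total else 0.0
```

Segments that end up in the tcp-layer-only class are never seen by ruledefs that match on upper-layer fields, so a rising share is worth tracking alongside rules built on this expression.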
tcp any-match
This command allows
you to define rule expressions to match all TCP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
any-match operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
- FALSE: Not
analyzed
- TRUE: Analyzed
Usage:
Use this command to
define rule expressions to match all TCP packets.
Example:
The following command
defines a rule expression to match all TCP packets:
tcp any-match = TRUE
tcp connection-initiator
This command allows
you to define rule expressions to match the TCP connection initiator.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
connection-initiator operator subscriber
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
subscriber
Specifies that the
connection is being initiated by the subscriber.
Usage:
Use this command to
define rule expressions to match the TCP connection initiator, and
to allow the operator to differentiate whether the connection is initiated
by the subscriber or the subscriber is acting as a Transaction Control
Server (TCS).
Example:
The following command
defines a rule expression to match user traffic based on TCP connection
initiator
subscriber:
tcp connection-initiator = subscriber
tcp downlink
This command allows
you to define rule expressions to match downlink (network to subscriber)
TCP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
downlink operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match downlink (to subscriber) TCP packets.
Example:
The following command
defines a rule expression to match downlink TCP packets:
tcp downlink = TRUE
tcp dst-port
This command allows
you to define rule expressions to match destination port number
in TCP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
port_number
Specifies the port
number to match.
port_number must
be an integer from 1 through 65535.
range | !range
Specifies the range
criteria:
- !range:
Not in the range
- range: In
the range
start_range to end_range
Specifies the starting
and ending port numbers for the range of destination TCP ports.
- start_range must
be an integer from 1 through 65535.
- end_range must
be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map_name
Specifies the port
map for the port range. port_map_name must be
an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
define rule expressions to match destination port number in TCP headers.
Example:
The following command
defines a rule expression to match destination port number
10 in TCP
headers:
tcp dst-port = 10
tcp duplicate
This command allows
you to define rule expressions to match TCP retransmissions.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
duplicate operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
- FALSE: Not
duplicated/retransmitted
- TRUE: Duplicated/retransmitted
Usage:
Use this command to
specify rule expressions to match TCP retransmission.
Example:
The following command
defines a rule expression to match TCP retransmissions:
tcp duplicate = TRUE
tcp either-port
This command allows
you to define rule expressions to match either a destination or
source port number in TCP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=: Does not equal
- <=: Less than or equal to
- =: Equals
- >=: Greater than or equal to
port_number
Specifies the port
number to match.
port_number must
be an integer from 1 through 65535.
range | !range
Specifies the range
criteria:
- !range:
Not in the range
- range: In
the range
start_range to end_range
Specifies the starting
and ending port numbers for the port range.
- start_range must
be an integer from 1 through 65535.
- end_range must
be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map_name
Specifies the port
map for the port range. port_map_name must be
an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
define rule expressions to match either a destination or source
port number in TCP headers.
This command expression
allows you to create a single ruledef using either-port, rather than
needing two ruledefs (one with dst-port and one with src-port).
Example:
The following command
defines a rule expression to match destination/source port
number
10 in
TCP header:
tcp either-port = 10
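The port expressions above all share one grammar and the same value limits, so they can be checked before a configuration is pushed. The following is an added example, not vendor tooling: it validates tcp/udp src-port, dst-port and either-port lines against the limits stated in this reference. The function names and sample lines are hypothetical.

```python
import re

# Limits below are the ones stated in this reference. The function names are
# hypothetical: this is an added example, not vendor tooling.
PORT_OPERATORS = {"!=", "<=", "=", ">="}
PORT_FIELDS = {"src-port", "dst-port", "either-port"}
PORT_MAP_NAME = re.compile(r"[A-Za-z0-9]{1,63}")


def _port(token):
    """Return the token as an int when it is a port in 1..65535, else None."""
    if re.fullmatch(r"[0-9]{1,5}", token) and 1 <= int(token) <= 65535:
        return int(token)
    return None


def check_port_expression(line):
    """Return a list of problems found in one tcp/udp port rule expression."""
    tokens = line.split()
    if tokens[:1] == ["no"]:          # the "no" form takes the same arguments
        tokens = tokens[1:]
    if len(tokens) < 4:
        return ["incomplete expression"]
    proto, field, *args = tokens
    if proto not in ("tcp", "udp"):
        return [f"unsupported protocol {proto!r}"]
    if field not in PORT_FIELDS:
        return [f"unsupported field {field!r}"]

    problems = []
    if args[0] in ("range", "!range"):
        if args[1] == "port-map":
            if len(args) != 3 or not PORT_MAP_NAME.fullmatch(args[2]):
                problems.append("port_map_name must be 1-63 alphanumeric characters")
        elif len(args) == 4 and args[2] == "to":
            start, end = _port(args[1]), _port(args[3])
            if start is None:
                problems.append("start_range must be an integer from 1 through 65535")
            if end is None:
                problems.append("end_range must be an integer from 1 through 65535")
            if start is not None and end is not None and end <= start:
                problems.append("end_range must be greater than start_range")
        else:
            problems.append("expected 'start_range to end_range' or 'port-map port_map_name'")
    elif len(args) != 2:
        problems.append("expected 'operator port_number'")
    else:
        if args[0] not in PORT_OPERATORS:
            problems.append(f"operator {args[0]!r} is not one of != <= = >=")
        if _port(args[1]) is None:
            problems.append("port_number must be an integer from 1 through 65535")
    return problems


# Constructed sample lines (not taken from a real configuration).
SAMPLE = [
    "tcp either-port = 10",
    "udp dst-port range 1024 to 65535",
    "tcp src-port range 2000 to 2000",   # end_range equals start_range
    "tcp dst-port = 0",                  # port 0 is outside 1..65535
    "udp src-port contains 53",          # string operator on a port field
]


def lint(lines):
    """Map each rejected line to its list of problems."""
    report = {}
    for line in lines:
        problems = check_port_expression(line)
        if problems:
            report[line] = problems
    return report


if __name__ == "__main__":
    for line, problems in lint(SAMPLE).items():
        print(f"{line}: {'; '.join(problems)}")
```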
tcp error
This command allows
you to define rule expressions to identify errors, either in the
packet (for example, TCP checksum error) or in the TCP analyzer's
Finite State Machine (FSM).
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
error operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define a rule expression to identify errors, either in the packet
(for example, TCP checksum error) or in the TCP analyzer's FSM.
Example:
The following command
defines a rule expression to match TCP errors:
tcp error = TRUE
tcp flag
This command allows
you to define rule expressions to match a bit within the flag field
of TCP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
flag operator flag
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !contains:
Does not contain
- contains:
Contains
- !=:
Does not equal
- =:
Equals
flag
Specifies the flag
value to match.
flag must
be one of the following:
- ack: TCP
FLAG ACK
- fin: TCP
FLAG FIN
- push: TCP
FLAG PUSH
- reset: TCP
FLAG RESET
- syn: TCP
FLAG SYN
Usage:
Use this command to
define rule expressions to match a bit within the flag field of
TCP headers.
Example:
The following command
defines a rule expression to match
reset within
the flag field of TCP headers:
tcp flag = reset
tcp initial-handshake-lost
This command allows
you to define rule expressions to match data packets when there
has been no TCP handshaking to establish TCP connection.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
initial-handshake-lost operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match data packets when there has been
no TCP handshaking to establish TCP connection.
Example:
The following command
defines a rule expression to identify a TCP flow where the initial handshake
was not seen:
tcp initial-handshake-lost = TRUE
tcp payload
This command allows
you to define rule expressions to match hexadecimal or ASCII string
content in the payload protocol-signature field of the TCP payload.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
payload starts-with { hex-signature hex_string | string-signature string }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
hex-signature hex_string
Specifies hexadecimal
protocol signature in payload field.
hex_string must
be a dash-delimited list of hex data of size smaller than 32.
string-signature string
Specifies protocol
signature in payload field.
string must
be an alphanumeric string of 1 through 32 characters.
Usage:
Use this command to
define rule expressions to match hex/ASCII string content
in payload protocol-signature field.
This rule expression
is useful for detecting certain applications.
Example:
The following command
defines a rule expression to identify user traffic based on TCP protocol
signature
tcp1:
tcp payload starts-with string-signature tcp1
tcp payload-length
This command allows
you to define rule expressions to match the length of a TCP payload.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
payload-length operator payload_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
payload_length
Specifies the TCP
payload length to match.
payload_length must
be an integer from 0 through 40000000.
Usage:
Use this command to
define rule expressions to match length of TCP payload, excluding the
TCP or lower layer headers.
To match TCP control
packets configure a payload-length of 0 (zero).
Example:
The following command
defines a rule expression to match TCP payload length of
10000:
tcp payload-length = 10000
tcp previous-state
This command allows
you to define rule expressions to match the previous state of TCP connections.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
previous-state operator tcp_previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
tcp_previous_state
Specifies the previous
state to match.
tcp_previous_state must
be one of the following:
- close
- close-wait
- closing
- established
- fin-wait1
- fin-wait2
- last-ack
- listen
- syn-received
- syn-sent
- time-wait
Usage:
Use this command to
define rule expressions to match a TCP previous state.
Example:
The following command
defines a rule expression to match user traffic based on previous state
time-wait:
tcp previous-state = time-wait
tcp proxy-prev-state
This command allows
you to define rule expressions to match TCP previous state on the
ingress side of the TCP proxy.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
proxy-prev-state operator previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
previous_state
Specifies the previous
state to match.
previous_state must
be one of the following:
- close
- close-wait
- closing
- established
- fin-wait1
- fin-wait2
- last-ack
- listen
- syn-received
- syn-sent
- time-wait
Usage:
If there is no TCP
proxy configured, this configuration is not applicable.
For proxy-enabled flows,
TCP state handling interprets the ingress side as the radio side and
the egress side as the Internet side of the TCP connection.
tcp state and tcp prev-state give
the state of the client stack, which is either the state of
the subscriber's stack (if the flow is not proxy-enabled) or the MS
state of the proxy on the egress-side (if the flow is proxy-enabled).
tcp proxy-state and tcp proxy-prev-state give
the state of the embedded TCP proxy server, that is, the proxy ingress-side.
So, depending on the
use case, an existing configuration that uses tcp state and tcp
prev-state may work fine regardless
of whether proxy is enabled. For other use cases, other ruledefs
may have to be created.
Both tcp state and tcp proxy-state can
be used in the same ruledef. If a proxy is being used, they
map to the egress-side and ingress-side, respectively. If a proxy
is not being used, the ruledef does not match because the proxy
state is not applicable.
Example:
The following command
defines a rule expression to match user traffic based on TCP proxy previous
state of established:
tcp proxy-prev-state = established
tcp proxy-state
This command allows
you to define rule expressions to match the TCP state on the ingress
side of the TCP proxy.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
proxy-state operator
state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
state
Specifies the state
to match.
state must
be one of the following:
- close
- close-wait
- closing
- established
- fin-wait1
- fin-wait2
- last-ack
- listen
- syn-received
- syn-sent
- time-wait
Usage:
If there is no TCP
proxy configured, this configuration is not applicable.
For proxy-enabled flows,
TCP state handling interprets the ingress side as the radio side and
the egress side as the Internet side of the TCP connection.
tcp state and tcp prev-state give
the state of the client stack, which is either the state of
the subscriber's stack (if the flow is not proxy-enabled) or the MS
state of the proxy on the egress-side (if the flow is proxy-enabled).
tcp proxy-state and tcp proxy-prev-state give
the state of the embedded TCP proxy server, that is, the proxy ingress-side.
So, depending on the
use case, an existing configuration that uses tcp state and tcp
prev-state may work fine regardless
of whether proxy is enabled. For other use cases, other ruledefs
may have to be created.
Both tcp state and tcp proxy-state can
be used in the same ruledef. If a proxy is being used, they
map to the egress-side and ingress-side, respectively. If a proxy
is not being used, the ruledef does not match because the
proxy state is not applicable.
Example:
The following command
defines a rule expression to match user traffic based on TCP proxy
state of established:
tcp proxy-state = established
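The mapping described in the Usage text for tcp proxy-state and tcp proxy-prev-state can be modelled to see which ruledefs stop matching when a flow has no TCP proxy. This is an added example, not vendor code: the Flow class, the ruledef names and the sample flows are hypothetical, and it assumes that every expression in a ruledef must match and that a non-applicable proxy state fails the expression whatever the operator.

```python
from dataclasses import dataclass
from typing import Optional

TCP_STATES = {
    "close", "close-wait", "closing", "established", "fin-wait1", "fin-wait2",
    "last-ack", "listen", "syn-received", "syn-sent", "time-wait",
}
PROXY_FIELDS = {"proxy-state", "proxy-prev-state"}


@dataclass
class Flow:
    """Hypothetical view of one TCP flow as the rule expressions see it."""
    state: str                               # subscriber stack, or proxy egress side
    previous_state: str
    proxy_state: Optional[str] = None        # proxy ingress side; None = no proxy
    proxy_prev_state: Optional[str] = None


def _value(flow, field):
    """Return the state that a given expression field reads from the flow."""
    return {
        "state": flow.state,
        "previous-state": flow.previous_state,
        "proxy-state": flow.proxy_state,
        "proxy-prev-state": flow.proxy_prev_state,
    }[field]


def expression_matches(flow, expression):
    """Evaluate one 'tcp <field> <operator> <state>' expression against a flow."""
    proto, field, operator, wanted = expression.split()
    if proto != "tcp" or operator not in ("=", "!=") or wanted not in TCP_STATES:
        raise ValueError(f"unsupported expression: {expression}")
    actual = _value(flow, field)
    if actual is None:
        # No proxy on this flow: the proxy state is not applicable, so the
        # expression cannot match (assumed to hold for "!=" as well).
        return False
    return (actual == wanted) == (operator == "=")


def ruledef_matches(flow, expressions):
    """Assumption: every expression in the ruledef has to match."""
    return all(expression_matches(flow, e) for e in expressions)


def proxy_dependent(ruledefs):
    """Names of ruledefs that can only ever match proxy-enabled flows."""
    return sorted(
        name for name, expressions in ruledefs.items()
        if any(e.split()[1] in PROXY_FIELDS for e in expressions)
    )


# Constructed sample data (not taken from a real configuration or capture).
RULEDEFS = {
    "rd-established": ["tcp state = established"],
    "rd-both-sides": ["tcp state = established", "tcp proxy-state = established"],
}
# No proxy: "state" is the subscriber's own stack.
DIRECT = Flow(state="established", previous_state="syn-sent")
# Proxy accepted the subscriber (ingress established) but is still
# connecting towards the Internet side (egress syn-sent).
PROXIED_CONNECTING = Flow("syn-sent", "close", "established", "syn-received")
# Both sides of the proxy are established.
PROXIED_UP = Flow("established", "syn-sent", "established", "syn-received")

if __name__ == "__main__":
    for label, flow in [("direct", DIRECT), ("proxied, connecting", PROXIED_CONNECTING),
                        ("proxied, up", PROXIED_UP)]:
        hits = [n for n, e in RULEDEFS.items() if ruledef_matches(flow, e)]
        print(f"{label}: {hits}")
    print("proxy-dependent ruledefs:", proxy_dependent(RULEDEFS))
```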
tcp session-length
This command allows
you to define rule expressions to match the total length of a TCP
session.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
session-length operator session_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
session_length
Specifies the TCP
session length (in bytes) to match.
session_length must
be an integer from 0 through 4000000000.
Usage:
Use this command to
define rule expressions to match the total length of a TCP session.
The session-length
is calculated by adding together the TCP payload-length values of
all relevant packets.
Example:
The following command
defines a rule expression to match user traffic based on TCP session
length of
2000 bytes:
tcp session-length = 2000
tcp src-port
This command allows
you to define rule expressions to match a source port number in
TCP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
port_number
Specifies the port
number to match.
port_number must
be an integer from 1 through 65535.
range | !range
Specifies the range
criteria:
- !range:
Not in the range
- range: In
the range
start_range to end_range
Specifies the starting
and ending port numbers for the port range.
- start_range must
be an integer from 1 through 65535.
- end_range must
be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map_name
Specifies the port
map for the port range. port_map_name must be
an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
define rule expressions to match a source port number in TCP headers.
Example:
The following command
defines a rule expression to analyze user traffic matching TCP source
port
10:
tcp src-port = 10
tcp state
This command allows
you to define rule expressions to match the current state of TCP connections.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
state operator current_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
current_state
Specifies the current
state to match.
current_state must
be one of the following:
- close
- close-wait
- closing
- established
- fin-wait1
- fin-wait2
- last-ack
- listen
- syn-received
- syn-sent
- time-wait
Usage:
Use this command to
define rule expressions to match the current state of TCP connections.
Example:
The following command
defines a rule expression to match user traffic based on current state
close:
tcp state = close
tcp uplink
This command allows
you to define rule expressions to match uplink (subscriber to network)
TCP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
uplink operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match uplink TCP packets.
Example:
The following command
defines a rule expression to match uplink TCP packets:
tcp uplink = TRUE
tftp any-match
This command allows
you to define rule expressions to match all Trivial File Transfer
Protocol (TFTP) packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tftp
any-match operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
- FALSE: Not
analyzed
- TRUE: Analyzed
Usage:
Use this command to
define rule expressions to match all TFTP packets.
Example:
The following command
defines a rule expression to match all TFTP packets:
tftp any-match = TRUE
tftp data-any-match
This command allows
you to define rule expressions to match all TFTP data packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tftp
data-any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
- FALSE: Not
analyzed
- TRUE: Analyzed
Usage:
Use this command to
define rule expressions to match all TFTP data packets.
Example:
The following command
defines a rule expression to match all TFTP data packets:
tftp data-any-match = TRUE
udp any-match
This command allows
you to define rule expressions to match all UDP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] udp
any-match operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all UDP packets.
Example:
The following command
defines a rule expression to match all UDP packets:
udp any-match = TRUE
udp downlink
This command allows
you to define rule expressions to match downlink (network to subscriber)
UDP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] udp
downlink operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match downlink UDP packets.
Example:
The following command
defines a rule expression to match downlink UDP packets:
udp downlink = TRUE
udp dst-port
This command allows
you to define rule expressions to match destination port number
in UDP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] udp
dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
port_number
Specifies the port
number to match.
port_number must
be an integer from 1 through 65535.
!range | range
Specifies the range
criteria.
- !range:
Not in the range
- range: In
the range
start_range to end_range
Specifies the starting
and ending port numbers for the port range.
- start_range must
be an integer from 1 through 65535.
- end_range must
be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map_name
Specifies the port
map for the port range. port_map_name must be
an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
define rule expressions to match destination port number in UDP headers.
Example:
The following command
defines a rule expression to match user traffic based on destination port
number
10:
udp dst-port = 10
udp either-port
This command allows
you to define rule expressions to match either a destination or
source port number in UDP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] udp
either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
port_number
Specifies the port
number to match.
port_number must
be an integer from 1 through 65535.
!range | range
Specifies the range
criteria.
- !range:
Not in the range
- range: In
the range
start_range to end_range
Specifies the starting
and ending port numbers for the port range.
start_range must
be an integer from 1 through 65535.
end_range must
be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map_name
Specifies the port
map for the port range. port_map_name must be
an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
define rule expressions to match either destination or source port number
in UDP headers.
Example:
The following command
defines a rule expression to match user traffic based on either
source or destination port number
10:
udp either-port = 10
udp payload starts-with
This command allows
you to define rule expressions to match hex/ASCII string content
in UDP payload protocol-signature field.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] udp
payload starts-with { hex-signature hex_string | string-signature string }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
hex-signature hex_string
Specifies hexadecimal
protocol signature in payload field.
hex_string must
be a dash-delimited list of hex data of size smaller than 32.
string-signature string
Specifies protocol
signature in payload field.
string must
be an alphanumeric string of 1 through 32 characters.
Usage:
Use this command to
define rule expressions to match hex/ASCII string content
in UDP payload protocol-signature field.
This rule expression
is useful for detecting certain applications.
Example:
The following command
defines a UDP rule expression to analyze user traffic based on UDP protocol
signature
udp1:
udp payload starts-with string-signature udp1
udp src-port
This command allows
you to define rule expressions to match source port number in UDP
headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] udp
src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
port_number
Specifies the port
number to match.
port_number must
be an integer from 1 through 65535.
!range | range
Specifies the range
criteria.
- !range:
Not in the range
- range: In
the range
start_range to end_range
Specifies the starting
and ending port numbers for the port range.
start_range must
be an integer from 1 through 65535.
end_range must
be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map_name
Specifies the port
map for the port range. port_map_name must be
an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
define rule expressions to match source port number in UDP headers.
Example:
The following command
defines a rule expression to match source port number
10 in UDP
headers:
udp src-port = 10
udp uplink
This command allows
you to define rule expressions to match uplink (subscriber to network)
UDP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] udp
uplink operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match uplink UDP packets.
Example:
The following command
defines a rule expression to match uplink (from subscriber) UDP packets:
udp uplink = TRUE
wsp any-match
This command allows
you to define rule expressions to match all Wireless Session Protocol
(WSP) packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp
any-match operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
specify a rule expression to match all WSP packets.
Example:
The following command
defines a rule expression to match all WSP packets:
wsp any-match = TRUE
wsp content type
This command allows
you to define rule expressions to match the content type field in
WSP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp
content type [ case-sensitive ] operator content_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
content_type
Specifies content type
to match.
content_type must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match “content type” field
in WSP headers.
Example:
The following command
defines a rule expression to match WSP content type
test:
wsp content type = test
wsp domain
This command allows
you to define rule expressions to match the domain portion of the URI
for WSP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp
domain [ case-sensitive ] operator domain
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
domain
Specifies the domain
to match.
domain must
be an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
define rule expressions to match the domain portion of URIs in WSP packets.
From the URL, after
http:// (if present) is removed, everything until
the first "/" is the domain.
Example:
The following command
defines a rule expression to match user traffic based on domain name
testdomain:
wsp domain = testdomain
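The domain rule in the Usage text for wsp domain (strip http:// if present, keep everything up to the first "/") combined with the eight operators and the case-sensitive keyword decides how precise a rule really is. This is an added example, not vendor code: it applies the stated rule literally, the function names and URLs are hypothetical, and only the documented length limit of the domain argument is checked.

```python
# Added example: names are hypothetical and the matching logic is a literal
# reading of the reference text, not vendor code.
_BASE_TESTS = {
    "=": lambda value, pattern: value == pattern,
    "contains": lambda value, pattern: pattern in value,
    "starts-with": lambda value, pattern: value.startswith(pattern),
    "ends-with": lambda value, pattern: value.endswith(pattern),
}


def extract_domain(url):
    """Drop a leading http:// if present, then keep everything before the first '/'."""
    if url.startswith("http://"):
        url = url[len("http://"):]
    return url.split("/", 1)[0]


def parse_wsp_domain(expression):
    """Split 'wsp domain [ case-sensitive ] operator domain' into its parts."""
    tokens = expression.split()
    if tokens[:2] != ["wsp", "domain"]:
        raise ValueError("not a wsp domain expression")
    tokens = tokens[2:]
    case_sensitive = tokens[:1] == ["case-sensitive"]
    if case_sensitive:
        tokens = tokens[1:]
    if len(tokens) != 2:
        raise ValueError("expected: operator domain")
    operator, pattern = tokens
    negate = operator.startswith("!")
    base = operator[1:] if negate else operator
    if base not in _BASE_TESTS:
        raise ValueError(f"unknown operator {operator!r}")
    if not 1 <= len(pattern) <= 127:
        raise ValueError("domain must be 1 through 127 characters")
    return case_sensitive, negate, base, pattern


def rule_matches(expression, url):
    """Evaluate one wsp domain rule expression against a request URL."""
    case_sensitive, negate, base, pattern = parse_wsp_domain(expression)
    value = extract_domain(url)
    if not case_sensitive:               # default: not case-sensitive
        value, pattern = value.lower(), pattern.lower()
    return _BASE_TESTS[base](value, pattern) != negate


# Constructed URLs (not taken from real traffic).
CASES = [
    ("wsp domain = testdomain", "http://TestDomain/index.wml"),
    ("wsp domain case-sensitive = testdomain", "http://TestDomain/index.wml"),
    # An explicit port stays inside the extracted domain, so "=" misses it.
    ("wsp domain = testdomain", "http://testdomain:8080/index.wml"),
    # Loose operators also match longer, unrelated names.
    ("wsp domain contains testdomain", "http://testdomain.other.example/"),
    ("wsp domain ends-with testdomain", "http://nottestdomain/"),
    ("wsp domain !starts-with test", "testdomain/page"),
]

if __name__ == "__main__":
    for expression, url in CASES:
        print(f"{expression!r} on {url!r}: {rule_matches(expression, url)}")
```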
wsp downlink
This command allows
you to define rule expressions to match downlink (network to subscriber)
WSP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp
downlink operator
condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the downlink
(from the Mobile Node direction) status to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match downlink WSP packets.
Example:
The following command
defines a rule expression to match downlink WSP packets:
wsp downlink = TRUE
wsp first-request-packet
This command allows
you to define rule expressions to match WSP first-request-packet.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp
first-request-packet operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match the GET or POST request, if it
is the first WSP request for the subscriber's session.
Example:
The following command
defines a rule expression to match WSP first-request-packet:
wsp first-request-packet = TRUE
wsp host
This command allows
you to define rule expressions to match the host name header field
in WSP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp
host [ case-sensitive ] operator host_name
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
host_name
Specifies the WSP
host name to match.
host_name must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match host name header field in WSP headers.
Example:
The following command
defines a rule expression to match host name
host1 in
WSP headers:
wsp host contains host1
wsp pdu-length
This command allows
you to define rule expressions to match WSP PDU length.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp
pdu-length operator pdu_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
pdu_length
Specifies the WSP
PDU length (in bytes) to match.
pdu_length must
be an integer from 1 through 65535.
Usage:
Use this command to
define rule expressions to match WSP PDU length (header + payload)
in bytes.
Example:
The following command
defines a rule expression to match user traffic based on WSP PDU length
of
10000 bytes:
wsp pdu-length = 10000
wsp pdu-type
This command allows
you to define rule expressions to match WSP PDU type in the current
packet.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp
pdu-type operator
pdu_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
pdu_type
Specifies the WSP
PDU type to match.
pdu_type must
be one of the following:
- confirmed push
- connect-reply
- connect-request
- data-fragment
- delete
- disconnect
- get
- head
- options
- post
- push
- put
- redirect
- reply
- resume
- suspend
- trace
Usage:
Use this command to
define rule expressions to match WSP PDU type value in current packet.
Example:
The following command
defines a rule expression to match WSP PDU type
resume:
wsp pdu-type = resume
wsp previous-state
This command allows
you to define rule expressions to match previous WSP method invocation
state.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp
previous-state operator wsp_previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
wsp_previous_state
Specifies the previous
state to match.
wsp_previous_state must
be one of the following:
- init
- response-error
- response-ok
- waiting-for-response
Usage:
Use this command to
define rule expressions to match WSP previous state.
Example:
The following command
defines a rule expression to match WSP previous state of
response-ok:
wsp previous-state = response-ok
wsp reply code
This command allows
you to define rule expressions to match WSP reply code.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp
reply code operator reply_code
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
reply_code
Specifies the WSP
reply code to match.
reply_code must
be an integer from 0 through 101.
Usage:
Use this command to
define rule expressions to match WSP reply code.
Example:
The following command
defines a rule expression to match WSP reply code of
50:
wsp reply code = 50
wsp session-length
This command allows
you to define rule expressions to match the total length of a WSP session.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp
session-length operator session_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
session_length
Specifies the WSP
session length (in bytes) to match.
session_length must
be an integer from 1 through 65535.
Usage:
Use this command to
define rule expressions to match the total length of a WSP session.
Example:
The following command
defines a rule expression to match WSP session length of
2000 bytes:
wsp session-length = 2000
wsp session-management
This command allows
you to define rule expressions to match WSP Session Management state.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp
session-management { previous-state | state } operator state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
previous-state
Specifies the previous
WSP Session Management state.
state
Specifies current
WSP Session Management Finite State Machine (FSM) state.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
state
Specifies the state
to match.
For previous-state, state must
be one of the following:
- connected
- connecting
- init
- resuming
- suspended
For state, state must
be one of the following:
- close
- connected
- connecting
- init
- resuming
- suspended
Usage:
Use this command to
define rule expressions to match a WSP Session Management state.
Example:
The following command
defines a rule expression to match previous WSP Session Management
state of
connecting:
wsp session-management previous-state = connecting
wsp state
This command allows
you to define rule expressions to match WSP Method Invocation state.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp state operator current_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
current_state
Specifies the current
state to match.
current_state must
be one of the following:
- close
- response-error
- response-ok
- waiting-for-response
Usage:
Use this command to
define rule expressions to match WSP Method Invocation state.
Example:
The following command
defines a rule expression to match a WSP Method Invocation state
close:
wsp state = close
wsp status
This command has been
deprecated. See the
wsp reply-code command.
wsp tid
This command allows
you to define rule expressions to match Transaction Identifier (TID)
field for connection-less WSP.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp tid operator transaction_id
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
transaction_id
Specifies the transaction
identifier to match.
transaction_id must
be an integer from 0 through 255.
Usage:
Use this command to
define rule expressions to match TID field for connection-less WSP.
Example:
The following command
defines a rule expression to match a TID value of
22 for connection-less
WSP:
wsp tid = 22
wsp total-length
This command has been
deprecated. See the wsp
session-length command.
wsp transfer-encoding
This command allows
you to define rule expressions to match transfer encoding present
in WSP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp transfer-encoding [ case-sensitive ] operator transfer_encoding
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
transfer_encoding
This must be an alphanumeric
string of 1 through 127 characters.
Usage:
Use this command to
define rule expressions to match transfer encoding present in WSP header.
Example:
The following command
defines a rule expression to match user traffic based on WSP transfer
encoding
7:
wsp transfer-encoding contains 7
wsp uplink
This command allows
you to define rule expressions to match uplink (subscriber to network)
WSP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp uplink operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the uplink
(to the Mobile Node direction) status to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match uplink WSP packets.
Example:
The following command
defines a rule expression to match uplink WSP packets:
wsp uplink = TRUE
wsp url
This command allows
you to define rule expressions to match WSP URL.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp url [ case-sensitive ] operator url
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
url
Specifies the URL to
match.
url must
be an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
define rule expressions to match the complete URL, including the host
portion.
Example:
The following command
defines a rule expression to match user traffic based on WSP URL
wsp://wiki.tcl.tk:
wsp url = wsp://wiki.tcl.tk
wsp user-agent
This command allows
you to define rule expressions to match user agent field in WSP
headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp user-agent [ case-sensitive ] operator user_agent
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
user_agent
Specifies the WSP
user agent to match.
user_agent must
be an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
define rule expressions to match a user agent field in WSP headers.
Example:
The following command
defines a rule expression to match value
test in
user agent field in WSP headers:
wsp user-agent contains test
wsp x-header
This command allows
you to define rule expressions to match WSP extension-headers (x-headers).
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wsp x-header name [ case-sensitive ] operator string
no
If previously configured,
deletes the specified rule expression from the current ruledef.
name
Specifies the x-header
value as an alphanumeric string of 1 through 31 characters.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
string
Specifies the value
of the extension header as an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
configure any x-header field in WSP and parse it. The extension-header
mechanism allows additional header fields to be defined without
changing the protocol. The extension-header can be any header fields
that are not specified in the RFC standard.
Example:
The following command
defines a rule expression to analyze user traffic containing WSP extension-header
of
test_field and
value of
test_string:
wsp x-header test_field = test_string
wtp any-match
This command allows
you to define rule expressions to match all Wireless Transaction
Protocol (WTP) packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wtp any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all WTP packets.
Example:
The following command
defines a rule expression to match all WTP packets:
wtp any-match = TRUE
wtp downlink
This command allows
you to define rule expressions to match downlink (network to subscriber)
WTP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wtp downlink operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the downlink
(from the Mobile Node direction) status to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match downlink WTP packets.
Example:
The following command
defines a rule expression to match all downlink WTP packets:
wtp downlink = TRUE
wtp gtr
This command allows
you to define rule expressions to match Group Transmission (GTR)
flag in the current WTP PDU.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wtp gtr operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match the GTR flag (that indicates the
last packet of a packet group) in the current WTP PDU.
Example:
The following command
defines a rule expression to match WTP user traffic based on WTP GTR:
wtp gtr = TRUE
wtp pdu-length
This command allows
you to define rule expressions to match WTP PDU length.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wtp pdu-length operator pdu_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
pdu_length
Specifies the WTP
PDU length (in bytes) to match.
pdu_length must
be an integer from 1 through 65535.
Usage:
Use this command to
define rule expressions to match WTP PDU length (header + payload)
in bytes.
Example:
The following command
defines a rule expression to match WTP PDU length of
9647 bytes:
wtp pdu-length = 9647
wtp pdu-type
This command allows
you to define rule expressions to match WTP PDU type.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wtp pdu-type operator pdu_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
pdu_type
Specifies the WTP
PDU type to match.
pdu_type must
be one of the following:
- abort
- ack
- invoke
- negative-ack
- result
- segment-invoke
- segment-result
Usage:
Use this command to
define rule expressions to match WTP PDU type.
Example:
The following command
defines a rule expression to match the WTP PDU type
result:
wtp pdu-type = result
wtp previous-state
This command allows
you to define rule expressions to match previous WTP state.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wtp previous-state operator wtp_previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
wtp_previous_state
Specifies the previous
state to match.
wtp_previous_state must
be one of the following:
- ack-sent
- init
- invoke-sent
- rcvd
- result-rcvd
Usage:
Use this command to
define rule expressions to match WTP previous state.
Example:
The following command
defines a rule expression to match user traffic based on WTP previous
state of
ack-sent:
wtp previous-state = ack-sent
wtp rid
This command allows
you to define rule expressions to match Re-transmission Indicator
(RID) flag set in WTP traffic.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wtp rid operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match WTP RID flag.
Example:
The following command
defines a rule expression to match user traffic containing WTP RID flag:
wtp rid = TRUE
wtp state
This command allows
you to define rule expressions to match current WTP state.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wtp state operator current_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
current_state
Specifies the current
state to match.
current_state must
be one of the following:
- ack-sent
- close
- init
- invoke-sent
- rcvd
- result-rcvd
Usage:
Use this command to
define rule expressions to match current WTP state.
Example:
The following command
defines a rule expression to match user traffic based on current WTP
state
close:
wtp state = close
wtp tid
This command allows
you to define rule expressions to match WTP Transaction Identifier
(TID).
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wtp tid operator transaction_id
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
transaction_id
Specifies the transaction
identifier to match.
transaction_id must
be an integer from 0 through 65535.
Usage:
Use this command to
define rule expressions to match WTP TID. This expression ignores the
high order bit in the protocol that indicates the direction.
Example:
The following command
defines a rule expression to match user traffic containing WTP TID value
of
22:
wtp tid = 22
wtp transaction class
This command allows
you to define rule expressions to match WTP Transaction Class (TCL)
state.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wtp transaction class operator transaction_class
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
transaction_class
Specifies the WTP
TCL to match.
transaction_class must
be an integer from 0 through 2.
Usage:
Use this command to
define rule expressions to match WTP transaction class.
Example:
The following command
defines a rule expression to match WTP traffic based on WTP transaction
class
2:
wtp transaction class = 2
wtp ttr
This command allows
you to define rule expressions to match WTP Trailer Transmission
(TTR) flag.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wtp ttr operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match TTR flag (used to indicate the
last packet in a segmented message) in the current WTP PDU.
Example:
The following command
defines a rule expression to match WTP traffic based on the presence
of the WTP TTR flag:
wtp ttr = TRUE
wtp uplink
This command allows
you to define rule expressions to match uplink (subscriber to network)
WTP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] wtp uplink operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match uplink WTP packets.
Example:
The following command
defines a rule expression to match all uplink WTP packets:
wtp uplink = TRUE
www any-match
This command allows
you to define rule expressions to match all WWW packets. It is true
for HTTP, WAP1.x, and WAP2.0 protocols.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] www any-match operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match all WWW packets. This expression is
true for HTTP, WAP1.x, and WAP2.0 protocols.
Example:
The following command
defines a rule expression to match all WWW packets:
www any-match = TRUE
www content type
This command allows
you to define rule expressions to match the Content-Type field of
HTTP/WSP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] www content type [ case-sensitive ] operator content_type
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
content_type
Specifies the value
to match.
content_type must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match the “content type” field
of HTTP/WSP header.
Example:
The following command
defines a rule expression to match the WWW content type
Accept:
www content type = Accept
www domain
This command allows
you to define rule expressions to match the domain portion of URIs
in WSP/HTTP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] www domain [ case-sensitive ] operator domain
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
domain
Specifies the domain
to match.
domain must
be an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
define rule expressions to match the domain portion of URIs in WSP/HTTP
packets.
From the URL, after
http:// (if present) is removed, everything until
the first "/" is the domain.
Example:
The following command
defines a rule expression to match user traffic based on domain name
testdomain:
www domain = testdomain
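The domain rule and the string operators described above, modeled as an added Python sketch (not vendor code) to show which domains a given www domain expression selects. The names extract_domain, match and domains_matched are hypothetical, the sample URLs are constructed, and case-insensitive comparison is assumed to be plain lowercase folding.

```python
"""Model of the 'www domain' rule and the string operators on this page.

Added illustration, not vendor code. All function names are hypothetical.
"""

# Positive string operators listed in the Syntax sections of this page;
# each "!"-prefixed operator is the negation of its positive form.
OPERATORS = {
    "=": lambda field, value: field == value,
    "contains": lambda field, value: value in field,
    "starts-with": lambda field, value: field.startswith(value),
    "ends-with": lambda field, value: field.endswith(value),
}


def extract_domain(url):
    """Apply the page's rule literally: remove a leading http:// if present,
    then keep everything up to (not including) the first "/"."""
    prefix = "http://"
    if url.startswith(prefix):
        url = url[len(prefix):]
    return url.split("/", 1)[0]


def match(field, operator, value, case_sensitive=False):
    """Evaluate one rule expression (operator + value) against a field."""
    negate = operator.startswith("!")
    name = operator[1:] if negate else operator
    if name not in OPERATORS:
        raise ValueError(f"unsupported operator: {operator!r}")
    if not 1 <= len(value) <= 127:
        raise ValueError("value must be 1 through 127 characters")
    if not case_sensitive:
        # Assumption: the default case-insensitive match is lowercase folding.
        field, value = field.lower(), value.lower()
    result = OPERATORS[name](field, value)
    return not result if negate else result


def domains_matched(operator, value, urls, case_sensitive=False):
    """Return the extracted domains that a 'www domain' expression selects."""
    return [d for d in map(extract_domain, urls)
            if match(d, operator, value, case_sensitive)]


# Constructed sample URLs (not taken from any capture).
SAMPLE_URLS = [
    "http://testdomain/index.html",
    "http://www.testdomain.example/a/b",
    "TestDomain/login",                       # no http:// prefix present
    "http://testdomain:8080/status",          # port stays in the domain
    "http://portal.example/redirect?to=testdomain",  # value only in the path
]

if __name__ == "__main__":
    for op in ("=", "!=", "contains", "starts-with", "ends-with"):
        print(f"www domain {op} testdomain ->",
              domains_matched(op, "testdomain", SAMPLE_URLS))
    print("www domain case-sensitive = testdomain ->",
          domains_matched("=", "testdomain", SAMPLE_URLS, case_sensitive=True))
```

Under the literal rule a port number remains part of the domain, so an = or ends-with expression written for the bare host name does not select it, while contains also selects longer names that embed the value.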
www downlink
This command allows
you to define rule expressions to match downlink (network to subscriber)
HTTP/WSP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] www downlink operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match downlink HTTP/WSP packets.
Example:
The following command
defines a rule expression to match all downlink WWW packets:
www downlink = TRUE
www first-request-packet
This command allows
you to define rule expressions to match the GET or POST request,
if it is the first WSP/HTTP request for the subscriber's
session.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] www first-request-packet operator condition
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
Usage:
Use this command to
define rule expressions to match the GET or POST request, if it
is the first WSP/HTTP request for the subscriber's session.
Example:
The following command
defines a rule expression to match user traffic based on the WWW first-request-packet:
www first-request-packet = TRUE
www header-length
This command allows
you to define rule expressions to match WWW packet header length.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] www header-length operator header_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
header_length
Specifies the WWW
packet header length (in bytes) to match.
header_length must
be an integer from 0 through 65535.
Usage:
Use this command to
define rule expressions to match WWW packet header length.
Example:
The following command
defines a rule expression to match user traffic based on WWW packet
header length of
10000 bytes:
www header-length = 10000
www host
This command allows
you to define rule expressions to match the “host name” header
field present in HTTP/WSP headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] www host [ case-sensitive ] operator host_name
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
host_name
Specifies the WWW
host name to match.
host_name must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match the host name header field present in
HTTP/WSP headers.
Example:
The following command
defines a rule expression to match user traffic based on WWW host name
host1:
www host = host1
www payload-length
This command allows
you to define rule expressions to match WWW payload length.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] www payload-length operator payload_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
payload_length
Specifies the payload
length (in bytes) to match.
payload_length must
be an integer from 1 through 4000000000.
Usage:
Use this command to
define rule expressions to match WWW payload length.
Example:
The following command
defines a rule expression to match user traffic based on WWW payload
length of
10000:
www payload-length = 10000
www pdu-length
This command allows
you to define rule expressions to match WWW PDU length.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] www pdu-length operator pdu_length
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
pdu_length
Specifies the WWW
PDU length (in bytes) to match.
pdu_length must
be an integer from 0 through 65535.
Usage:
Use this command to
define rule expressions to match WWW PDU length (header + payload)
in bytes.
Example:
The following command
defines a rule expression to match user traffic based on WWW PDU
length of
9767 bytes:
www pdu-length = 9767
www previous-state
This command allows
you to define rule expressions to match previous HTTP/WSP(HTTP)
state.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] www previous-state operator www_previous_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
www_previous_state
Specifies the previous
state to match.
www_previous_state must
be one of the following:
- init
- response-error
- response-ok
- waiting-for-response
Usage:
Use this command to
define rule expressions to match a previous HTTP/WSP(HTTP) state.
Example:
The following command
defines a rule expression to match user traffic based on WWW previous
state
init:
www previous-state = init
www reply code
This command allows
you to define rule expressions to match WWW reply code arguments.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] www reply code operator reply_code
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equal to
- =:
Equals
- >=:
Greater than or equal to
reply_code
Specifies the reply
code to match.
reply_code must
be an integer from 100 through 599.
Usage:
Use this command to
define rule expressions to match HTTP 1.1 status code, or WSP status
code that has been remapped to the corresponding HTTP value.
WSP status codes 0 – 101
are automatically remapped to the HTTP status code values, as defined
by Table 36 WAP-230-WSP Version 5.
Example:
The following command
defines a rule expression to analyze WWW user traffic based on reply
code of
125:
www reply code = 125
www state
This command allows
you to define rule expressions to match current HTTP/WSP(HTTP)
state.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] www state operator current_state
no
If previously configured,
deletes the specified rule expression from the current ruledef.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
current_state
Specifies the current
state to match.
current_state must
be one of the following:
- close
- response-error
- response-ok
- waiting-for-response
Usage:
Use this command to
define rule expressions to match current HTTP/WSP state.
Example:
The following command
defines a rule expression to match user traffic based on the current WWW
state
close:
www state = close
www transfer-encoding
This command allows
you to define rule expressions to match the transfer encoding field
present in HTTP/WSP(HTTP) headers.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] www transfer-encoding [ case-sensitive ] operator transfer_encoding
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
transfer_encoding
Specifies the WWW
transfer encoding to match.
transfer_encoding must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match the “transfer encoding” field
present in HTTP/WSP(HTTP) headers.
Example:
The following command
defines a rule expression to match user traffic based on the WWW transfer
encoding
user1:
www transfer-encoding = user1
www url
This command allows
you to define rule expressions to match URL for any Web protocol
analyzer—HTTP, WAP1.X, WAP2.0.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] www url [ case-sensitive ] operator url
no
If previously configured,
deletes the specified rule expression from the current ruledef.
case-sensitive
Specifies that the
rule expression be case-sensitive. By default, rule expressions
are not case-sensitive.
operator
Specifies how to match.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
url
Specifies the URL to
match.
url must
be an alphanumeric string of 1 through 127 characters and may contain
punctuation characters.
Usage:
Use this command to
define rule expressions to match the URL for any Web protocol analyzer—HTTP,
WAP1.X, WAP2.0.
Example:
The following command
defines a rule expression to match user traffic based on WWW URL
www.abc.com:
www url = www.abc.com