ACS Ruledef Configuration Mode Commands

The ACS Ruledef Configuration Mode is used to create and manage rule expressions in individual rule definitions (ruledefs).

IMPORTANT:

Up to 10 rule expressions can be configured in one ruledef.

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).

bearer 3gpp apn

This command allows you to define rule expressions to match Access Point Name (APN) of the bearer flow.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] bearer
3gpp apn [ case-sensitive ] operator apn_name
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
apn_name

Specifies name of the APN to match.

apn_name must be an alphanumeric string of 1 through 62 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match an APN in the bearer flow.


Example:
The following command defines a rule expression to match user traffic based on APN named apn12:
bearer 3gpp = apn12 
bearer 3gpp imsi

This command allows you to define rule expressions to match International Mobile Station Identification (IMSI) number in the bearer flow.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] bearer
3gpp imsi { operator imsi | { !range | range } imsi-pool imsi_pool_name }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
imsi

Specifies the IMSI number to match.

!range | range

!range | range: Specifies the range criteria:

  • !range: Not in the range of
  • range: In the range of
imsi-pool imsi_pool_name

Specifies the IMSI pool.

imsi_pool_name must be the name of an IMSI pool, and must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to define rule expressions to match an IMSI.


Example:
The following command defines a rule expression to analyze user traffic for the IMSI number 9198838330912:
bearer 3gpp imsi = 9198838330912
bearer 3gpp rat-type

This command allows you to define rule expressions to match Radio Access Technology (RAT) in the bearer flow.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] bearer
3gpp rat-type operator rat_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
rat_type

Specifies the RAT type to match.

rat_type must be one of the following:

  • geran: GSM EDGE Radio Access Network type
  • utran: UMTS Terrestrial Radio Access Network type
  • wlan: Wireless LAN type

Usage:

Use this command to define rule expressions to match a RAT type.


Example:
The following command defines a rule expression to match user traffic based on RAT type wlan:
bearer 3gpp rat-type = wlan
bearer 3gpp sgsn-address

This command allows you to define rule expressions to match SGSN address associated in the bearer flow.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] bearer
3gpp sgsn-address operator ipv4/ipv6_address
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
ipv4/ipv6_address

Specifies the SGSN IP address to match.

ipv4/ipv6_address must be in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.


Usage:

Use this command to define rule expressions to match IP address of an SGSN node. This command replaces the bearer sgsn-address command.


Example:
The following command defines a rule expression to analyze user traffic for an SGSN node with IP address 10.1.1.1:
bearer 3gpp sgsn-address = 10.1.1.1
bearer 3gpp2 bsid

This command allows you to define rule expressions to match Base Station Identifier (BSID) associated with the bearer.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] bearer
3gpp2 bsid [ case-sensitive ] [ use-group-of-objects ] operator string
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

use-group-of-objects

Specifies using a group-of-objects as a qualifier to match this rule.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
string

Specifies the name of a group-of-objects to match.

If the use-group-of-objects keyword is not included in the command, string specifies name of the matching 3GPP2 service Base Station ID (BSID) in bearer flow.

If the use-group-of-objects keyword is included in the command, string must be the name of the group-of-objects to use. In this case, it is checked if the rule is satisfied for either one or none of the objects in the group-of-objects depending upon the operator used. For example, if the operator is contains, the expression would be true if any of the objects in the specified object group is contained in the BSID. If the operator is !contains, then the expression would be true if none of the objects in the object group is contained in the BSID.

string must be an alphanumeric string of 1 through 16 characters, and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match a 3GPP2 Base Station Identifier (BSID).


Example:
The following command defines a rule expression to analyze user traffic for 3GPP2 BSID named bs001_xyz:
bearer 3gpp2 bsid = bs001_xyz
bearer 3gpp2 service-option

This command allows you to define rule expressions to match 3GPP2 service with service options associated with the bearer.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] bearer
3gpp2 service-option operator service_option_code
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
service_option_code

Specifies the 3GPP2 service option code to match.

service_option_code must be an integer from 0 through 1000.


Usage:

Use this command to define rule expressions to match a 3GPP2 service’s service option code.


Example:
The following command defines a rule expression to analyze user traffic for a 3GPP2 service’s service option matching 1034:
bearer 3gpp2 service-option = 1034
bearer apn

This command allows you to define rule expressions to match the APN used for the subscriber session.

IMPORTANT:

In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp apn command.

Platform:

ASR 5000

Product:

GGSN


Privilege:

Security Administrator, Administrator


Syntax
[ no ] bearer
apn [ case-sensitive ] operator apn_name
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
apn_name

Specifies the APN to match.

apn_name must be the name of an APN, and must be an alphanumeric string of 1 through 62 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match APN used for subscriber session.


Example:
The following command defines a rule expression to match user traffic based on APN name apn12:
bearer apn = apn12
bearer imsi

This command allows you to define rule expressions to match IMSI number of the subscriber.

IMPORTANT:

In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp imsi command.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] bearer
imsi { operator imsi | { !range | range } imsi-pool imsi_pool_name }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
imsi

Specifies the IMSI number to match.

!range | range

Specifies the range criteria:

  • !range: Not in the range of
  • range: In the range of
imsi-pool imsi_pool_name

Specifies an IMSI pool.

imsi_pool_name must be the name of an IMSI pool, and must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to define rule expressions to match IMSI number of subscriber.


Example:
The following command defines a rule expression to match user traffic based on IMSI number 9198838330912:
bearer imsi = 9198838330912
bearer rat-type

This command allows you to define rule expressions to match Radio Access Technology (RAT) in the bearer flow.

IMPORTANT:

In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp rat-type command.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] bearer
rat-type operator
rat_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
rat_type

Specifies the RAT type to match.

rat_type must be one of the following:

  • geran: GSM EDGE Radio Access Network type
  • utran: UMTS Terrestrial Radio Access Network type
  • wlan: Wireless LAN type

Usage:

Use this command to define rule expressions to match a RAT type.


Example:
The following command defines a rule expression to match user traffic based on RAT type wlan:
bearer rat-type = wlan
bearer sgsn-address

This command allows you to define rule expressions to match IP address of the SGSN (in acting as GGSN) / P-GW (if acting as S-GW) in the bearer flow.

IMPORTANT:

In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp sgsn-address command.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] bearer
sgsn-address operator
ipv4/ipv6_address
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
ipv4/ipv6_address

Specifies the SGSN IP address to match.

ipv4/ipv6_address must be in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.


Usage:

Use this command to define rule expressions to match IP address of the SGSN (in acting as GGSN) / P-GW (if acting as S-GW).


Example:
The following command defines a rule expression to match user traffic based on SGSN node IP address 10.1.1.1:
bearer sgsn-address = 10.1.1.1
bearer traffic-group

This command allows you to define rule expressions to match traffic group number associated with the subscriber session.

IMPORTANT:

This functionality is available only if the Content Access Control license has been installed on the chassis.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] bearer
traffic-group operator group_number
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
group_number

Specifies the traffic group number to match.

group_number must be an integer from 1 through 255.


Usage:

Use this command to define rule expressions to match traffic group of the subscriber session. See the fa-ha-spi command in the HA Service Configuration Mode Commands chapter for more information.


Example:
The following command defines a rule expression to analyze all traffic groups assigned a value greater or equal to 23:
bearer traffic-group
>= 23
cca quota-state

Specifies the quota state of a subscriber for prepaid credit control service. In release 12.0 and later, this command should be used as a post-processing rule. For more information on post-processing policy command, refer to the ACS Rulebase Configuration Mode Commands chapter in this guide.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] cca
quota-state operator { limit-reached | lower-bandwidth }
no

Disables the configured credit control quota state.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
limit-reached

This state matches an affirmative end-of-quota indication for the current ruledef from the prepay server.

lower-bandwidth

This state matches the lower-bandwidth quota state of a rating group.


Usage:

This command supports URL redirection and creates a rule for subscriber prepaid quota state as exhausted or not exhausted.

If a subscriber has exhausted the quota but has not exhausted the qualified period, a different charging-action can be applied via the cca quota-state command.


Example:
The following command defines a rule expression to match user traffic based on the Credit-Control Application (CCA) quota state limit-reached:
cca quota-state = limit-reached
cca redirect-indicator

This command allows you to define rule expressions to match redirect-indicator state of the Credit Control Application. In release 12.0 and later, this command should be used as a post-processing rule. For more information on post-processing policy command, refer to ACS Rulebase Configuration Mode Commands chapter in this reference.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] cca
redirect-indicator operator redirect_indicator
no

Disables the configured CCA redirect-indicator in the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
redirect_indicator

Specifies the redirect indicator for the AVP used for redirection of the URL in the RADIUS dictionary for prepaid service. It must be an integer from 0 through 4294967295.

IMPORTANT:

For the RADIUS server configured with different values to return for this AVP, the ACS requires ruledefs to match the different values for system to associate with charging actions that have different redirect URLs configured.


Usage:

This command is used to configure an AVP to be used from a dictionary that defines the AVP for the redirect-indicator.

For example, a RADIUS dictionary specifies the 3gpp2-release-indicator to be used for the redirect indicator when RADIUS is used as the Credit-Control Application. In this case, the value for 3gpp2-release-indicator that is returned by the RADIUS prepaid server for a quota request for a given content ID is retained by system and associated with the flow.


Example:
The following command defines a rule expression to match redirect indicator 1234 for the URL Redirect AVP:
cca redirect-indicator = 1234
copy-packet-to-log

This command allows you to print every packet that hits the current ruledef to a log statement.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] copy-packet-to-log
no

Disables the copy-packet-to-log feature.

copy-packet-to-log

Specifies to print packets hitting the current ruledef to a log.


Usage:

Use this command to print every packet that hits a ruledef to a log statement. This facilitates debugging.

dns answer-name

This command allows you to define rule expressions to match answer name in the answer section of DNS response messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] dns
answer-name [ case-sensitive ] operator value
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
value

Specifies the value to match.

value must be an alphanumeric string of 1 through 255 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match an answer name from the answer section of DNS response messages.

The answer section of a DNS response may contain more than one answer. A maximum of seven answers from the response packet are parsed. For the equality expressions (=, contains, starts-with, ends-with) a match is sought from any of the answers in the packet (up to the first seven answers). For the inequality expressions (!=, !contains, !starts-with, !ends-with), a non-match is sought from all answers (up to the first seven answers).


Example:
The following command defines a rule expression to match user traffic for answer name test:
dns answer-name = test
dns any-match

This command allows you to define rule expressions to match all DNS packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] dns
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define an any-match rule expression to match all DNS packets.


Example:
The following command defines an any-match rule expression to match all DNS packets:
dns any-match = TRUE
dns previous-state

This command allows you to define rule expressions to match previous state of the DNS FSM.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] dns
previous-state operator dns_previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
dns_previous_state

Specifies the previous state to match.

dns_previous_state must be one of the following:

  • dns-timeout
  • init
  • req-sent
  • resp-error
  • resp-success

Usage:

Use this command to define rule expressions to match previous state of DNS FSM.


Example:
The following command defines a rule expression to match the DNS FSM previous state req-sent:
dns previous-state = req-sent
dns query-name

This command allows you to define rule expressions to match query name in DNS request messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] dns
query-name [ case-sensitive ] operator query_name
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
query_name

Specifies the query name to match.

query_name must be an alphanumeric string of 1 through 255 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match query name in DNS request messages.


Example:
The following command defines a rule expression to match DNS query name test:
dns query-name = test
dns return-code

This command allows you to define rule expressions to match response code in DNS response messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] dns
return-code operator return_code
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
return_code

Specifies the response code to match.

return_code must be one of the following:

  • format-error
  • name-error
  • no-error
  • not-implemented
  • refused
  • server-failure

Usage:

Use this command to define rule expressions to match response code in DNS response messages.


Example:
The following command defines a rule expression to match a DNS response code refused:
dns return-code = refused
dns state

This command allows you to define rule expressions to match current state of DNS FSM.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] dns
state operator dns_current_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
dns_current_state

Specifies the current state to match.

dns_current_state must be one of the following:

  • dns-timeout
  • init
  • req-sent
  • resp-error
  • resp-success

Usage:

Use this command to define rule expressions to match DNS FSM current state.


Example:
The following command defines a rule expression to match DNS FSM current state of req-sent:
dns state = req-sent
dns tid

This command allows you to define rule expressions to match Transaction Identifier (TID) field in DNS messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] dns
tid operator tid_value
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
tid_value

Specifies the DNS transaction identifier to match.

tid_value must be an integer from 1 through 65535.


Usage:

Use this command to define rule expressions to match a TID field of DNS messages.


Example:
The following command defines a rule expression to match DNS TID field value of test:
dns tid = test
email

This command allows you to define rule expressions to match generic e-mail message parameters. These expressions will be applicable for IMAP, MMS, POP3, and SMTP protocols.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] email { cc | content { class | type } | from | size | subject | to } [ case-sensitive ] operator value
no

If previously configured, deletes the specified rule expression from the current ruledef.

cc

Specifies to match the “cc” field of standard e-mail message.

content { class | type }

Specifies to match the “content-type” or “content-class” field of standard e-mail message.

from

Specifies to match the “from” field of standard e-mail message.

subject

Specifies to match the “subject” field of standard e-mail message.

to

Specifies to match the “to” field of standard e-mail message.

size

Specifies to match with the total size of e-mail message specified in bytes.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following except for size:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with

operator must be one of the following for size:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
value

Specifies the value to match.

value must be an alphanumeric string and can contain punctuation characters.

  • cc: A string of 1 through 512 characters
  • content: A string of 1 through 128 characters
  • from: A string of 1 through 64 characters
  • size: A range of bytes from 1 through 4000000000 bytes
  • subject: A string of 1 through 128 characters
  • to: A string of 1 through 512 characters

Usage:

Use this command to define rule expressions to match different fields/parameters within standard e-mail messages.


Example:
The following command defines a rule expression to analyze user traffic for the occurrence of triangle in the “cc” field of e-mail messages:
email cc contains triangle@xyz.com
end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
end

Usage:

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
exit

Usage:

Use this command to return to the parent configuration mode.

file-transfer any-match

This command allows you to define rule expressions to match all file-transfer packets. This expression applies to file transfers that use the FTP or HTTP protocols.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] file-transfer
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all file-transfer packets. This expression applies to file transfers that use the FTP or HTTP protocols.


Example:
The following command defines a rule expression to match all file-transfer packets:
file-transfer any-match = TRUE
file-transfer chunk-number

This command allows you to define rule expressions to match the total number of chunks in an HTTP file as determined by the File Transfer analyzer.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] file-transfer
chunk-number operator chunks_number
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
chunks_number

Specifies the number of chunks to match.

chunks_number must be an integer from 1 through 65535.


Usage:

Use this command to define rule expressions to match the total number of chunks in an HTTP file as determined by the File Transfer analyzer.


Example:
The following command defines a rule expression to match 150 number of chunks:
file-transfer chunk-number = 150
file-transfer current-chunk-length

This command allows you to define rule expressions to match the length of an HTTP chunk currently in the File Transfer analyzer.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] file-transfer
current-chunk-length operator current_chunk_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
current_chunk_length

Specifies the current chunk length value (in bytes) to match.

current_chunk_length must be an integer from 1 through 40000000.


Usage:

Use this command to define rule expressions to match the length of an HTTP chunk currently in the File Transfer analyzer.


Example:
The following command defines a rule expression to match length of current HTTP chunk as 1500000 bytes:
file-transfer current-chunk-length = 1500000
file-transfer declared-chunk-length

This command allows you to define rule expressions to match the declared length of an HTTP chunk currently in the File Transfer analyzer.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] file-transfer
declared-chunk-length operator declared_chunk_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
declared_chunk_length

Specifies the declared chunk length value (in bytes) to match.

declared_chunk_length must be an integer from 1 through 40000000.


Usage:

Use this command to define rule expressions to match the declared length of an HTTP chunk currently in the File Transfer analyzer.


Example:
The following command defines a rule expression to match declared length of the current HTTP chunk as 2500000 bytes:
file-transfer declared-chunk-length = 2500000
file-transfer declared-file-size

This command allows you to define rule expressions to match the declared file size by the File Transfer analyzer decoding the FTP handshake.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] file-transfer
declared-file-size operator declared_file_size
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
declared_file_size

Specifies the declared file size (in bytes) to match.

declared_file_size must be an integer from 1 through 40000000.


Usage:

Use this command to define rule expressions to match the declared file size by the File Transfer analyzer decoding the FTP handshake.


Example:
The following command defines a rule expression to match declared file size as 2500000 bytes:
file-transfer declared-file-size = 2500000
file-transfer filename

This command allows you to define rule expressions to match file name.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] file-transfer
filename [ case-sensitive ] operator file_name
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
file_name

Specifies the file name to match.

file_name must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match file name in file-transfer.


Example:
The following command defines a rule expression to match file name containing star1:
file-transfer filename
contains star1
file-transfer previous-state

This command allows you to define rule expressions to match previous state of File Transfer FSM.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] file-transfer
previous-state operator file_transfer_previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
file_transfer_previous_state

Specifies the previous state to match.

file_transfer_previous_state must be one of the following:

  • init: Specifies previous state as initialization.
  • request-sent: Specifies previous state as request sent.
  • transfer-error: Specifies previous state as transfer error.
  • transfer-ok: Specifies previous state as transfer ok.

Usage:

Use this command to define rule expressions to match previous state of File Transfer FSM.


Example:
The following command defines a rule expression to match previous state of init:
file-transfer previous-state = init
file-transfer state

This command allows you to define rule expressions to match the current state of File Transfer FSM.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] file-transfer
state operator file_transfer_current_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
file_transfer_current_state

Specifies the current state to match.

file_transfer_current_state must be one of the following

  • init: Specifies current state as initialization.
  • request-sent: Specifies current state as request sent.
  • transfer-error: Specifies current state as transfer error.
  • transfer-ok: Specifies current state as transfer ok.

Usage:

Use this command to define rule expressions to match current state of File Transfer FSM.

The following table describes details of File Transfer FSM states with event:

Event init request-sent transfer-ok transfer-err

FTP “RETR” command or HTTP “GET” request received with chunk encoding

request-sent

Discarded

Discarded

Discarded

HTTP 2xx response received

transfer-ok

Discarded

Discarded

Discarded

HTTP 4xx or HTTP 5xx response received

transfer-error

Discarded

Discarded

Discarded

FTP reply received with reply status as file-transfer complete/successful

Discarded

transfer-ok

Discarded

Discarded

FTP reply received with reply status as file-transfer unsuccessful

Discarded

transfer-error

Discarded

Discarded




Example:
The following command defines a rule expression to match file-transfer current state of init:
file-transfer state = init
file-transfer transferred-file-size

This command allows you to define rule expressions to match the size of a file that has been transferred so far, as detected by the File Transfer analyzer.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] file-transfer
transferred-file-size operator transferred_file_size
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
transferred_file_size

Specifies the transferred file size (in bytes) to match.

transferred_file_size must be an integer from 1 through 4000000000.


Usage:

Use this command to define rule expressions to match the size of the file that has been transferred so far, as detected by the File Transfer analyzer.


Example:
The following command defines a rule expression to match file transferred size of 2500 bytes:
file-transfer transferred-file-size = 2500
ftp any-match

This command allows you to define rule expressions to match all FTP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define a rule expression to match all FTP packets.


Example:
The following command defines a rule expression to match all FTP packets:
ftp any-match = TRUE
ftp client-ip-address

This command allows you to define rule expressions to match IP address of the FTP client.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
client-ip-address operator ipv4/ipv6_address
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
ipipv4/ipv6_address

Specifies the FTP client IP address to match.

ipv4/ipv6_address must be in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.


Usage:

Use this command to define rule expressions to match an FTP client IP address, which will be either the IP source address or the IP destination address, depending on the direction.


Example:
The following command defines a rule expression to match client IP address 10.1.1.1:
ftp client-ip-address = 10.1.1.1
ftp client-port

This command allows you to define rule expressions to match port number of the FTP client.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
client-port operator port_number
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
port_number

Specifies the client port number to match.

port_number must be an integer from 1 through 65535.


Usage:

Use this command to define rule expressions to match port number of the FTP client, which will be either the TCP source port or the TCP destination port, depending on the direction.


Example:
The following command defines a rule expression to match FTP client port number 10:
ftp client-port = 10
ftp command args

This command allows you to define rule expressions to match arguments within an FTP command.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
command args [ case-sensitive ] operator argument
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
argument

Specifies the argument to match.

argument must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to define rule expressions to match arguments within an FTP command.


Example:
The following command defines a rule expression to match argument ascii within an FTP command:
ftp command args = ascii
ftp command id

This command allows you to define rule expressions to match FTP command ID.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
command id operator command_id
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
command_id

Specifies the command identifier to match.

In 8.3 and earlier releases, command_id must be an integer from 0 through 15.

In 9.0 and later releases, command_id must be an integer from 0 through 18.


Usage:

Use this command to define rule expressions to match FTP command ID.


Example:
The following command defines a rule expression to match the FTP command ID 10:
ftp command id = 10
ftp command name

This command allows you to define rule expressions to match FTP command name.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
command name operator command_name
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
command_name

Specifies the command name to match.

command_name must be one of the following:

  • abor: Abort command
  • cwd: Current working directory command
  • eprt: eprt command
  • epsv: epsv command
  • list: List command
  • mode: Transfer mode command
  • pass: Password command
  • pasv: Passive command
  • port: Port command
  • quit: Quit command
  • rest: Restore command
  • retr: Retry command
  • stor: Store command
  • stru: File structure command
  • syst: System command
  • type: Type command
  • user: User command

Usage:

Use this command to define rule expressions to match FTP command name.


Example:
The following command defines a rule expression to match FTP command name list:
ftp command name = list
ftp connection-type

This command allows you to define rule expressions to match FTP connection type.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
connection-type operator connection_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
connection_type

Specifies the connection type to match.

connection_type must be one of the following:

  • 0: Unknown
  • 1: Control connection
  • 2: Data connection

Usage:

Use this command to define rule expressions to match an FTP connection type.


Example:
The following command defines a rule expression to match FTP connection type 1:
ftp connection-type = 1
ftp data-any-match

This command allows you to define rule expressions to match all FTP data packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
data-any-match operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all FTP data packets.


Example:
The following command defines a rule expression to match all FTP data packets:
ftp data-any-match = TRUE
ftp filename

This command allows you to define rule expressions to match FTP file name.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
filename [ case-sensitive ] operator file_name
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
file_name

Specifies the file name to match.

file_name must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match an FTP file name.


Example:
The following command defines a rule expression to match a file named testtransfer:
ftp filename = testtransfer
ftp pdu-length

This command allows you to define rule expressions to match the length of a current FTP packet.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
pdu-length operator pdu_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
pdu_length

Specifies the FTP PDU length (in bytes) to match.

pdu_length must be an integer from 0 through 65535.


Usage:

Use this command to define rule expressions to match the length of a current FTP packet, that is, FTP PDU length (FTP header + FTP payload).


Example:
The following command defines a rule expression to match an FTP PDU length of 9647 bytes:
ftp pdu-length = 9647
ftp pdu-type

This command allows you to define rule expressions to match FTP Protocol Data Unit (PDU) type.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
pdu-type operator
pdu_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
pdu_type

Specifies the PDU type to match.

pdu_type must be one of the following:

  • 0: Unknown
  • 1: Command
  • 2: Reply

Usage:

Use this command to define rule expressions to match a PDU type of FTP packet.


Example:
The following command defines a rule expression to match FTP PDU type 1:
ftp pdu-type = 1
ftp previous-state

This command allows you to define rule expressions to match previous state of FTP session.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
previous-state operator ftp_previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
ftp_previous_state

Specifies the previous state to match.

ftp_previous_state must be one of the following:

  • command-sent
  • init
  • response-error
  • response-ok

Usage:

Use this command to define rule expressions to match a previous state of FTP session.


Example:
The following command defines a rule expression to match previous FTP state init:
ftp previous-state = init
ftp reply code

This command allows you to define rule expressions to match FTP reply code.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
reply code operator reply_code
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
reply_code

Specifies the FTP reply code to match.

reply_code must be an integer from 100 through 599.


Usage:

Use this command to define rule expressions to match an FTP reply code.


Example:
The following command defines a rule expression to match FTP reply code 150:
ftp reply code = 150
ftp server-ip-address

This command allows you to define rule expressions to match FTP server IP address.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
server-ip-address operator ipv4/ipv6_address
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
ipv4/ipv6_address

Specifies IP address of the server to match

ipv4/ipv6_address must be in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.


Usage:

Use this command to define rule expressions to match an FTP server IP address, which will be either the IP source address or the IP destination address, depending on the direction.


Example:
The following command defines a rule expression to match the FTP server IP address 10.1.1.1:
ftp server-ip-address = 10.1.1.1
ftp server-port

This command allows you to define rule expressions to match FTP server port number.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
server-port operator
port
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
port

Specifies the FTP server port number to match.

port must be an integer from 1 through 65535.


Usage:

Use this command to define rule expressions to match an FTP server port number, which will be either the TCP source port or the TCP destination port, depending on the direction.


Example:
The following command defines a rule expression to analyze user traffic for FTP server port 21:
ftp server-port = 21
ftp session-length

This command allows you to define rule expressions to match the total number of bytes sent on an FTP control connection.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
session-length operator session_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
session_length

Specifies the FTP session length (in bytes) to match.

session_length must be an integer from 1 through 4000000000.


Usage:

Use this command to define rule expressions to match the total number of bytes sent on an FTP control connection.


Example:
The following command defines a rule expression to match FTP session length of 40000 bytes:
ftp session-length = 40000
ftp state

This command allows you to define rule expressions to match the current state of an FTP session.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
state operator ftp_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
ftp_state

Specifies the FTP state to match.

ftp_state must be one of the following:

  • close: FTP transmissions that are in closed state.
  • command-sent: FTP transmissions that are in command-sent state.
  • response-error: FTP transmissions that are in response-error state.
  • response-ok: FTP transmissions that are in response-ok state.

Usage:

Use this command to define rule expressions to match the current state of an FTP session.


Example:
The following command defines a rule expression to match FTP current state close:
ftp state = close
ftp url

This command allows you to define rule expressions to match the FTP URL/path of a file being transferred.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
url [ case-sensitive ] operator url
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
url

Specifies the URL to match.

url must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to define rule expressions to match the FTP URL/path of a file being transferred.


Example:
The following command defines a rule expression to match the URL ftp://rfc.ietf.org/rfc/rfc1738.txt:
ftp url = ftp://rfc.ietf.org/rfc/rfc1738.txt
ftp user

This command allows you to define rule expressions to match the user name FTP command packet.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ftp
user [ case-sensitive ] operator ftp_user
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
ftp_user

Specifies the FTP user name to match.

ftp_user must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match a user name FTP command.


Example:
The following command defines a rule expression to match FTP user name user1:
ftp user = user1
http any-match

This command allows you to define rule expressions to match all HTTP and HTTPS Connect Method packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all HTTP packets.


Example:
The following command defines a rule expression to match all HTTP packets:
http any-match = TRUE
http attribute-in-data

This command allows you to define rule expressions to match any arbitrary attribute in the payload following the HTTP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
attribute-in-data attribute [ case-sensitive ] operator value
no

If previously configured, deletes the specified rule expression from the current ruledef.

attribute

attribute must be an alphanumeric string of 1 through 31 characters.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
value

Specifies the value as an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to define rule expressions to match arbitrary attribute in the payload following the HTTP headers.

http attribute-in-url

This command allows you to define rule expressions to match arbitrary attribute in the combined Host+URI HTTP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
attribute-in-url attribute [ case-sensitive ] operator value
no

If previously configured, deletes the specified rule expression from the current ruledef.

attribute

attribute must be an alphanumeric string of 1 through 31 characters.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
value

Specifies the value as an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to configure rule expression to match an arbitrary attribute in the combined Host+URI HTTP headers.

http content disposition

This command allows you to define rule expressions to match optional content-disposition field of HTTP entity header.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
content disposition [ case-sensitive ] operator content_disposition
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
content_disposition

This field offers a mechanism for the sender to transmit presentational information to the recipient, allowing each component of a message to be tagged with an indication of its desired presentation semantics.

content_disposition must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match optional content-disposition field of HTTP entity header. This feature supports RFC 2616 for HTTP and RFC 1806 for Content Disposition.


Example:
The following command defines a rule expression to match content disposition successful:
http content disposition = successful
http content length

This command allows you to define rule expressions to match the value in HTTP Content-Length entity-header field.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
content length operator content_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
content_length

Specifies the HTTP body length (in bytes) to match.

content_length must be an integer from 1 through 4000000000.


Usage:

Use this command to define rule expressions to match value in HTTP Content-Length entity-header field.


Example:
The following command defines a rule expression to match value of 10000 bytes in HTTP Content-Length entity-header field:
http content length = 10000
http content type

This command allows you to define rule expressions to match value in HTTP Content-Type entity-header field.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
content type [ case-sensitive ] operator content_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
content_type

Specifies the content type to match.

content_type must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match value in HTTP Content-Type entity-header field.


Example:
The following command defines a rule expression to match abc100 in HTTP Content-Type entity-header field:
http content type = abc100
http domain

This command allows you to define rule expressions to match the domain portion of URIs in HTTP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
domain [ case-sensitive ] operator domain
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
domain

Specifies the domain to match.

domain must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to define rule expressions to match the domain portion of URIs in HTTP packets.

From the URL, after http:// (if present) is removed, everything until the first "/" is the domain.


Example:
The following command defines a rule expression to match user traffic based on domain name testdomain:
http domain = testdomain
http error

This command allows you to define rule expressions to match for errors in HTTP packets (for example, invalid HTTP header) and errors in the HTTP analyzer FSM (Finite State Machine) while parsing HTTP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
error operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match for errors in HTTP packets and other errors in HTTP analyzer FSM while parsing HTTP packets. For example, FSM error, invalid header field values, ACS memory and buffer limit, packet related errors, and so on.

ACS supports pipelining of up to 32 HTTP requests on the same TCP connection. Pipeline overflow requests are not analyzed. Such overflow requests are treated as HTTP error. The billing system, based on this information, decides to charge or not charge, or refund the subscriber accordingly.


Example:
The following command defines a rule expression to match user traffic based on HTTP error status of TRUE:
http error = TRUE
http first-request-packet

This command allows you to define rule expressions to match the GET or POST request, if it is the first HTTP request for the subscriber's session.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
first-request-packet operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match the GET or POST request, if it is the first HTTP request for the subscriber's session.

This expression can be connected with a charging action, so the subscriber is redirected to a splash page for the first Web access attempted.


Example:
The following command defines a rule expression to match first-request-packet:
http first-request-packet = TRUE
http header-length

This command allows you to define rule expressions to match HTTP header length.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
header-length operator header_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
header_length

Specifies the HTTP header length (in bytes) to match.

header_length must be an integer from 0 through 65535.


Usage:

Use this command to define rule expressions to match the length of an HTTP header.


Example:
The following command defines a rule expression to match an HTTP header length of 8000:
http header-length = 8000
http host

This command allows you to define rule expressions to match value in HTTP Host request-header field.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
host [ case-sensitive ] operator host_name
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
host_name

Specifies the host name to match.

host_name must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match value in HTTP Host request-header field.


Example:
The following command defines a rule expression to match host1 in HTTP Host request-header field:
http host = host1
http payload-length

This command allows you to define rule expressions to match HTTP payload length.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
payload-length operator payload_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
payload_length

Specifies the HTTP payload (data) length (in bytes) to match.

payload_length must be an integer from 1 through 4000000000.


Usage:

Use this command to define rule expressions to match HTTP payload (data) length (pdu-length - header-length).


Example:
The following command defines a rule expression to match HTTP payload length of 100000 bytes:
http payload-length = 100000
http pdu-length

This command allows you to define rule expressions to match the total length of a single HTTP packet.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
pdu-length operator pdu_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
pdu_length

Specifies the HTTP PDU length (in bytes) to match.

pdu_length must be an integer from 0 through 65535.


Usage:

Use this command to define rule expressions to match the total length of a single HTTP packet. This will also match packets with partial HTTP message (due to fragmentation).


Example:
The following command defines a rule expression to match an HTTP PDU length of 10000 bytes:
http pdu-length = 10000
http previous-state

This command allows you to define rule expressions to match previous state of HTTP sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
previous-state operator http_previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
http_previous_state

Specifies the previous state to match.

http_previous_state must be one of the following:

  • init: Initialized state
  • response-error: Response error state
  • response-ok: Response ok state
  • waiting-for-response: Waiting for response state

Usage:

Use this command to define rule expressions to match a previous state of HTTP sessions.


Example:
The following command defines a rule expression to match HTTP previous state response-ok:
http previous-state = response-ok
http referer

This command allows you to define rule expressions to match the value in the HTTP Referer request-header field.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
referer [ case-sensitive ] operator referer_name
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
referer_name

Specifies the HTTP referer name to match.

referer_name must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match value in HTTP Referer request-header field.

This feature allows an operator to collect or track all URLs visited during a particular subscriber session. These URLs include the entire string of visited URLs, including all referral links. This information is output in an Event Data Record (EDR) format to support reporting or billing functions.

For example, if a subscriber begins a mobile web session and clicks on the “Sports” link from the home deck, and then selects ESPN and moves to an advertiser link, the operator can capture all URLs for that entire session. During this period ACS collects the URLs for a particular subscriber session; collection can be limited by time duration or number of URLs visited.

ACS generates EDRs that contain HTTP URL and the HTTP referer fields along with other fields.


Example:
The following command defines a rule expression to match the HTTP referer cricket.espn.com:
http referer = cricket.espn.com
http reply code

This command allows you to define rule expressions to match status code associated with HTTP response packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
reply code operator reply_code
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
reply_code

Specifies the HTTP reply code to match.

reply_code must be an integer from 100 through 599.


Usage:

Use this command to define rule expressions to match status code associated with HTTP response codes.


Example:
The following command defines a rule expression to match HTTP response code 204:
http reply code = 204
http request method

This command allows you to define rule expressions to match HTTP request method.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
request method operator request_method
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
request_method

Specifies the HTTP request method to match.

request_method must be one of the following:

  • connect
  • delete
  • get
  • head
  • options
  • post
  • put
  • trace

Usage:

Use this command to define rule expressions to match an HTTP request method.


Example:
The following command defines a rule expression to match user traffic based on HTTP request method connect:
http request method = connect
http session-length

This command allows you to define rule expressions to match HTTP session length.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
session-length operator session_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
session_length

Specifies the HTTP total session length (in bytes) to match.

session_length must be an integer from 1 through 4000000000.


Usage:

Use this command to define rule expressions to match a total HTTP session length.


Example:
The following command defines a rule expression to match an HTTP session length of 200000:
http session-length = 200000
http state

This command allows you to define rule expressions to match current state of an HTTP session.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
state operator current_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
current_state

Specifies the current state of HTTP session to match.

current_state must be one of the following:

  • close: Closed state
  • response-error: Response error state
  • response-ok: Response ok state
  • waiting-for-response: Waiting for response state

Usage:

Use this command to define rule expressions to match a current state of an HTTP session.


Example:
The following command defines a rule expression to match current state close:
http state = close
http transaction-length

This command allows you to define rule expressions to match HTTP transaction length (combined length of one HTTP GET Request message and its associated response messages).

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
transaction-length { operator transaction_length | { { range | !range } range_from to range_to } }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
transaction_length

Specifies the HTTP transaction length (in bytes) to match.

transaction_length must be an integer from 1 through 4000000000.

{ range | !range } range_from to range_to

Enables or disables the range criteria for length of transaction.

  • range: Enables the range criteria for HTTP transaction length.
  • !range: Disables the range criteria for HTTP transaction length.
  • range_from: Specifies the start of range (in bytes) for HTTP transaction length.
  • range_to: Specifies the end of range (in bytes) for HTTP transaction length.

Usage:

Use this command to define rule expressions to match an HTTP transaction length [one HTTP GET Request message + associated response message(s)] in bytes.


Example:
The following command defines a rule expression to match an HTTP transaction length of 10200 bytes:
http transaction-length = 10200
http transfer-encoding

This command allows you to define rule expressions to match the value in HTTP Transfer-Encoding general-header field.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
transfer-encoding [ case-sensitive ] operator transfer_encoding
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
transfer_encoding

Specifies the HTTP transfer encoding to match.

transfer_encoding must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match the value in HTTP Transfer-Encoding general-header field.


Example:
The following command defines a rule expression to match the value chunked in HTTP Transfer-Encoding general-header field:
http transfer-encoding = chunked
http uri

This command allows you to define rule expressions to match HTTP URI.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
uri [ case-sensitive ] operator uri
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
uri

Specifies the HTTP URI to match.

uri must be an alphanumeric string of 1 through 127 characters, and can contain punctuation characters, and excludes the “host” portion.


Usage:

Use this command to define rule expressions to match an HTTP URI, excluding the host portion.


Example:
The following command defines a rule expression to match the HTTP URI string http://www.somehost.com:
http uri = http://www.somehost.com
http url

This command allows you to define rule expressions to match HTTP URL.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
url [ case-sensitive ] operator url
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
url

Specifies the HTTP URL to match.

url must be an alphanumeric string of 1 through 127 characters. that allows punctuation characters and includes “host + URI” for HTTP PDUs.

For example, in case of the URL “http://www.google.fr/”, the host is “http://www.google.fr”, and the URI is “/”:
Hypertext Transfer
Protocol
   GET / HTTP/1.1\r\n
       Request Method:
GET
       Request URI: /
       Request Version:
HTTP/1.1
   Accept: */*\r\n
   Accept-Language:
fr\r\n
   Accept-Encoding:
gzip, deflate\r\n
   User-Agent: Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n
   Host: www.google.fr\r\n
   Connection: Keep-Alive\r\n
   \r\n

Usage:

Use this command to define rule expressions to match HTTP URL.


Example:
The following command defines a rule expression to match the HTTP URL http://rfc.ietf.org/rfc/rfc1738.txt:
http url = http://rfc.ietf.org/rfc/rfc1738.txt
http user-agent

This command allows you to define rule expressions to match the User-Agent request-header field of HTTP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
user-agent [ case-sensitive ] operator user_agent
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
user_agent

Specifies the HTTP user agent value to match.

user_agent must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match value in HTTP user-agent header field.


Example:
The following command defines a rule expression to match xyz.123 in HTTP user-agent header field:
http user-agent = xyz.123
http version

This command allows you to define rule expressions to match version information in HTTP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
version [ case-sensitive ] operator http_version
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
http_version

Specifies this HTTP version value to match.

http_version must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match HTTP version.


Example:
The following command defines a rule expression to match HTTP version http4.2:
http version = http4.2
http x-header

This command allows you to define rule expressions to match specified field within extension-headers (x-headers).

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] http
x-header field_name [ case-sensitive ] operator string
no

If previously configured, deletes the specified rule expression from the current ruledef.

field_name

field_name must be an alphanumeric string of 1 through 31 characters.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
string

Specifies the HTTP x-header value to match.

string must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match specified fields within x-headers. The extension-header can be any header field not specified in RFCs.

All x-header fields must begin with “x-”.


Example:
The following command defines a rule expression to match the extension-header test_field for the value test_string:
http x-header test_field = test_string
icmp any-match

This command allows you to define rule expressions to match all ICMP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] icmp
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all ICMP packets.


Example:
The following command defines a rule expression to match all ICMP packets:
icmp any-match = TRUE
icmp code

This command allows you to define rule expressions to match value in the Code field of ICMP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] icmp
code operator code
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
code

Specifies the ICMP code to match.

code must be an integer from 0 through 255.


Usage:

Use this command to define rule expressions to match a code field of ICMP packets.


Example:
The following command defines a rule expression to match ICMP code 11:
icmp code = 11
icmp type

This command allows you to define rule expressions to match value in Type field of ICMP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] icmp
type operator type
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
type

Specifies the ICMP type to match.

type must be an integer from 0 through 255. For example, 0 for Echo Reply, 3 for Destination Unreachable, and 5 for Redirect.


Usage:

Use this command to define rule expressions to match a type field of ICMP packets.


Example:
The following command defines a rule expression to match user traffic based on ICMP type 3:
icmp type = 3
icmpv6 any-match

This command allows you to define rule expressions to match all ICMPv6 packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] icmpv6
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all ICMPv6 packets.


Example:
The following command defines a rule expression to match all ICMPv6 packets:
icmpv6 any-match = TRUE
icmpv6 code

This command allows you to define rule expressions to match value in Code field of ICMPv6 packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] icmpv6
code operator
code
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
code

Specifies the ICMPv6 code to match.

code must be an integer from 0 through 255.


Usage:

Use this command to define rule expressions to match a code field of ICMPv6 packets.


Example:
The following command defines a rule expression to match ICMPv6 code 134:
icmpv6 code = 134
icmpv6 type

This command allows you to define rule expressions to match type field of ICMPv6 packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] icmpv6
type operator
type
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
type

Specifies the ICMPv6 type to match.

type must be an integer from 0 through 255. For example, 129 for Echo Reply, 3 for Time Exceeded, and 137 for Redirect Message.


Usage:

Use this command to define rule expressions to match type field of ICMPv6 packets.


Example:
The following command defines a rule expression to match ICMPv6 type 133:
icmpv6 type = 133
if-protocol

This command allows you to associate different content IDs with the same ruledef, depending on the protocol being used.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
if-protocol { http | wsp-connection-less | wsp-connection-oriented } content-id content_idno if-protocol { http | wsp-connection-less | wsp-connection-oriented }
no

If previously configured, deletes the specified rule expression from the current ruledef.

http

Specifies HTTP protocol.

This is the same as the rule expression http any-match = true.

wsp-connection-less

Specifies WSP connection-less protocol.

This is the same as requiring “wsp any-match = true” but “wtp any-match = false” (that is, connection-less WAP1.x).

wsp-connection-oriented

Specifies WSP connection-oriented protocol.

This is the same as the combined rule expression “wsp any-match = true” and “wtp any-match = true” (that is, connection-oriented WAP1.x).

content-id content_id

Specifies the content ID for the specified protocol.

In 12.1 and earlier releases, content_id must be an integer from 1 through 65535.


Usage:

Use this command to associate different content IDs with the same ruledef, depending on the protocol being used.

This command is only effective for charging ruledefs. See the rule-application command for information on how to configure charging ruledefs.

If a particular ruledef should have three different values for content-id, depending on whether the traffic is connection-oriented WAP1.x, connection-less WAP1.x, or WAP2.0, within the ruledef we should have configuration similar to the following:

if-protocol wsp-connection-oriented content-id 1

if-protocol wsp-connection-less content-id 2

if-protocol http content-id 3

Presumably, the ruledef would have another configurable like “www url contains foo”, which would cause it to use different content IDs when "foo" was accessed, depending upon the protocol being used.


Example:
The following command associates HTTP protocol and a content ID of 23:
if-protocol http content-id
23 
imap any-match

This command allows you to define rule expressions to match all IMAP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all IMAP packets.


Example:
The following command defines a rule expression to match all IMAP packets:
imap any-match = TRUE
imap cc

This command allows you to define rule expressions to match recipient address in the Carbon Copy (cc) field of e-mails in IMAP messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
cc [ case-sensitive ] operator cc_address
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
cc_address

Specifies the e-mail “cc” address/name to match.

cc_address must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match recipient address in the “cc” field of e-mails in IMAP messages.


Example:
The following command defines a rule expression to match recipient address triangle@xyz.com in the “cc” field of e-mails in IMAP messages:
imap cc contains triangle@xyz.com
imap command

This command allows you to define rule expressions to match embedded IMAP commands in IMAP messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
command operator
command
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
command

Specifies the command to match.

command must be one of the following:

  • append
  • authenticate
  • capability
  • check
  • close
  • copy
  • create
  • delete
  • examine
  • expunge
  • fetch
  • list
  • login
  • logout
  • lsub
  • noop
  • rename
  • search
  • select
  • starttls
  • status
  • store
  • subscribe
  • uid-copy
  • uid-fetch
  • uid-search
  • uid-store
  • unsubscribe

Usage:

Use this command to define rule expressions to match an embedded command in the IMAP message.


Example:
The following command defines a rule expression to match close command in IMAP messages:
imap command = close
imap content class

This command allows you to define rule expressions to match the content-class field of e-mails in IMAP messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
content class [ case-sensitive ] operator content_class
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
content_class

Specifies the content class to match.

content_class must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match the content-class field of e-mails in IMAP messages.


Example:
The following command defines a rule expression to analyze user traffic matching content class javax.mail.internet.MimeMultipart in the content-class field of e-mails in IMAP messages:
imap content class
contains javax.mail.internet.MimeMultipart
imap content type

This command allows you to define rule expressions to match the content-type field of e-mails in IMAP messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
content type [ case-sensitive ] operator content_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
content_type

Specifies the content type field to match.

content_type must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match the content-type field of e-mails in IMAP messages.


Example:
The following command defines a rule expression to analyze user traffic matching content type TEXT/plain; charset=iso-8859-1 in the content-type field of e-mails in IMAP messages:
imap content type
contains TEXT/plain; charset=iso-8859-1
imap date

This command allows you to define rule expressions to match the Date field of e-mails in IMAP messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
date [ case-sensitive ] operator date
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
date

Specifies the date to match.

date must be an alphanumeric string of 1 through 127 characters that may include punctuation marks and spaces as shown in the example below.


Usage:

Use this command to define rule expressions to match the date field of e-mails in IMAP messages.


Example:
The following command defines a rule expression to analyze user traffic matching date Fri, 20 Jan 2012 11:00:00 -0600 in the “date” field of e-mails in IMAP messages:
imap date contains
Fri, 21 Jan 2012 11:00:00 -0600
imap final-reply

This command allows you to define rule expressions to match final-reply value for the last IMAP final-reply message.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
final-reply operator final_reply
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
final_reply

Specifies the “final-reply” condition to match.

final_reply must be one of the following:

  • bad: Final reply is invalid or bad.
  • no: There is no final reply.
  • ok: Final reply is valid.

Usage:

Use this command to define rule expressions to match a final-reply value for the last IMAP final-reply message.


Example:
The following command defines a rule expression to analyze user traffic matching the final-reply condition bad in the last IMAP final-reply message:
imap final-reply = bad
imap from

This command allows you to define rule expressions to match the from field of e-mails in IMAP messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
from [ case-sensitive ] operator from_address
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
from_address

Specifies the “from” address/value to match.

from_address must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to define rule expressions to match the from field of e-mails in IMAP messages.


Example:
The following command defines a rule expression to analyze user traffic matching triangle in the “from” field of e-mails in the IMAP messages:
imap from contains triangle
imap mail-size

This command allows you to define rule expressions to match IMAP e-mail users that have e-mails of a specified size in their mailboxes.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
mail-size operator mail_size
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
mail_size

Specifies the total size of mail, in bytes, to match.

mail_size must be an integer from 0 through 4000000000.


Usage:

Use this command to define rule expressions to discover the number of IMAP e-mail users that have e-mails of a specified size in their mailboxes.


Example:
The following command defines a rule expression to match users with e-mail size less than or equal to 23400 bytes:
imap mail-size <= 23400
imap mailbox-size

This command allows you to define rule expressions to match IMAP e-mail user having a specified number of messages in their mailboxes.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
mailbox-size operator number_of_email
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
number_of_email

Specifies the total number of e-mail messages in mailbox of an IMAP user to match.

number_of_email must be an integer from 0 through 65535.


Usage:

Use this command to define rule expressions to match the number of IMAP e-mail users having a specified number of messages in their mailboxes.


Example:
The following command defines a rule expression to match e-mail users having less than or equal to 1024 e-mail messages in their mailboxes:
imap mailbox-size
<= 1024
imap message-type

This command allows you to define rule expressions to match the type of IMAP packet.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
message-type operator message_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
message_type

Specifies the IMAP packet message-type to match.

message_type must be one of the following:

  • command-continuation-reply: Message with command-continuation-reply type.
  • final-reply: Message is of final reply type.
  • request: There is of request type.
  • untagged-reply: Message of reply type, but without any tag.

Usage:

Use this command to define rule expressions to match the IMAP message type.


Example:
The following command defines a rule expression to match IMAP sessions with message type request:
imap message-type = request
imap previous-state

This command allows you to define rule expressions to match the previous state of IMAP request sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
previous-state operator imap_previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
imap_previous_state

Specifies the previous state to match.

imap_previous_state must be one of the following:

  • init: Message in initialization state.
  • request-sent: Message in request-sent state.

Usage:

Use this command to define rule expressions to match previous state of IMAP request session.


Example:
The following command defines a rule expression to match IMAP sessions with previous state init:
imap previous-state = init
imap session-length

This command allows you to define rule expressions to match the total length of an IMAP session.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
session-length operator session_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
session_length

Specifies the total length of IMAP session (in bytes) to match.

session_length must be an integer from 1 through 4000000000.


Usage:

Use this command to define rule expressions to match the total length of IMAP sessions.

The session length is calculated by adding together the IP payloads (that is, starting after the IP header) of all relevant IMAP session packets.


Example:
The following command defines a rule expression to match IMAP sessions with length less than or equal to 4000 bytes:
imap session-length
<= 4000
imap session-previous-state

This command allows you to define rule expressions to match the previous state of an IMAP session.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
session-previous-state operator imap_session_previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
imap_session_previous_state

Specifies the previous state of IMAP session to match.

imap_session_previous_state must be one of the following:

  • authenticated: Session authenticated
  • connected: Session connected
  • init: Session initialized
  • mailbox-selected: Mailbox selected

Usage:

Use this command to define rule expressions to match the previous state of IMAP sessions.


Example:
The following command defines a rule expression to match IMAP sessions with previous state init:
imap session-previous-state = init
imap session-state

This command allows you to define rule expressions to match the current state of IMAP sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
session-state operator session_current_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
session_current_state

Specifies the current state to match.

session_current_state must be one of the following:

  • authenticated: Session authenticating.
  • connected: Session connecting.
  • logout: Session logged out.
  • mailbox-selected: Mailbox selecting.

Usage:

Use this command to define rule expressions to match the current state of IMAP sessions.


Example:
The following command defines a rule expression to match IMAP sessions with current state connected:
imap session-state = connected
imap state

This command allows you to define rule expressions to match the current state of IMAP sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
state operator current_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
current_state

Specifies current state of IMAP session to match.

current_state must be one of the following:

  • request-sent: Request message sent
  • response-fail: Request response failed
  • response-ok: Request response is good

Usage:

Use this command to define rule expressions to match the current state of IMAP session.


Example:
The following command defines a rule expression to match IMAP sessions with current state response-fail:
imap state = response-fail
imap subject

This command allows you to define rule expressions to match the subject field of e-mails in IMAP messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
subject [ case-sensitive ] operator subject
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
subject

Specifies the “subject” to match.

subject must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters and space as shown in the example below.


Usage:

Use this command to define rule expressions to match “subject” field of e-mail in IMAP message.


Example:
The following command defines rule expression to match occurrence of the string My test in the “subject” field of e-mails in IMAP message:
imap subject contains
My test
imap to

This command allows you to define rule expressions to match the “to” field of e-mails in IMAP messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] imap
to [ case-sensitive ] operator to
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
to

Specifies the “to” field value to match.

to must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match “to” field of e-mails in IMAP messages.


Example:
The following command defines a rule expression to analyze user traffic matching the occurrence xyz.com in the “to” field of e-mails in the IMAP message:
imap to contains xyz.com
ip any-match

This command allows you to define rule expressions to match all IPv4/IPv6 packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match IPv4/IPv6 packets.


Example:
The following command defines a rule expression to match IPv4/IPv6 packets:
ip any-match = TRUE
ip downlink

This command allows you to define rule expressions to match downlink (network to subscriber) packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip
downlink operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match downlink (to subscriber) IP packets.


Example:
The following command defines a rule expression to match IP packet in downlink direction:
ip downlink = TRUE
ip dst-address

This command allows you to define rule expressions to match IP destination address field within IP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip
dst-address { operator { ipv4/ipv6_address | ipv4/ipv6_address/mask  } | { !range | range } host-pool host_pool_name }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator { ipv4/ipv6_address | ipv4/ipv6_address/mask }

operator: Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals

ipv4/ipv6_address: Specifies the IP address of the destination node for outgoing traffic. ipv4/ipv6_address must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

ipv4/ipv6_address/mask: Specifies the IP address of the destination node for outgoing traffic. ipv4/ipv6_address/mask must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation with subnet mask bit. The mask bit is a numeric value which corresponding to the number of bits in the subnet mask.

{ !range | range } host-pool host_pool_name

!range | range: Specifies the range criteria:

  • !range: Not in the range of
  • range: In the range of

host-pool host_pool_name: Specifies the name of the host pool. host_pool_name must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to define rule expressions to match the IP destination address field within IP headers.


Example:
The following command defines a rule expression to match the IPv4 destination address 10.1.1.1:
ip dst-address = 10.1.1.1
ip error

This command allows you to define rule expressions to match user traffic for invalid IP packets and other errors, for example IP header error, while parsing IP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip
error operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match invalid IP packets and any other errors while parsing IP packets.


Example:
The following command defines a rule expression to match user traffic for invalid IP packets and other errors:
ip error = TRUE
ip protocol

This command allows you to define rule expressions to match the protocol field in IP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip
protocol operator { protocol_assignment_no | protocol }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals—available only in 8.1 and later releases
  • =: Equals
  • >=: Greater than or equals—available only in 8.1 and later releases
protocol_assignment_no

Specifies the protocol by assignment number.

protocol_assignment_no must be an integer from 0 through 255.

For example, 1 for ICMP, 6 for TCP, and 17 for UDP.

protocol

Specifies the protocol by name.

protocol must be one of the following:

  • ah
  • esp
  • gre
  • icmp
  • icmpv6
  • tcp
  • udp

Usage:

Use this command to define rule expressions to match protocol field in IP packet headers.


Example:
The following command defines a rule expression to match protocol assignment number 1:
ip protocol = 1
ip server-ip-address

This command allows you to define rule expressions to match the IP address of the destination end of the connection.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip
server-ip-address { operator { ipv4/ipv6_address | ipv4/ipv6_address/mask } | { !range | range } host-pool host_pool_name }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator { ipv4/ipv6_address | ipv4/ipv6_address/mask }

operator: Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals

ipv4/ipv6_address: Specifies the server IP address. For uplink packets (subscriber to network), this field matches the destination IP address in the IP header. For downlink packets (network to subscriber), this field matches the source IP address in the IP header.ipv4/ipv6_address must be an IP address in IPv4 dotted-decimal notation or IPv6 colon-separated-hexadecimal notation.

ipv4/ipv6_address/mask: Specifies the server IP address with subnet mask bit. For uplink packets (subscriber to network), this field matches the destination IP address in the IP header. For downlink packets (network to subscriber), this field matches the source IP address in the IP header. ipv4/ipv6_address/mask must be an IP address in IPv4 dotted-decimal notation or IPv6 colon-separated-hexadecimal notation with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.

{ !range | range } host-pool host_pool_name

!range | range: Specifies the range criteria:

  • !range: Not in the range of
  • range: In the range of

host-pool host_pool_name: Specifies name of the host pool. host_pool_name must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to define rule expressions to match the IP address of the destination end of the connection.

For uplink packets, this field matches the destination IP address in the IP header. For downlink packets, this field matches the source IP address in the IP header.


Example:
The following command defines a rule expression to match user traffic based on IPv4 server address 10.1.1.1:
ip server-ip-address = 10.1.1.1
ip src-address

This command allows you to define rule expressions to match the source IP address field within IP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip
src-address { operator { ipv4/ipv6_address | ipv4/ipv6_address/mask } | { !range | range } host-pool host_pool_name }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator { ipv4/ipv6_address | ipv4/ipv6_address/mask }

operator: Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals

ipv4/ipv6_address: Specifies IP address of the source node for incoming traffic. ipv4/ipv6_address must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

ipv4/ipv6_address/mask: Specifies the IP address of the source node for incoming traffic with subnet mask bit. ipv4/ipv6_address/mask must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation with subnet mask bit. The mask bit is a numeric value which corresponds to the number of bits in the subnet mask.

{ !range | range } host-pool host_pool_name

!range | range: Specifies the range criteria:

  • !range: Not in the range of
  • range: In the range of

host-pool host_pool_name: Specifies name of the host pool. host_pool_name must be a string of 1 through 63 characters.


Usage:

Use this command to define rule expressions to match IP source address field within IP header.


Example:
The following command defines a rule expression to match user traffic based on IPv4 source address 10.1.1.1:
ip src-address = 10.1.1.1
ip subscriber-ip-address

This command allows you to define rule expressions to match the IP address of the subscriber, which will be either the source or destination address depending on the direction.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip
subscriber-ip-address { operator { ipv4/ipv6_address | ipv4/ipv6_address/mask } | { !range | range } host-pool host_pool_name }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator { ipv4/ipv6_address | ipv4/ipv6_address/mask }

operator: Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals

ipv4/ipv6_address: Specifies the subscriber IP address. Depending on the direction of packet this IP address will be either the IP source address or the IP destination address. ipv4/ipv6_address must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

ipv4/ipv6_address/mask: Specifies the subscriber IP address with subnet mask bit. Depending on the direction of packet this IP address will either be the IP source address or the IP destination address. ipv4/ipv6_address/mask must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation with subnet mask bit. The mask bit is a numeric value which corresponds to the number of bits in the subnet mask.

{ !range | range } host-pool host_pool_name

!range | range: Specifies the range criteria:

  • !range: Not in the range of
  • range: In the range of

host-pool host_pool_name: Specifies the name of the host pool. host_pool_name must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to define rule expressions to match the IP address of the subscriber, which will be either the source or destination address depending on the direction.


Example:
The following command defines a rule expression to match user traffic based on subscriber IPv4 address 10.1.1.1:
ip subscriber-ip-address = 10.1.1.1 
ip total-length

This command allows you to define rule expressions to match the total length field in IP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip
total-length operator total_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
total_length

Specifies the total length of the IP packet (including payload) to match.

total_length must be an integer from 0 through 4096.


Usage:

Use this command to define rule expressions to match the total length field in IP headers.


Example:
The following command defines a rule expression to match user traffic based on IP total length of 2000 bytes:
ip total-length = 2000
ip uplink

This command allows you to define rule expressions to match uplink (subscriber to network) IP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip
uplink operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match uplink (subscriber to network) IP packets.


Example:
The following command defines a rule expression to match uplink packets:
ip uplink = TRUE
ip version

This command allows you to define rule expressions to match the version number in IP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip
version operator ip_version
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be = (equals).

ip_version

Specifies the IP version to match.

ip_version must be one of the following:

  • ipv4
  • ipv6

Usage:

Use this command to define rule expressions to match version number in IP header.


Example:
The following command defines a rule expression to match user traffic for the IP version ipv6:
ip version = ipv6
mms any-match

This command allows you to define rule expressions to match all Multimedia Messenging Service (MMS) packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all MMS packets.


Example:
The following command defines a rule expression to match all MMS packets:
mms any-match = TRUE
mms bcc

This command allows you to define rule expressions to match recipient addresses in the bcc field of MMS messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
bcc [ case-sensitive ] operator bcc_address
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
bcc_address

Specifies the “bcc” address/value to match.

bcc_address must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters and space.


Usage:

Use this command to define rule expressions to match recipient address in the “bcc” field of MMS messages.


Example:
The following command defines a rule expression to match recipient address containing test1 in “bcc” field of MMS messages:
mms bcc contains test1
mms cc

This command allows you to define rule expressions to match recipient addresses in the cc field of MMS messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
cc [ case-sensitive ] operator cc_address
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
cc_address

Specifies the “cc” address/value to match.

cc_address must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters and space.


Usage:

Use this command to define rule expressions to match recipient addresses in “cc” field of MMS messages.


Example:
The following command defines a rule expression to match recipient address containing test1 in the “cc” field of MMS messages:
mms cc contains test1
mms content location

This command allows you to define rule expressions to match the content-location field of MMS messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
content location [ case-sensitive ] operator string
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
string

Specifies the value to match.

string must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters and space.


Usage:

Use this command to define rule expressions to match the content-location field of MMS messages.


Example:
The following command defines a rule expression to match test1 in content-location field of MMS messages:
mms content location
contains test1
mms content type

This command allows you to define rule expressions to match the content-type field of MMS messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
content type [ case-sensitive ] operator content_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
content_type

Specifies the MMS content type to match.

content_type must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters and space.


Usage:

Use this command to define rule expressions to match content-type field of MMS messages.


Example:
The following command defines a rule expression to match image in content-type field of MMS messages:
mms content type contains image
mms downlink

This command allows you to define rule expressions to match downlink (network to subscriber) MMS packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
downlink operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the downlink (from the Mobile Node direction) status to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match downlink MMS packets.


Example:
The following command defines a rule expression to match all downlink MMS packets:
mms downlink = TRUE
mms from

This command allows you to define rule expressions to match the “from” field in MMS messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
from [ case-sensitive ] operator from_address
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
from_address

Specifies the “from” address/value to match.

from_address must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters and space.


Usage:

Use this command to define rule expressions to match the “from” field of MMS messages.


Example:
The following command defines a rule expression to match test1 in the “from” field of MMS messages:
mms from contains test1
mms message-id

This command allows you to define rule expressions to match the message ID field of MMS messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
message-id [ case-sensitive ] operator message_id
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
message_id

Specifies the MMS message ID to match.

message_id must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match the “message ID” field of MMS messages.


Example:
The following command defines a rule expression to match test1 in the “message ID” field of MMS messages:
mms message-id contains test1
mms pdu-type

This command allows you to define rule expressions to match Protocol Data Unit (PDU) type in the current MMS packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
pdu-type operator
pdu_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
pdu_type

Specifies the MMS PDU type to match.

pdu_type must be one of the following:

  • mms-pdu-type-m-acknowledge-ind
  • mms-pdu-type-m-delivery-ind
  • mms-pdu-type-m-http-get
  • mms-pdu-type-m-notification-ind
  • mms-pdu-type-m-notify-rsp-ind
  • mms-pdu-type-m-retrieve-conf
  • mms-pdu-type-m-send-conf
  • mms-pdu-type-m-send-request
  • mms-pdu-type-m-wsp-get
  • mms-pdu-type-response: This option is deprecated. Use the mms_pdu_type_m_retrieve_conf option instead.

Usage:

Use this command to define rule expressions to match the PDU type in the current MMS packet.


Example:
The following command defines a rule expression to match PDU type mms-pdu-type-m-http-get in the current MMS packet:
mms pdu-type = mms-pdu-type-m-http-get
mms previous-state

This command allows you to define rule expressions to match the previous state of MMS sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
previous-state operator mss_previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
mms_previous_state

Specifies the previous state to match.

mms_previous_state must be one of the following:

  • delayed-ack-pending: This option is deprecated, use retrieve-conf-received.
  • delayed-m-notify-rsp-sent: This option is deprecated, use notify-rsp-sent.
  • delayed-retrieval-pending: This option is deprecated, use retrieval-pending.
  • immediate-retrieval-pending: This option is deprecated, use retrieval-pending.
  • init
  • m-send-conf-rcvd: This option is deprecated, use send-success.
  • m-send-req-sent
  • notification-ind-rcvd
  • notify-rsp-sent
  • retrieval-pending
  • retrieve-conf-received
  • send-success

Usage:

Use this command to define rule expressions to match the previous state of MMS sessions.


Example:
The following command defines a rule expression to match user traffic based on MMS previous state of retrieval-pending:
mms previous-state = retrieval-pending
mms response status

This command allows you to define rule expressions to match the response status code of MMS messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
response status operator status_code
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
status_code

Specifies the status code to match.

status_code must be an integer from 128 through 136.


Usage:

Use this command to define rule expressions to match response status code of MMS messages.


Example:
The following command defines a rule expression to match user traffic based on MMS response status code 129:
mms response status = 129
mms state

This command allows you to define rule expressions to match the current state of MMS sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
state operator current_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
current_state

Specifies current state of MMS session to match.

current_state must be one of the following:

  • delayed-ack-pending: This option is deprecated, use retrieve-conf-received.
  • delayed-m-notify-rsp-sent: This option is deprecated, use notify-rsp-sent.
  • delayed-retrieval-pending: This option is deprecated, use retrieval-pending.
  • delivery-failed
  • delivery-success
  • immediate-retrieval-pending: This option is deprecated, use retrieval-pending.
  • m-send-conf-rcvd: This option is deprecated, use send-success.
  • m-send-req-sent
  • notification-ind-rcvd
  • notify-rsp-sent
  • retrieval-failed
  • retrieval-pending
  • retrieval-success
  • retrieve-conf-received
  • send-success

Usage:

Use this command to define rule expressions to match the current state of MMS session.


Example:
The following command defines a rule expression to match user traffic based on the current state of MMS session as retrieval-failed:
mms state = retrieval-failed
mms status

This command allows you to define rule expressions to match the current status of MMS sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
status operator status
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
status

Specifies the MMS status to match.

status must be an integer from 128 through 132.


Usage:

Use this command to define rule expressions to match current status of MMS sessions.


Example:
The following command defines a rule expression to match user traffic based on MMS current status 130:
mms status = 130
mms subject

This command allows you to define rule expressions to match the “subject” field of MMS messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
subject [ case-sensitive ] operator subject_string
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
subject_string

Specifies the value to match.

subject_string must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters and space.


Usage:

Use this command to define rule expressions to match “subject” field of MMS messages.


Example:
The following command defines a rule expression to match test1 in the “subject” field of MMS messages:
mms subject contains test1
mms tid

This command allows you to define rule expressions to match the “Transaction Identifier” (TID) field of MMS messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
tid [ case-sensitive ] operator transaction_id
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
transaction_id

Specifies the MMS TID to match.

transaction_id must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match TID field of MMS messages.


Example:
The following command defines a rule expression to match test in TID field of MMS messages:
mms tid = test
mms to

This command allows you to define rule expressions to match the “to” field of MMS messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
to [ case-sensitive ] operator to_address
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
to_address

Specifies the “to” address/name to match.

to_address must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters and space.


Usage:

Use this command to define rule expressions to match “to” field of MMS messages.


Example:
The following command defines a rule expression to match user traffic based on test in “to” field of MMS messages:
mms to = test
mms uplink

This command allows you to define rule expressions to match uplink (subscriber to network) MMS packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
uplink operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the uplink (from the Mobile Node direction) status to match.

condition must one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match uplink MMS packets.


Example:
The following command defines a rule expression to match uplink MMS packets:
mms uplink = TRUE
mms version

This command allows you to define rule expressions to match the MMS version in MMS packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] mms
version operator version
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
version

Specifies the MMS version to match.

version must be an integer from 1 through 65535.

IMPORTANT:

MMS protocol analyzer supports decoding of only MMS version 1.0.


Usage:

Use this command to define rule expressions to match MMS version in MMS packets.


Example:
The following command defines a rule expression to match MMS version 1.0 in MMS packets:
mms version = 1
multi-line-or all-lines

This command applies the OR operator to all lines in the current ruledef.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] multi-line-or
all-lines
no

If previously configured, deletes this configuration in the current ruledef.

multi-line-or all-lines

Applies the OR operator to all lines in the current ruledef.


Usage:

When a ruledef is evaluated, if the multi-line-or all-lines command is configured, the logical OR operator is applied to all the rule expressions in the ruledef to decide if the ruledef matches or not. If the multi-line-or all-lines command is not configured, the logical AND operator is applied to all the rule expressions.

The intent of this command is to allow a single ruledef to specify multiple URL expressions. Otherwise, multiple ruledefs need to be created, each with one URL expression. When this CLI command is used, each expression in the ruledef impacts the total number of ruledefs allowed. So from a “maximum number of possible ruledefs” perspective, it makes no difference whether there are N ruledefs with one expression each, or one ruledef with N expressions.

p2p any-match

This command allows you to define rule expressions to match all Peer-to-Peer (P2P) packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] p2p
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • TRUE: The rule matches any P2P traffic.
  • FALSE: The rule does not match any P2P traffic.

Usage:

Use this command to define rule expressions to match all P2P packets.


Example:
The following command defines a rule expression to match all P2P packets:
p2p any-match = TRUE
p2p protocol

This command allows you to define rule expressions to match P2P protocol. This command must be used for charging purposes. It must not be used for detection purposes.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] p2p
protocol operator
protocol
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be = (equals).

protocol

Specifies the protocol to match.

protocol must be one of the following:

  • actsync
  • aimini
  • applejuice
  • ares
  • armagettron
  • battlefld
  • bittorrent
  • blackberry
  • citrix
  • clubpenguin
  • crossfire
  • ddlink
  • directconnect
  • dofus
  • edonkey
  • facebook
  • facetime

    IMPORTANT:

    The facetime protocol is available only in 9.0 and in 11.0 and later releases.

  • fasttrack
  • feidian
  • fiesta
  • filetopia
  • florensia
  • freenet
  • fring
  • funshion
  • gadugadu
  • gamekit

    IMPORTANT:

    The gamekit protocol is available only in 9.0 and in 11.0 and later releases.

  • gmail
  • gnutella
  • gtalk
  • guildwars
  • halflife2
  • hamachivpn
  • iax
  • icecast
  • imesh
  • iptv
  • irc
  • isakmp
  • iskoot
  • itunes
  • jabber
  • kontiki
  • manolito
  • maplestory
  • meebo
  • mgcp
  • msn
  • mute
  • myspace
  • nimbuzz
  • octoshape
  • off
  • oovoo
  • openft
  • orb
  • oscar
  • paltalk
  • pando
  • pandora
  • popo
  • pplive
  • ppstream
  • ps3
  • qq
  • qqgame
  • qqlive
  • quake
  • rdp
  • rfactor
  • rmstream
  • scydo
  • secondlife
  • shoutcast
  • skinny
  • skype
  • slingbox
  • sopcast
  • soulseek
  • splashfighter
  • ssdp
  • stealthnet
  • steam
  • stun
  • teamspeak
  • teamviewer
  • thunder
  • tor
  • truphone
  • tvants
  • tvuplayer
  • twitter
  • uusee
  • veohtv
  • viber
  • vpnx
  • vtun
  • warcft3
  • whatsapp
  • wii
  • winmx
  • winny
  • wmstream
  • wofkungfu
  • wofwarcraft
  • xbox
  • xdcc
  • yahoo
  • yourfreetunnel
  • zattoo

Usage:

Use this command to define rule expressions to detect P2P protocols for charging purposes. For detection purposes use the p2p-detection protocol command in the ACS Configuration Mode.


Example:
The following command specifies to detect orb protocol for charging purposes:
p2p protocol = orb
p2p traffic-type

This command allows you to define rule expressions to match traffic type—audio, video, and unclassified.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] p2p
traffic-type operator traffic_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
traffic_type

Specifies the traffic type to match.

In 11.0 and later releases, traffic_type must be one of the following:

  • audio
  • unclassified
  • video

In 10.0 and earlier releases, traffic_type must be voice.


Usage:

Use this command to configure the system to detect voice or non-voice P2P traffic. When the detection of a protocol is enabled then the detection of sub-type is enabled by default.


Example:
The following command configures the system to detect video traffic:
p2p traffic-type = video
pop3 any-match

This command allows you to define rule expressions to match all Post Office Protocol 3 (POP3) packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pop3
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all POP3 packets.


Example:
The following command defines a rule expression to match all POP3 packets:
pop3 any-match = TRUE
pop3 command args

This command allows you to define rule expressions to match POP3 command arguments.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pop3
command args [ case-sensitive ] operator argument
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
argument

Specifies the command argument to match.

argument must be an alphanumeric string of 1 through 40 characters, and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match POP3 command argument.


Example:
The following command defines a rule expression to match POP3 command argument test:
pop3 command args = test

pop3 command id

This command allows you to define rule expressions to match POP3 command ID.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pop3
command id operator command_id
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
command_id

Specifies the command ID to match.

command_id must be an integer from 1 through 12.


Usage:

Use this command to define rule expressions to match a POP3 command ID.


Example:
The following command defines a rule expression to match POP3 command ID 8:
pop3 command id = 8
pop3 command name

This command allows you to define rule expressions to match command sent within a POP3 packet.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pop3
command name operator command_name
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
command_name

Specifies the command name to match.

command_name must be one of the following:

  • apop
  • dele
  • list
  • noop
  • pass
  • quit
  • retr
  • reset
  • stat
  • top
  • uidl
  • user

Usage:

Use this command to define rule expressions to match commands sent within POP3 packets.


Example:
The following command defines a rule expression to match the list command sent in POP3 packets:
pop3 command name = list
pop3 mail-size

This command allows you to define rule expressions to match POP3 mail size.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pop3
mail-size { operator mail_size | { range | !range } range_from to range_to }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
{ range | !range } range_from to range_to

Enables or disables the range criteria.

  • range: Enables the range criteria.
  • !range: Disables the range criteria.
  • range_from: Specifies start of the range.range_from must be an integer from 1 through 4000000000.
  • range_to: Specifies the end range.range_to must be an integer from 1 through 4000000000, and must be greater than range_from.
mail_size

Specifies the mail size to match.

mail_size must be an integer from 1 through 4000000000.


Usage:

Use this command to define rule expressions to match POP3 mail size.


Example:
The following command defines a rule expression to match POP3 mail size of 40000:
pop3 mail-size = 40000
pop3 pdu-length

This command allows you to define rule expressions to match the Protocol Data Unit (PDU) length of POP3 packets equal to the POP3 header plus POP3 payload.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pop3
pdu-length { operator pdu_length | { { range | !range } range_from to range_to } }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
{ range | !range } range_from to range_to

Enables or disables the range criteria.

  • range: Enables the range criteria.
  • !range: Disables the range criteria.
  • range_from: Specifies the start of range as an integer from 0 through 65535.
  • range_to: Specifies the end range. range_to must be an integer from 0 through 65535, and must be greater than range_from.
pdu_length

Specifies the POP3 PDU length to match.

pdu_length must be an integer from 0 through 65535.


Usage:

Use this command to define rule expressions to match POP3 PDU length (header + payload) in bytes.


Example:
The following command defines a rule expression to match PDU length of 1000 bytes:
pop3 pdu-length = 1000
pop3 pdu-type

This command allows you to define rule expressions to match POP3 Protocol Data Unit (PDU) type.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pop3
pdu-type operator
pdu_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
pdu_type

Specifies the POP3 PDU type to match.

pdu_type must be one of the following:

  • command-packet
  • data-packet
  • relay-packet

Usage:

Use this command to define rule expressions to match POP3 PDU type.


Example:
The following command defines a rule expression to match POP3 PDU type relay-packet:
pop3 pdu-type = relay-packet
pop3 previous-state

This command allows you to define rule expressions to match the previous state of POP3 sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pop3
previous-state operator pop3_previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
pop3_previous_state

Specifies the previous state to match.

pop3_previous_state must be one of the following:

  • connected: Connected state
  • data transaction: Data transaction state
  • init: Initialized state
  • reply-error: Reply error state
  • reply-ok: Response ok state
  • waiting-for-reply: Waiting for reply state

Usage:

Use this command to define rule expressions to match a POP3 previous state.


Example:
The following command defines a rule expression to match user traffic for a POP3 previous state of connected:
pop3 previous-state = connected
pop3 reply args

This command allows you to define rule expressions to match specified arguments with POP3 reply.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pop3
reply args [ case-sensitive ] operator argument
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
argument

Specifies the reply argument to match.

In 11.0 and earlier releases, argument must be an alphanumeric string of 1 through 512 characters, and may contain punctuation characters.

In 12.0 and later releases, argument must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match specified arguments within a POP3 reply.


Example:
The following command defines a rule expression to match the argument test with POP3 replies:
pop3 reply args = test
pop3 reply id

This command allows you to define rule expressions to match POP3 reply ID.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pop3
reply id operator
reply_id
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
reply_id

Specifies the POP3 reply ID to match.

reply_id must be one of the following:

  • 0: Unknown reply
  • 1: +OK
  • 2: -Error

Usage:

Use this command to define rule expressions to match POP3 reply ID.


Example:
The following command defines a rule expression to match POP3 reply ID of 2:
pop3 reply id = 2
pop3 reply status

This command allows you to define rule expressions to match POP3 reply status.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pop3
reply status operator reply_status
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
reply_status

Specifies the reply status to match.

reply_status must be one of the following:

  • +OK: Reply OK
  • -ERR: Reply error

Usage:

Use this command to define rule expressions to match POP3 reply status.


Example:
The following command defines a rule expression to match POP3 reply status +OK:
pop3 reply status = +OK
pop3 session-length

This command allows you to define rule expressions to match POP3 session-length.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pop3
session-length { operator session_length | { range | !range } range_from to range_to }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
session_length

Specifies the POP3 session length to match.

session_length must be an integer from 1 through 4000000000.

{ range | !range } range_from to range_to

Enables or disables the range criteria for PoP3 session length.

  • range: Enables the range criteria for POP3 session length.
  • !range: Disables the range criteria for POP3 session length.
  • range_from: Specifies the start of range of POP3 session as an integer from 1 through 4000000000, but less than or equal to range_to.
  • range_to: Specifies the end of range of POP3 session as an integer from 1 through 4000000000, but greater than or equal to range_from.

Usage:

Use this command to define rule expressions to match the total length of POP3 sessions.


Example:
The following command defines a rule expression to match a POP3 session length of 40000:
pop3 session-length = 40000
pop3 state

This command allows you to define rule expressions to match the current state of POP3 sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pop3
state operator current_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
current_state

Specifies the current state to match.

current_state must be one of the following:

  • close
  • connected
  • data-transaction
  • reply-error
  • reply-ok
  • waiting-for-reply

Usage:

Use this command to define rule expressions to match the current state of POP3 sessions.


Example:
The following command defines a rule expression to match the POP3 current state close:
pop3 state = close
pop3 user-name

This command allows you to define rule expressions to match POP3 user name.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pop3
user-name [ case-sensitive ] operator user_name
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
user_name

Specifies the POP3 user name to match.

user_name must be an alphanumeric string of 1 through 64 characters, and may contain punctuation characters and space.


Usage:

Use this command to define rule expressions to match POP3 user name.


Example:
The following command defines a rule expression to match POP3 user name test:
pop3 user-name = test
pptp any-match

This command allows you to defines a rule expression to match all Point-to-Point Tunneling Protocol (PPTP) packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pptp
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to specify a ruledef to analyze user traffic based on the PPTP any match status.


Example:
The following command creates a PPTP ruledef for analyzing user traffic using a PPTP any match status of FALSE:
pptp any-match = FALSE
pptp ctrl-msg-type

This command allows you to define rule expressions to match control message type in PPTP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pptp
ctrl-msg-type = message_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

message_type

message_type must be one of the following:

  • call-clear-request
  • call-disconnect-notify
  • echo-reply
  • echo-request
  • incoming-call-connected
  • incoming-call-reply
  • incoming-call-request
  • outgoing-call-reply
  • outgoing-call-request
  • set-link-info
  • start-control-connection-reply
  • start-control-connection-request
  • stop-control-connection-reply
  • stop-control-connection-request
  • wan-error-notify

Usage:

Use this command to define rule expressions to match the control message type in PPTP packets.


Example:
The following command specifies to match echo-reply message type:
pptp ctrl-msg-type = echo-reply
pptp gre any-match

This command allows you to define rule expressions to match all PPTP Generic Routing Encapsulation (GRE) packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] pptp
gre any-match = condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

condition

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all PPTP GRE packets.


Example:
The following command defines a rule expression to match all PPTP GRE packets:
pptp gre any-match = TRUE
rtcp any-match

This command allows you to define rule expressions to match all Real-Time Transport Control Protocol (RTCP) packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtcp
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • TRUE: The rule matches any RTCP traffic.
  • FALSE: The rule does not match any RTCP traffic.

Usage:

Use this command to define rule expressions to match all RTCP packets.


Example:
The following command defines a rule expression to match all RTCP packets:
rtcp any-match = TRUE
rtcp jitter

This command allows you to define rule expressions to match the jitter parameter in RTCP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtcp
jitter operator
jitter
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
jitter

Specifies the RTCP inter-arrival jitter value (in milliseconds) to match.

jitter must be an integer from 0 through 4294967295.


Usage:

Use this command to define rule expressions to match jitter parameter found in the RTCP sender report or receiver report packets.


Example:
The following command matches packets for jitter greater than or equal to 1295 milliseconds:
rtcp jitter >= 1295
rtcp parent-proto

This command allows you to define rule expressions to match the parent protocol of the RTCP flow.

IMPORTANT:

This command is available only in 8.1 and 9.0 and later releases.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtcp
parent-proto operator parent_protocol
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
parent_protocol

Specifies the RTCP parent protocol to match.

parent_protocol must be one of the following:

  • rtsp: Real Time Streaming Protocol
  • sip: Session Initiation Protocol

Usage:

Use this command to define rule expressions to match user traffic based on the parent protocol of the RTCP flow.


Example:
The following command defines a rule expression to match user traffic based on SIP being the parent protocol of the RTCP flow:
rtcp parent-proto = sip
rtcp pdu-length

This command allows you to define rule expressions to match Protocol Data Unit (PDU) length of RTCP packets, (RTCP header + RTCP payload).

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtcp
pdu-length operator pdu_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
pdu_length

Specifies the RTCP length (in bytes) to match.

In 8.1 and later releases, pdu_length must be an integer from 1 through 65535.

In 8.0, pdu_length must be an integer from 1 through 2000.


Usage:

Use this command to define rule expressions to match RTCP PDU length (header + payload) in bytes.


Example:
The following command defines a rule expression to match user traffic based on an RTCP PDU length of 10000 bytes:
rtcp pdu-length = 10000
rtcp rtsp-id

This command allows you to define rule expressions to match user traffic based on a Real-time Streaming Protocol (RTSP) ID associated with an RTCP flow.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtcp
rtsp-id [ case-sensitive ] operator rtsp_id
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
rtsp_id

Specifies the value to match.

rtsp_id must be an alphanumeric string of 1 through 32 characters.


Usage:

Use this command to define rule expressions to match an RTSP ID associated with an RTCP flow.


Example:
The following command defines a rule expression to match user traffic containing RTSP message ID of test1:
rtcp rtsp-id contains test1
rtcp session-length

This command allows you to define rule expressions to match the total length of RTCP sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtcp
session-length operator session_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
session_length

Specifies the RTCP total session length (in bytes) to match.

In 8.1 and later releases, session_length must be an integer from 1 through 4000000000.

In 8.0, session_length must be an integer from 1 through 40000000.


Usage:

Use this command to define rule expressions to match RTCP total session length.


Example:
The following command defines a rule expression to match user traffic for a total RTCP session length of 200000:
rtcp session-length = 200000
rtcp uri

This command allows you to define rule expressions to match URI associated with RTCP flows.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtcp
uri [ case-sensitive ] operator uri
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
uri

Specifies the URI to match.

uri must be an alphanumeric string of 1 through 127 characters and may include punctuation characters.


Usage:

Use this command to define rule expressions to match URI associated with RTCP flow.


Example:
The following command defines a rule expression to match user traffic for RTCP URI rtsp://www.example.org:
rtcp uri = rtsp://www.example.org
rtp any-match

This command allows you to define rule expressions to match all Real-time Transport Protocol (RTP) packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtp
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all RTP packets.


Example:
The following command defines a rule expression to match all RTP packets:
rtp any-match = TRUE
rtp parent-proto

This command allows you to define rule expressions to match the parent protocol of the RTP flow.

IMPORTANT:

This command is available only in 8.1 and in 9.0 and later releases.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtp
parent-proto operator parent_protocol
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
parent_protocol

Specifies the RTP parent protocol to match.

parent_protocol must be one of the following:

  • rtsp: Real Time Streaming Protocol
  • sip: Session Initiation Protocol

Usage:

Use this command to define rule expressions to match user traffic based on the parent protocol of the RTP flow.


Example:
The following command defines a rule expression to match user traffic with parent protocol of the RTP flow being SIP:
rtp parent-proto = sip
rtp pdu-length

This command allows you to define rule expressions to match PDU length of RTP packets, equal to the RTP header + RTP payload.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtp
pdu-length operator pdu_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
pdu_length

Specifies the RTP PDU length (in bytes) to match.

In 8.1 and later releases, pdu_length must be an integer from 1 through 65535.

In 8.0, pdu_length must be an integer from 1 through 2000.


Usage:

Use this command to define rule expressions to match PDU length (header + payload) of RTP packets in bytes.


Example:
The following command defines a rule expression to match an RTP PDU length of 1000 bytes:
rtp pdu-length = 1000
rtp rtsp-id

This command allows you to define rule expressions to match RTSP ID associated with RTP flows.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtp
rtsp-id [ case-sensitive ] operator rtsp_id
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
rtsp_id

Specifies the RTSP ID to match.

rtsp_id must be an alphanumeric string of 1 through 32 characters.


Usage:

Use this command to define rule expressions to match RTSP ID associated with RTP flows.


Example:
The following command defines a rule expression to match RTSP message ID of test1:
rtp rtsp-id contains test1
rtp session-length

This command allows you to define rule expressions to match the total length of RTP sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtp
session-length operator session_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
session_length

Specifies the RTP total session length (in bytes) to match.

In 8.1 and later releases, session_length must be an integer from 1 through 4000000000.

In release 8.0, session_length must be an integer from 1 through 40000000.


Usage:

Use this command to define rule expressions to match the RTP total session length. The session-length is calculated by adding together the “rtp pdu-length” values of all relevant packets.


Example:
The following command defines a rule expression to match a total RTP session length of 200000:
rtp session-length = 200000
rtp uri

This command allows you to define rule expressions to match the media URI associated with RTP flows.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtp
uri [ case-sensitive ] operator uri
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
uri

Specifies the RTP URI to match.

uri must be an alphanumeric string of 1 through 127 characters. uri allows punctuation characters and excludes the “host” portion.


Usage:

Use this command to define rule expressions to match media URI associated with RTP flow.


Example:
The following command defines a rule expression to match the RTP URI string rtsp://www.example.org:
rtp uri = rtsp://www.example.org
rtsp any-match

This command allows you to define rule expressions to match all Real Time Streaming Protocol (RTSP) packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all RTSP packets.


Example:
The following command defines a rule expression to match all RTSP packets:
rtsp any-match = TRUE
rtsp content length

This command allows you to define rule expressions to match the content length field in RTSP header.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
content length operator content_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
content_length

Specifies the content length (in bytes) to match.

content_length must be an integer from 0 through 65535.


Usage:

Use this command to define rule expressions to match “content length” field in RTSP headers.


Example:
The following command defines a rule expression to match content length of 10000 in RTSP headers:
rtsp content length = 10000
rtsp content type

This command allows you to define rule expressions to match the content type field in RTSP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
content type [ case-sensitive ] operator content_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
content_type

Specifies the content type to match.

content_type must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match “content type” field in RTSP headers.


Example:
The following command defines a rule expression to match RTSP content type abc100:
rtsp content type = abc100
rtsp date

This command allows you to define rule expressions to match the date field in the RTSP message headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
date [ case-sensitive ] operator date
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
date

Specifies the date in RTSP header to match.

date must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match the “date” field in the RTSP message headers.


Example:
The following command defines a rule expression to match the date 12_04_2006 in RTSP message headers:
rtsp date = 12_04_2006
rtsp previous-state

This command allows you to define rule expressions to match the previous state of RTSP sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
previous-state operator rtsp_previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
rtsp_previous_state

Specifies the previous state to match.

rtsp_previous_state must be one of the following:

  • init
  • open
  • play
  • ready
  • record

Usage:

Use this command to define rule expressions to match the previous state of RTSP sessions.


Example:
The following command defines a rule expression to match RTSP previous state ready:
rtsp previous-state = ready
rtsp reply code

This command allows you to define rule expressions to match the return code in RTSP responses.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
reply code operator reply_code
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
reply_code

Specifies the RTSP reply code to match.

reply_code must be an integer from 100 through 599.


Usage:

Use this command to define rule expressions to match the return code in RTSP response.


Example:
The following command defines a rule expression to match RTSP return code 302:
rtsp reply code = 302
rtsp request method

This command allows you to define rule expressions to match the method in RTSP responses.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
request method operator request_method
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
request_method

Specifies the RTSP request method to match.

request_method must be one of the following requests:

  • announce
  • describe
  • get-parameter
  • options
  • pause
  • play
  • record
  • redirect
  • set-parameter
  • setup
  • teardown

Usage:

Use this command to define rule expressions to match the method in RTSP responses.


Example:
The following command defines a rule expression to match RTSP request method announce:
rtsp request method = announce
rtsp request packet

This command allows you to define rule expressions to match all RTSP request messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
request packet operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • TRUE: Is request
  • FALSE: Is response

Usage:

Use this command to define rule expressions to match all RTSP request messages.


Example:
The following command defines a rule expression to match all RTSP request messages:
rtsp request packet = TRUE
rtsp rtp-seq

This command allows you to define rule expressions to match the “seq” field in the RTP-Info header of RTSP responses.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
rtp-seq operator sequence_number
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
sequence_number

Specifies the sequence number in the RTSP RTP-Info field to match.

sequence_number must be an alphanumeric string of 0 through 65535 characters in Normal Play Time (NPT) time format.


Usage:

Use this command to define rule expressions to match user traffic matching the “seq” field in the RTP-Info header of RTSP response for a PLAY request.


Example:
The following command defines a rule expression to match user traffic based on RTP-seq number npt-12:34:59:
rtsp rtp-seq = npt-12:34:59
rtsp rtp-time

This command allows you to define rule expressions to match the “time” field in RTP-Info header of RTSP responses.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
rtp-time operator
time
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
time

Specifies the time to match.

time must be an alphanumeric string of 1 through 2147483647 characters in Normal Play Time (NPT) time format.


Usage:

Use this command to define rule expressions to match the “time” field in the RTP-Info header of RTSP response for a PLAY request.


Example:
The following command defines a rule expression to match RTP timestamp of 20120123T153600Z:
rtsp rtp-time = 20120123T153600Z
rtsp rtp-uri

This command allows you to define rule expressions to match the URI field in the RTP-Info header of RTSP responses.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
rtp-uri [ case-sensitive ] operator uri
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
uri

Specifies the value to match with the URI in RTP-Info header of the RTSP message.

uri must be an alphanumeric string of 1 through 127 characters. uri allows punctuation characters and excludes the “host” portion.


Usage:

Use this command to define rule expressions to match the URI field in the RTP-Info header of the RTSP response for a PLAY request.


Example:
The following command defines a rule expression to match user traffic based on RTP-URI string rtsp://www.foo.com in the RTP-info header of RTSP packet:
rtsp rtp-uri = rtsp://www.foo.com
rtsp session-id

This command allows you to define rule expressions to match the session ID in RTSP messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
session-id [ case-sensitive ] operator session_id
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
session_id

Specifies the session ID to match.

session_id must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to define rule expressions to match the session ID in RTSP messages.


Example:
The following command defines a rule expression to match the RTSP session ID 0123abc100:
rtsp session-id = 0123abc100
rtsp session-length

This command allows you to define rule expressions to match the total length of RTSP sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
session-length operator session_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
session_length

Specifies the RTSP session length (in bytes) to match.

session_length must be an integer from 1 through 40000000.


Usage:

Use this command to define rule expressions to match the total length of RTSP sessions. That is, the sum of the “rtsp pdu-length” values of all relevant packets.


Example:
The following command defines a rule expression to match RTSP session length of 3000000 bytes:
rtsp session-length = 3000000
rtsp state

This command allows you to define rule expressions to match the current state of RTSP sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
state operator current_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
current_state

Specifies the current state to match.

current_state must be one of the following:

  • end
  • init
  • open
  • play
  • ready
  • record

Usage:

Use this command to define rule expressions to match the current state of RTSP sessions.


Example:
The following command defines a rule expression to match RTSP current state init:
rtsp state = init
rtsp uri

This command allows you to define rule expressions to match URI in RTSP request message.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
uri [ case-sensitive ] operator uri
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
uri

Specifies the URI to match.

uri must be an alphanumeric string of 1 through 127 characters. uri allows punctuation characters and excludes the “host” portion.


Usage:

Use this command to define rule expressions to match URI in RTSP request.


Example:
The following command defines a rule expression to match user traffic based on RTSP URI rtsp://www.example.com:554/twister/audiotrack:
rtsp uri = rtsp://www.example.com:554/twister/audiotrack
rtsp uri sub-part

This command allows you to define rule expressions to match user traffic by parsing sub-parts of the URI in an RTSP request message.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
uri sub-part { { absolute-path | host | query } [ case-sensitive ] operator string | port { port_operator
port_value | { range | !range } range_from to range_to } }
no

If previously configured, deletes the specified rule expression from the current ruledef.

absolute-path

Specifies the absolute path matching criteria to RTSP URI in an RTSP request message.

host

Specifies the host name matching criteria to RTSP URI in an RTSP request message.

query

Specifies the query string matching criteria to RTSP URI in an RTSP request message.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
string

Specifies the absolute path/host name or query string to match with the URI in RTSP header.

string must be an alphanumeric string of 1 through 127 characters. string allows punctuation characters and excludes the “host” portion.

port

Specifies the port related matching for RTSP URI in an RTSP request message.

port_operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
port_value

Specifies the RTSP port number to match with port rule in the RTSP flow as an integer from 0 through 65535.

{ range | !range } range_from to range_to }

Enables or disables the range criteria for RTSP flow ports.

  • range: Enables the range criteria for RTSP flow ports.
  • !range: Disables the range criteria for RTSP flow ports.
  • range_from: Specifies the start of range of RTSP flow ports as an integer from 0 through 65535, but less than or equal to range_to.
  • range_to: Specifies the end of range of RTSP flow ports as an integer from 0 through 65535, but more than or equal to range_from.

Usage:

Use this command to define rule expressions to match URI sub parts like host, absolute path, port, and query in RTSP request messages.


Example:
The following command defines a URI sub part rule expression to analyze user traffic based on an RTSP URI port number between 1023 and 1068:
rtsp uri sub-part
port range 1023 to 1068
rtsp user-agent

This command allows you to define rule expressions to match the user-agent field in RTSP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rtsp
user-agent [ case-sensitive ] operator user_agent
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
user_agent

Specifies the user agent to match.

user_agent must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to define rule expressions to match the “user-agent” field in RTSP header.


Example:
The following command defines a rule expression to match test in “user-agent” field of RTSP header:
rtsp user-agent = test
rule-application

This command allows you to specify the purpose of a ruledef, such as for charging, post-processing, routing, and so on.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
rule-application { charging | post-processing | routing }no rule-application
no

Disables the rule application configuration.

charging

Specifies that the current ruledef is for charging purposes.

Up to 2,048 rule definitions can be defined for the charging application in an Active Charging Service.

Default: Enabled

post-processing

IMPORTANT:

The post-processing keyword is available only in 8.3 and later releases.

Specifies that the current ruledef is for post-processing purposes. This enables processing of packets even if the rule matching for them has been disabled.

routing

Specifies that the current ruledef is for routing purposes. Up to 256 rule definitions can be defined for routing in an Active Charging Service. Default: Disabled


Usage:

Use this command to specify the rule application for a rule definition.

If, when configuring a ruledef, the rule-application is not specified, by default the system configures the ruledef as a charging ruledef.


Example:
The following command configures the rule application “charging” to the current rule definition:
rule-application charging
sdp any-match

This command allows you to define rule expressions to match all packets that contain Session Description Protocol (SDP) descriptions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sdp
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all packets containing SDP descriptions.


Example:
The following command defines a rule expression to match all packets containing SDP descriptions:
sdp any-match = TRUE
sdp connection-ip-address

This command allows you to define rule expressions to match the IP address in the connection field of SDP descriptions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sdp
connection-ip-address operator ipv4_address
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
ipv4_address

Specifies the IP address to match.

ipv4_address must be in IPv4 dotted-decimal notation.


Usage:

Use this command to define rule expressions to match IP address in the connection field of SDP descriptions.


Example:
The following command defines a rule expression to match the IP address 10.1.1.1 in the connection field of SDP descriptions:
sdp connection-ip-address = 10.1.1.1
sdp media-audio-port

This command allows you to define rule expressions to match media audio ports specified in the media sections of SDP descriptions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sdp
media-audio-port operator port
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
port

Specifies the port number to match.

port must be an integer from 0 through 65535.


Usage:

Use this command to define rule expressions to match media audio ports specified in the media sections of SDP descriptions.


Example:
The following command defines a rule expression to match media audio port 100 in the media sections of SDP descriptions:
sdp media-audio-port = 100
sdp media-video-port

This command allows you to define rule expressions to match media video ports specified in the media sections of SDP descriptions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sdp
media-video-port operator port
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
port

Specifies the port number to match.

port must be an integer from 0 through 65535.


Usage:

Use this command to define rule expressions to match media video ports specified in the media sections of SDP descriptions.


Example:
The following command defines a rule expression to match media video port 100 in the media sections of SDP descriptions:
sdp media-video-port = 100
sdp uplink

This command allows you to define rule expressions to match SDP descriptions in the uplink (subscriber to network) direction.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sdp
uplink operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE: Is not uplink
  • TRUE: Is uplink

Usage:

Use this command to define rule expressions to match SDP descriptions in uplink direction.


Example:
The following command defines a rule expression to match all SDP descriptions in the uplink direction:
sdp uplink = TRUE
secure-http any-match

This command allows you to define rule expressions to match all Secure HTTP (HTTPS) packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] secure-http
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all Secure HTTP packets.


Example:
The following command defines a rule expression to match all HTTPS packets:
secure-http any-match = TRUE
secure-http uplink

This command allows you to define rule expressions to match uplink (subscriber to network) HTTPS packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] secure-http
uplink operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE: Is not uplink
  • TRUE: Is uplink

Usage:

Use this command to define rule expressions to match uplink HTTPS packets.


Example:
The following command defines a rule expression to match all uplink HTTPS packets:
secure-http uplink = TRUE
sip any-match

This command allows you to define rule expressions to match all Session Initiation Protocol (SIP) packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sip
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all SIP packets.


Example:
The following command defines a rule expression to match all SIP packets:
sip any-match = TRUE
sip call-id

This command allows you to define rule expressions to match the Call ID in SIP messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sip
call-id [ case-sensitive ] operator call_id
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
call-id

Specifies the call ID to match.

call-id must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match the call ID in SIP messages.


Example:
The following command defines a rule expression to match the call ID test in SIP messages:
sip call-id = test
sip content length

This command allows you to define rule expressions to match the content-length field in SIP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sip
content length operator content_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
content_length

Specifies the SIP content length to match.

content_length must be an integer from 0 through 65535.


Usage:

Use this command to define rule expressions to match the content-length field in SIP headers.


Example:
The following command defines a rule expression to match the content length 10000 in SIP headers:
sip content length = 10000
sip content type

This command allows you to define rule expressions to match the content type field in SIP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sip
content type [ case-sensitive ] operator content_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
content_type

Specifies the content type to match.

content_type must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to define rule expressions to match the content type field in SIP headers.


Example:
The following command defines a rule expression to match content type download_string in SIP headers:
sip content type = download_string
sip from

This command allows you to define rule expressions to match the from field in SIP messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sip
from [ case-sensitive ] operator string
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
string

Specifies the value to match.

string must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match the “from” field in SIP messages.


Example:
The following command defines a rule expression to match test1 in the “from” field in SIP messages:
sip from contains test1
sip previous-state

This command allows you to define rule expressions to match previous state of SIP sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sip
previous-state operator sip_previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
sip_previous_state

Specifies the previous state to match.

sip_previous_state must be one of the following:

  • init
  • provisional-response
  • request-sent
  • response-fail
  • response-ok

Usage:

Use this command to define rule expressions to match a previous state of SIP sessions.


Example:
The following command defines a rule expression to match user traffic based on the SIP previous state of request-sent:
sip previous-state = request-sent
sip reply code

This command allows you to define rule expressions to match the reply code in SIP responses.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sip
reply code operator reply_code
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
reply_code

Specifies the SIP reply code to match.

reply_code must be an integer from 100 through 699.


Usage:

Use this command to define rule expressions to match the reply code in SIP responses.


Example:
The following command defines a rule expression to match 180 in the reply code in SIP responses:
sip reply code = 180
sip request method

This command allows you to define rule expressions to match the method in SIP requests.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sip
request method operator method
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
method

Specifies the SIP method to match.

method must be one of the following:

  • ack
  • bye
  • cancel
  • invite
  • options
  • register

Usage:

Use this command to define rule expressions to match the method in SIP requests.


Example:
The following command defines a rule expression to match the method bye in SIP request messages:
sip request method = bye
sip request packet

This command allows you to define rule expressions to match all SIP request packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sip
request packet operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • =: Equals
  • !=: Does not equal
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE: Is a response
  • TRUE: Is a request

Usage:

Use this command to define rule expressions to match all SIP request packets.


Example:
The following command defines a rule expression to match all SIP request packets:
sip request packet = TRUE
sip state

This command allows you to define rule expressions to match current state of the SIP session.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sip
state operator current_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
current_state

Specifies the current state to match.

current_state must be one of the following:

  • ack-received
  • provisional-response
  • request-sent
  • response-fail
  • response-ok

Usage:

Use this command to define rule expressions to match the current SIP session.


Example:
The following command defines a rule expression to match user traffic based on SIP current state request-sent:
sip state = request-sent
sip to

This command allows you to define rule expressions to match the “to” field in SIP messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sip
to [ case-sensitive ] operator to_address
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
to_address

Specifies the “to” address/name to match.

to_address must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match the “to” field in SIP messages.


Example:
The following command defines a rule expression to match test1 in the “to” field of SIP messages:
sip to contains test1
sip uri

This command allows you to define rule expressions to match the URI in SIP messages.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] sip
uri [ sub-part { headers | host | parameters | port | userinfo } ] [ case-sensitive ] operator uri
no

If previously configured, deletes the specified rule expression from the current ruledef.

sub-part { headers | host | parameters | port | userinfo }

This is an optional keyword that defines what sub-part of a SIP URI to check.

  • headers: Apply the rule to SIP URI header field.
  • host: Apply the rule the SIP URI host field.
  • parameters: Apply the rule to the SIP URI parameters field.
  • port: Apply the rule to the SIP URI port field.
  • userinfo: Apply the rule to the SIP URI userinfo field.
case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with

The string for sub-part keyword port must be an integer and requires different operators. Use the following operators with the port keyword:

  • !=: Does not equal
  • <=: Is less than
  • =: Equals
  • >=: Is greater than
uri

Specifies the SIP URI to match.

uri must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.

The string for sub-part keyword port must be an integer from 0 through 65535.


Usage:

Use this command to define rule expressions to match the URI in SIP messages.


Example:
The following command defines a rule expression to match the URI string sip:10.1.1.1:5060 in SIP messages:
sip uri = sip:10.1.1.1:5060 
The following command defines a rule expression to match the URI string sip:nnnn@host:5060;user=phone in SIP messages:
sip uri = sip:nnnn@host:5060;user=phone 
smtp any-match

This command allows you to define rule expressions to match all Simple Mail Transfer Protocol (SMTP) packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] smtp
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all SMTP packets.


Example:
The following command defines a rule expression to match all SMTP packets:
smtp any-match = TRUE
smtp command arguments

This command allows you to define rule expressions to match SMTP command arguments.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] smtp
command arguments [ case-sensitive ] operator argument
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
argument

Specifies the command argument to match.

argument must be an alphanumeric string of 1 through 63 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match SMTP command arguments.


Example:
The following command defines a rule expression to match SMTP command argument test:
smtp command arguments = test 
smtp command id

This command allows you to define rule expressions to match SMTP command IDs.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] smtp
command id operator command_id
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
command_id

Specifies the command argument to match.

command_id must be an integer from 0 through 10.


Usage:

Use this command to define rule expressions to match SMTP command IDs.


Example:
The following command defines a rule expression to match SMTP command ID 8:
smtp command id = 8
smtp command name

This command allows you to define rule expressions to match commands sent in SMTP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] smtp
command name operator command_name
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
command_name

Specifies the command name to match.

command_name must be one of the following:

  • bdat
  • data
  • ehlo
  • expn
  • helo
  • mail-from
  • noop
  • quit
  • rcpt-to
  • rset
  • vrfy

Usage:

Use this command to define rule expressions to match commands sent in SMTP packets.


Example:
The following command defines a rule expression to match data command in SMTP packets:
smtp command name = data
smtp mail-size

This command allows you to define rule expressions to match the size of mail sent by a SMTP client.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] smtp
mail-size { operator mail_size | { { range | !range } range_from to range_to } }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
mail_size

Specifies the mail size (in bytes) to match.

mail_size must be an integer from 1 through 40000000.

{ range | !range } range_from to range_to

Enables or disables the range criteria.

  • range: Enables the range criteria.
  • !range: Disables the range criteria.
  • range_from: Specifies the start of range as an integer from 1 through 40000000.
  • range_to: Specifies the end range. range_to must be an integer from 1 through 40000000, and must be greater than range_from.

Usage:

Use this command to define rule expressions to match the size of mail sent by an SMTP client.


Example:
The following command defines a rule expression to match mail size of 40000 bytes:
smtp mail-size = 40000
smtp pdu-length

This command allows you to define rule expressions to match the Protocol Data Unit (PDU) length of SMTP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] smtp
pdu-length { operator pdu_length | { { range | !range } range_from to range_to } }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
pdu_length

Specifies the SMTP PDU length (in bytes) to match.

pdu_length must be an integer from 1 through 65535.

{ range | !range } range_from to range_to

Enables or disables the range criteria.

  • range: Enables the range criteria.
  • !range: Disables the range criteria.
  • range_from: Specifies the start of range as an integer from 1 through 65535.
  • range_to: Specifies the end range. range_to must be an integer from 1 through 65535, and must be greater than range_from.

Usage:

Use this command to define rule expressions to match PDU length of SMTP packets, that is headers + payload.


Example:
The following command defines a rule expression to match a PDU length of 1600 bytes:
smtp pdu-length = 1600
smtp previous-state

This command allows you to define rule expressions to match previous state of SMTP command sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] smtp
previous-state operator smtp_previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
smtp_previous_state

Specifies the previous state to match.

smtp_previous_state must be one of the following:

  • close: Closed state
  • init: Initialized state
  • response-error: Reply error state
  • response-ok: Response ok state
  • waiting-for-response: Waiting for response state

Usage:

Use this command to define rule expressions to match a previous state of SMTP command sessions.


Example:
The following command defines a rule expression to match user traffic based on SMTP previous state close:
smtp previous-state = close
smtp recipient

This command allows you to define rule expressions to match the recipient e-mail ID in the current SMTP transaction.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] smtp
recipient [ case-sensitive ] operator argument
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
argument

Specifies the response argument to match.

argument must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match the recipient e-mail ID in the current SMTP transaction.


Example:
The following command defines a rule expression to match recipient e-mail ID containing test in the current SMTP transaction:
smtp recipient contains test
smtp reply arguments

This command allows you to define rule expressions to match the arguments within SMTP responses.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] smtp
reply arguments [ case-sensitive ] operator argument
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
argument

Specifies the reply argument to match.

argument must be an alphanumeric string of 1 through 63 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match the arguments with SMTP response.


Example:
The following command defines a rule expression to match reply argument forward-path in SMTP response:
smtp reply arguments = forward-path
smtp reply id

This command allows you to define rule expressions to match reply ID assigned to SMTP responses.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] smtp
reply id operator
reply_id
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
reply_id

Specifies the reply ID to match.

reply_id must be one of the following:

  • 0: +NO reply
  • 1: +OK reply
  • 2: -ERR reply

Usage:

Use this command to define rule expressions to reply ID assigned to SMTP response.


Example:
The following command defines a rule expression to match reply ID 2 assigned to SMTP response:
smtp reply id = 2
smtp reply status

This command allows you to define rule expressions to match the reply status in SMTP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] smtp
reply status operator reply_status
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
reply_status

Specifies the SMTP reply status to match.

reply_status must be one of the following:

  • +OK: Response OK
  • -ERR: Response error

Usage:

Use this command to define rule expressions to match reply status in SMTP packets.


Example:
The following command defines a rule expression to match reply status +OK in SMTP packets:
smtp reply status = +OK
smtp sender

This command allows you to define rule expressions to match sender e-mail ID in the current SMTP transaction.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] smtp
sender [ case-sensitive ] operator sender
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
sender

Specifies the sender value to match.

sender must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to define rule expressions to match sender e-mail ID in the current SMTP transaction.


Example:
The following command defines a rule expression to match sender e-mail ID containing test in the current SMTP transaction:
smtp sender contains test
smtp session-length

This command allows you to define rule expressions to match total length of SMTP sessions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] smtp
session-length { operator session_length | { range | !range } range_from to range_to }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
session_length

Specifies the session length to match.

session_length must be an integer from 1 through 40000000.

{ range | !range } range_from to range_to

Enables or disables the range criteria.

  • range: Enables the range criteria.
  • !range: Disables the range criteria.
  • range_from: Specifies the start of range as an integer from 1 through 40000000.
  • range_to: Specifies the end range. range_to must be an integer from 1 through 40000000, and must be greater than range_from.

Usage:

Use this command to define rule expressions to match total length of SMTP session.


Example:
The following command defines a rule expression to match SMTP session length of 4000000:
smtp session-length = 4000000
smtp state

This command allows you to define rule expressions to match current state of a SMTP command session.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] smtp
state operator current_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
current_state

Specifies the current state to match.

current_state must be one of the following:

  • close: Closed state
  • init: Initialized state
  • response-error: Response of error state
  • response-ok: Response of ok state
  • waiting-for-response: Waiting for response state

Usage:

Use this command to define rule expressions to match current state of SMTP command session.


Example:
The following command defines a rule expression to match current state as close of SMTP command session:
smtp state = close
tcp analyzed out-of-order

This command allows you to define rule expressions to determine whether the received TCP packet was received before all of the earlier sequenced packets have been received. This functionality is for whether the packet was analyzed or discarded because the earlier sequenced packet(s) was (were) not received before a timeout expired.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
analyzed out-of-order operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE: Not analyzed
  • TRUE: Analyzed

Usage:

This command is used to set the status flag to ‘analyzed’ or ‘not analyzed’ for all TCP packets received at the ACSMgr/SessMgr prior to their earlier packets.

When a packet reaches ACSMgr/SessMgr prior to earlier packet(s), it and subsequent packets are buffered at ACSMgr/SessMgr as TCP out-of-order packets and ACSMgr/SessMgr waits for missing packet(s) until the time-out duration expires. If the packet(s) with the missing sequence number(s) arrives within the time-out duration, all buffered packets with the correct sequence will be presented to upper layers (HTTP etc.) for analysis; otherwise buffered TCP out-of-order packets will be sent to charging with analysis done flag at the TCP/IP layer only.

If this command is enabled the TCP out-of-order packets are marked and sent to TCP analyzer as analyzed for charging action, otherwise they are discarded.


Example:
The following command sets to analyze TCP out-of-order packets:
tcp analyzed out-of-order = TRUE
tcp any-match

This command allows you to define rule expressions to match all TCP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE: Not analyzed
  • TRUE: Analyzed

Usage:

Use this command to define rule expressions to match all TCP packets.


Example:
The following command defines a rule expression to match all TCP packets:
tcp any-match = TRUE
tcp connection-initiator

This command allows you to define rule expressions to match the TCP connection initiator.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
connection-initiator operator subscriber
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
subscriber

Specifies that the connection is being initiated by the subscriber.


Usage:

Use this command to define rule expressions to match the TCP connection initiator, and to allow the operator to differentiate when the connection initiated by subscriber or the subscriber is acting as a Transaction Control Server (TCS) server.


Example:
The following command defines a rule expression to match user traffic based on TCP connection initiator subscriber:
tcp connection-initiator = subscriber
tcp downlink

This command allows you to define rule expressions to match downlink (network to subscriber) TCP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
downlink operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match downlink (to subscriber) TCP packets.


Example:
The following command defines a rule expression to match downlink TCP packets:
tcp downlink = TRUE
tcp dst-port

This command allows you to define rule expressions to match destination port number in TCP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
port_number

Specifies the port number to match.

port_number must be an integer from 1 through 65535.

range | !range

Specifies the range criteria:

  • !range: Not in the range
  • range: In the range
start_range to end_range

Specifies the starting and ending port numbers for the range of destination TCP ports.

  • start_range must be an integer from 1 through 65535.
  • end_range must be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map_name

Specifies the port map for the port range. port_map_name must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to define rule expressions to match destination port number in TCP headers.


Example:
The following command defines a rule expression to match destination port number 10 in TCP headers:
tcp dst-port = 10
tcp duplicate

This command allows you to define rule expressions to match TCP retransmissions.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
duplicate operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE: Not duplicated/retransmitted
  • TRUE: Duplicated/retransmitted

Usage:

Use this command to specify rule expressions to match TCP retransmission.


Example:
The following command defines a rule expression to match TCP retransmissions:
tcp duplicate = TRUE
tcp either-port

This command allows you to define rule expressions to match either a destination or source port number in TCP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
port_number

Specifies the port number to match.

port_number must be an integer from 1 through 65535.

range | !range

Specifies the range criteria:

  • !range: Not in the range
  • range: In the range
start_range to end_range

Specifies the starting and ending port numbers for the port range.

  • start_range must be an integer from 1 through 65535.
  • end_range must be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map_name

Specifies the port map for the port range. port_map_name must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to define rule expressions to match either a destination or source port number in TCP headers.

This command expression allows you to create a single ruledef using either-port, rather than needing two ruledefs (one with dst-port and one with src-port).


Example:
The following command defines a rule expression to match destination/source port number 10 in TCP header:
tcp either-port = 10
tcp error

This command allows you to define rule expressions to identify errors, either in the packet (for example, TCP checksum error) or in the TCP analyzer's Finite State Machine (FSM).

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
error operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define a rule expression to identify errors, either in the packet (for example, TCP checksum error) or in the TCP analyzer's FSM.


Example:
The following command defines a rule expression to match TCP errors:
tcp error = TRUE
tcp flag

This command allows you to define rule expressions to match bit within the flag field of TCP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
flag operator flag
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !contains: Does not contain
  • contains: Contains
  • !=: Does not equal
  • =: Equals
flag

Specifies the flag value to match.

flag must be one of the following:

  • ack: TCP FLAG ACK
  • fin: TCP FLAG FIN
  • push: TCP FLAG PUSH
  • reset: TCP FLAG RESET
  • syn: TCP FLAG SYN

Usage:

Use this command to define rule expressions to match a bit within the flag field of TCP headers.


Example:
The following command defines a rule expression to match reset within flag field of TCP headers:
tcp flag = reset
tcp initial-handshake-lost

This command allows you to define rule expressions to match data packets when there has been no TCP handshaking to establish TCP connection.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
initial-handshake-lost operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match data packets when there has been no TCP handshaking to establish TCP connection.


Example:
The following command defines a rule expression to identify TCP flow where the initial handshake was not seen:
tcp initial-handshake-lost = TRUE
tcp payload

This command allows you to define rule expressions to match hexadecimal or ASCII string content in the payload protocol-signature field of the TCP payload.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
payload starts-with { hex-signature hex_string | string-signature string }
no

If previously configured, deletes the specified rule expression from the current ruledef.

hex-signature hex_string

Specifies hexadecimal protocol signature in payload field.

hex_string must be a dash-delimited list of hex data of size smaller than 32.

string-signature string

Specifies protocol signature in payload field.

string must be an alphanumeric string of 1 through 32 characters.


Usage:

Use this command to define rule expressions to match for Hex/ASCII string content in payload protocol-signature field.

This rule expression is useful for detecting certain applications.


Example:
The following command defines a rule expression to identify user traffic based on TCP protocol signature tcp1:
tcp payload starts-with
string-signature tcp1
tcp payload-length

This command allows you to define rule expressions to match the length of a TCP payload.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
payload-length operator payload_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
payload_length

Specifies the TCP payload length to match.

payload_length must be an integer from 0 through 40000000.


Usage:

Use this command to define rule expressions to match length of TCP payload, excluding the TCP or lower layer headers.

To match TCP control packets configure a payload-length of 0 (zero).


Example:
The following command defines a rule expression to match TCP payload length of 10000:
tcp payload-length = 10000
tcp previous-state

This command allows you to define rule expressions to match previous state of TCP connections.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
previous-state operator tcp_previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
tcp_previous_state

Specifies the previous state to match.

tcp_previous_state must be one of the following:

  • close
  • close-wait
  • closing
  • established
  • fin-wait1
  • fin-wait2
  • last-ack
  • listen
  • syn-received
  • syn-sent
  • time-wait

Usage:

Use this command to define rule expressions to match a TCP previous state.


Example:
The following command defines a rule expression to match user traffic based on previous state time-wait:
tcp previous-state = time-wait
tcp proxy-prev-state

This command allows you to define rule expressions to match TCP previous state on the ingress side of the TCP proxy.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
proxy-prev-state operator previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
previous_state

Specifies the previous state to match.

previous_state must be one of the following:

  • close
  • close-wait
  • closing
  • established
  • fin-wait1
  • fin-wait2
  • last-ack
  • listen
  • syn-received
  • syn-sent
  • time-wait

Usage:

If there is no TCP proxy configured, this configuration is not applicable.

For proxy-enabled flows, TCP state handling interprets the ingress side as the radio side and the egress side as the Internet side of the TCP connection.

tcp state and tcp prev-state is the state of the client stack, which would be either the state of the subscriber's stack (if flow is not proxy enabled) or the MS state of proxy on the egress-side (if flow is proxy-enabled).

tcp proxy-state and tcp proxy-prev-state is the state of the embedded TCP proxy server, that is the proxy ingress-side.

So, depending on the use case, if using tcp state and tcp prev-state an existing configuration may work fine regardless of whether proxy is enabled. For other use cases, other ruledefs may have to be created.

Both tcp state and tcp proxy-state can be used in the same ruledef. If proxy was being used, they would map to the egress-side and ingress-side, respectively. If proxy was not being used, then this would not match ruledef because proxy state would not be applicable.


Example:
The following command defines a rule expression to match user traffic based on TCP proxy previous state of established:
tcp proxy-prev-state = established
tcp proxy-state

This command allows you to define rule expressions to match the TCP state on the ingress side of the TCP proxy.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
proxy-state operator
state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
state

Specifies the state to match.

state must be one of the following:

  • close
  • close-wait
  • closing
  • established
  • fin-wait1
  • fin-wait2
  • last-ack
  • listen
  • syn-received
  • syn-sent
  • time-wait

Usage:

If there is no TCP proxy configured, this configuration is not applicable.

For proxy-enabled flows, TCP state handling interprets the ingress side as the radio side and the egress side as the Internet side of the TCP connection.

tcp state and tcp prev-state is the state of the client stack, which would be either the state of the subscriber's stack (if flow is not proxy enabled) or the MS state of proxy on egress-side (if flow is proxy-enabled).

tcp proxy-state and tcp proxy-prev-state is the state of the embedded TCP proxy server, that is the proxy ingress-side.

So, depending on the use case, if using tcp state and tcp prev-state an existing configuration may work fine regardless of whether proxy is enabled. For other use cases, other ruledefs may have to be created.

Both tcp state and tcp proxy-state can be used in the same ruledef. If proxy was being used, they would map to the egress-side and ingress-side, respectively. If proxy was not being used, then this would not match the ruledef because proxy state would not be applicable.


Example:
The following command defines a rule expression to match user traffic based on TCP proxy previous state of established:
tcp proxy-state = established
tcp session-length

This command allows you to define rule expressions to match the total length of a TCP session.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
session-length operator session_length 
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
session_length

Specifies the TCP session length (in bytes) to match as be an integer from 0 through 4000000000.


Usage:

Use this command to define rule expressions to match the total length of a TCP session.

The session-length is calculated by adding together the TCP payload-length values of all relevant packets.


Example:
The following command defines a rule expression to match user traffic based on TCP session length of 2000 bytes:
tcp session-length = 2000
tcp src-port

This command allows you to define rule expressions to match source a port number in TCP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
port_number

Specifies the port number to match.

port_number must be an integer from 1 through 65535.

range | !range

Specifies the range criteria:

  • !range: Not in the range
  • range: In the range
start_range to end_range

Specifies the starting and ending port numbers for the port range.

  • start_range must be an integer from 1 through 65535.
  • end_range must be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map_name

Specifies the port map for the port range. port_map_name must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to define rule expressions to match source a port number in TCP headers.


Example:
The following command defines a rule expression to analyze user traffic matching TCP source port 10:
tcp src-port = 10
tcp state

This command allows you to define rule expressions to match current state of TCP connections.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
state operator current_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
current_state

Specifies the current state to match.

current_state must be one of the following:

  • close
  • close-wait
  • closing
  • established
  • fin-wait1
  • fin-wait2
  • last-ack
  • listen
  • syn-received
  • syn-sent
  • time-wait

Usage:

Use this command to define rule expressions to match a current state of TCP connections.


Example:
The following command defines a rule expression to match user traffic based on current state close:
tcp state = close
tcp uplink

This command allows you to define rule expressions to match uplink (subscriber to network) TCP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp
uplink operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to uplink TCP packets.


Example:
The following command defines a rule expression to uplink TCP packets:
tcp uplink = TRUE
tftp any-match

This command allows you to define rule expressions to match all Trivial File Transfer Protocol (TFTP) packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tftp
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE: Not analyzed
  • TRUE: Analyzed

Usage:

Use this command to define rule expressions to match all TFTP packets.


Example:
The following command defines a rule expression to match all TFTP packets:
tftp any-match = TRUE
tftp data-any-match

This command allows you to define rule expressions to match all TFTP data packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tftp
data-any-match operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE: Not analyzed
  • TRUE: Analyzed

Usage:

Use this command to define rule expressions to match all TFTP data packets.


Example:
The following command defines a rule expression to match all TFTP data packets:
tftp data-any-match = TRUE
udp any-match

This command allows you to define rule expressions to match all UDP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] udp
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all UDP packets.


Example:
The following command defines a rule expression to match all UDP packets:
udp any-match = TRUE
udp downlink

This command allows you to define rule expressions to match downlink (network to subscriber) UDP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] udp
downlink operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match downlink UDP packets.


Example:
The following command defines a rule expression to match downlink UDP packets:
udp downlink = TRUE
udp dst-port

This command allows you to define rule expressions to match destination port number in UDP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] udp
dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
port_number

Specifies the port number to match.

port_number must be an integer from 1 through 65535.

!range | range

Specifies the range criteria.

  • !range: Not in the range
  • range: In the range
start_range to end_range

Specifies the starting and ending port numbers for the port range.

  • start_range must be an integer from 1 through 65535.
  • end_range must be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map_name

Specifies the port map for the port range. port_map_name must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to define rule expressions to match destination port number in UDP headers.


Example:
The following command defines a rule expression to match user traffic based on destination port number 10:
udp dst-port = 10
udp either-port

This command allows you to define rule expressions to match either a destination or source port number in UDP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] udp
either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
port_number

Specifies the port number to match.

port_number must be an integer from 1 through 65535.

!range | range

Specifies the range criteria.

  • !range: Not in the range
  • range: In the range
start_range to end_range

Specifies the starting and ending port numbers for the port range.

start_range must be an integer from 1 through 65535.

end_range must be an integer from 1 through 65535, and must be greater than start_range.

port-map port_map_name

Specifies the port map for the port range. port_map_name must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to define rule expressions to match either destination or source port number in UDP headers.


Example:
The following command defines a rule expression to match user traffic based on match either source/destination port number 10:
udp either-port = 10
udp payload starts-with

This command allows you to define rule expressions to match hex/ASCII string content in UDP payload protocol-signature field.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] udp
payload starts-with { hex-signature hex_string | string-signature string }
no

If previously configured, deletes the specified rule expression from the current ruledef.

hex-signature hex_string

Specifies hexadecimal protocol signature in payload field.

hex_string must be a dash-delimited list of hex data of size smaller than 32.

string-signature string

Specifies protocol signature in payload field.

string must be an alphanumeric string of 1 through 32 characters.


Usage:

Use this command to define rule expressions to match for Hex/ASCII string content in UDP payload protocol-signature field.

This rule expression is useful for detecting certain applications.


Example:
The following command defines a UDP rule expression to analyze user traffic based on UDP protocol signature udp1:
udp payload starts-with
string-signature udp1 
udp src-port

This command allows you to define rule expressions to match source port number in UDP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] udp
src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
port_number

Specifies the port number to match.

port_number must be an integer from 1 through 65535.

!range | range

Specifies the range criteria.

  • !range: Not in the range
  • range: In the range
start_range to end_range

Specifies the starting and ending port numbers for the port range.

start_range must be an integer from 1 through 65535.

end_range must be an integer from 1 through 65535, and must be greater than start_range.

port-map port_map_name

Specifies the port map for the port range. port_map_name must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to define rule expressions to match source port number in UDP headers.


Example:
The following command defines a rule expression to match source port number 10 in UDP headers:
udp src-port = 10
udp uplink

This command allows you to define rule expressions to match uplink (subscriber to network) UDP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] udp
uplink operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match uplink UDP packets.


Example:
The following command defines a rule expression to match uplink (from subscriber) UDP packets:
udp uplink = TRUE
wsp any-match

This command allows you to define rule expressions to match all Wireless Session Protocol (WSP) packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to specify a rule expression to match all WSP packets.


Example:
The following command defines a rule expression to match all WSP packets:
wsp any-match = TRUE
wsp content type

This command allows you to define rule expressions to match the content type field in WSP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
content type [ case-sensitive ] operator content_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
content_type

Specifies content type to match.

content_type must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match “content type” field in WSP headers.


Example:
The following command defines a rule expression to WSP content type test:
wsp content type = test
wsp domain

This command allows you to define rule expressions to match domain portion of the URI for WSP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
domain [ case-sensitive ] operator domain
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
domain

Specifies the domain to match.

domain must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to define rule expressions to match the domain portion of URIs in WSP packets.

From the URL, after http:// (if present) is removed, everything until the first "/" is the domain.


Example:
The following command defines a rule expression to match user traffic based on domain name testdomain:
wsp domain = testdomain
wsp downlink

This command allows you to define rule expressions to match downlink (network to subscriber) WSP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
downlink operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the downlink (from the Mobile Node direction) status to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match downlink WSP packets.


Example:
The following command defines a rule expression to match downlink WSP packets:
wsp downlink = TRUE
wsp first-request-packet

This command allows you to define rule expressions to match WSP first-request-packet.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
first-request-packet operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match the GET or POST request, if it is the first WSP request for the subscriber's session.


Example:
The following command defines a rule expression to match WSP first-request-packet:
wsp first-request-packet = TRUE
wsp host

This command allows you to define rule expressions to match the host name header field in WSP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
host [ case-sensitive ] operator host_name
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
host_name

Specifies the WSP host name to match.

host_name must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match host name header field in WSP headers.


Example:
The following command defines a rule expression to match host name host1 in WSP headers:
wsp host contains host1
wsp pdu-length

This command allows you to define rule expressions to match WSP PDU length.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
pdu-length operator pdu_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
pdu_length

Specifies the WSP PDU length (in bytes) to match.

pdu_length must be an integer from 1 through 65535.


Usage:

Use this command to define rule expressions to match WSP PDU length (header + payload) in bytes.


Example:
The following command defines a rule expression to match user traffic based on WSP PDU length of 10000 bytes:
wsp pdu-length = 10000
wsp pdu-type

This command allows you to define rule expressions to match WSP PDU type in the current packet.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
pdu-type operator
pdu_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
pdu_type

Specifies the WSP PDU type to match.

pdu_type must be one of the following:

  • confirmed push
  • connect-reply
  • connect-request
  • data-fragment
  • delete
  • disconnect
  • get
  • head
  • options
  • post
  • push
  • put
  • redirect
  • reply
  • resume
  • suspend
  • trace

Usage:

Use this command to define rule expressions to match WSP PDU type value in current packet.


Example:
The following command defines a rule expression to match WSP PDU type resume:
wsp pdu-type resume
wsp previous-state

This command allows you to define rule expressions to match previous WSP method invocation state.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
previous-state operator wsp_previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
wsp_previous_state

Specifies the previous state to match.

wsp_previous_state must be one of the following:

  • init
  • response-error
  • response-ok
  • waiting-for-response

Usage:

Use this command to define rule expressions to match WSP previous state.


Example:
The following command defines a rule expression to match WSP previous state of response-ok:
wsp previous-state = response-ok
wsp reply code

This command allows you to define rule expressions to match WSP reply code.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
reply code operator reply_code
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
reply_code

Specifies the WSP reply code to match.

reply_code must be an integer from 0 through 101.


Usage:

Use this command to define rule expressions to match WSP reply code.


Example:
The following command defines a rule expression to match WSP reply code of 50:
wsp reply code = 50
wsp session-length

This command allows you to define rule expressions to match total length of a WSP session.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
session-length operator session_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: less than equals
  • =: Equals
  • >=: greater than equals
session_length

Specifies the WSP session length (in bytes) to match.

session_length must be an integer from 1 through 65535.


Usage:

Use this command to define rule expressions to match total length of WSP session.


Example:
The following command defines a rule expression to match WSP session length of 2000 bytes:
wsp session-length = 2000
wsp session-management

This command allows you to define rule expressions to match WSP Session Management state.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
session-management { previous-state | state } operator state
no

If previously configured, deletes the specified rule expression from the current ruledef.

previous-state

Specifies the previous WSP Session Management state.

state

Specifies current WSP Session Management Finite State Machine (FSM) state.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
state

Specifies the state to match.

For previous-state, state must be one of the following:

  • connected
  • connecting
  • init
  • resuming
  • suspended

For state, state must be one of the following:

  • close
  • connected
  • connecting
  • init
  • resuming
  • suspended

Usage:

Use this command to define rule expressions to match a WSP Session Management state.


Example:
The following command defines a rule expression to match previous WSP Session Management state of connecting:
wsp session-management
previous-state = connecting
wsp state

This command allows you to define rule expressions to match WSP Method Invocation state.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
state operator current_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
current_state

Specifies the current state to match.

current_state must be one of the following:

  • close
  • response-error
  • response-ok
  • waiting-for-response

Usage:

Use this command to define rule expressions to match WSP Method Invocation state.


Example:
The following command defines a rule expression to match a WSP Method Invocation state close:
wsp state = close
wsp status

This command has been deprecated. See the wsp reply-code command.

wsp tid

This command allows you to define rule expressions to match Transaction Identifier (TID) field for connection-less WSP.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
tid operator transaction_id
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
transaction_id

Specifies the transaction identifier to match.

transaction_id must be an integer from 0 through 255.


Usage:

Use this command to define rule expressions to match TID field for connection-less WSP.


Example:
The following command defines a rule expression to match a TID value of 22 for connection-less WSP:
wsp tid = 22 
wsp total-length

This command has been deprecated. See the wsp session-length command.

wsp transfer-encoding

This command allows you to define rule expressions to match transfer encoding present in WSP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
transfer-encoding [ case-sensitive ] operator transfer_encoding
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
transfer_encoding

This must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to define rule expressions to match transfer encoding present in WSP header.


Example:
The following command defines a rule expression to match user traffic based on WSP transfer encoding 7:
wsp transfer-encoding
contains 7
wsp uplink

This command allows you to define rule expressions to match uplink (subscriber to network) WSP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
uplink operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the uplink (to the Mobile Node direction) status to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match uplink WSP packets.


Example:
The following command defines a rule expression to match uplink WSP packets:
wsp uplink = TRUE
wsp url

This command allows you to define rule expressions to match WSP URL.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
url [ case-sensitive ] operator url
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
url

Specifies the URL to match.

url must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to define rule expressions to match the complete URL, including the host portion.


Example:
The following command defines a rule expression to match user traffic based on WSP URL wsp://wiki.tcl.tk:
wsp url = wsp://wiki.tcl.tk
wsp user-agent

This command allows you to define rule expressions to match user agent field in WSP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
user-agent [ case-sensitive ] operator user_agent
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
user_agent

Specifies the WSP user agent to match.

user_agent must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to define rule expressions to match a user agent field in WSP headers.


Example:
The following command defines a rule expression to match value test in user agent field in WSP headers:
wsp user-agent contains test
wsp x-header

This command allows you to define rule expressions to match WSP extension-headers (x-headers).

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wsp
x-header name [ case-sensitive ] operator string
no

If previously configured, deletes the specified rule expression from the current ruledef.

name

Specifies the x-header value as an alphanumeric string of 1 through 31 characters.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
string

Specifies the value of the extension header as an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to configure any x-header field in WSP and parse it. The extension-header mechanism allows additional header fields to be defined without changing the protocol. The extension-header can be any header fields that are not specified in the RFC standard.


Example:
The following command defines a rule expression to analyze user traffic containing WSP extension-header of test_field and value of test_string:
wsp x-header test_field = test_string
wtp any-match

This command allows you to define rule expressions to match all Wireless Transaction Protocol (WTP) packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wtp
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all WTP packets.


Example:
The following command defines a rule expression to match all WTP packets:
wtp any-match = TRUE
wtp downlink

This command allows you to define rule expressions to match downlink (network to subscriber) WTP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wtp
downlink operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the downlink (from the Mobile Node direction) status to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match downlink WTP packets.


Example:
The following command defines a rule expression to match all downlink WTP packets:
wtp downlink = TRUE
wtp gtr

This command allows you to define rule expressions to match Group Transmission (GTR) flag in the current WTP PDU.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wtp
gtr operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match the GTR flag (that indicates the last packet of a packet group) in the current WTP PDU.


Example:
The following command defines a rule expression to match WTP user traffic based on WTP GTR:
wtp gtr = TRUE
wtp pdu-length

This command allows you to define rule expressions to match WTP PDU length.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wtp
pdu-length operator pdu_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
pdu_length

Specifies the WTP PDU length (in bytes) to match.

pdu_length must be an integer from 1 through 65535.


Usage:

Use this command to define rule expressions to match WTP PDU length (header + payload) in bytes.


Example:
The following command defines a rule expression to match WTP PDU length of 9647 bytes:
wtp pdu-length = 9647
wtp pdu-type

This command allows you to define rule expressions to match WTP PDU type.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wtp
pdu-type operator
pdu_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
pdu_type

Specifies the WTP PDU type to match.

pdu_type must be one of the following:

  • abort
  • ack
  • invoke
  • negative-ack
  • result
  • segment-invoke
  • segment-result

Usage:

Use this command to define rule expressions to match WTP PDU type.


Example:
The following command defines a rule expression to match the WTP PDU type result:
wtp pdu-type = result
wtp previous-state

This command allows you to define rule expressions to match previous WTP state.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wtp
previous-state operator wtp_previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
wtp_previous_state

Specifies the previous state to match.

wtp_previous_state must be one of the following:

  • ack-sent
  • init
  • invoke-sent
  • rcvd
  • result-rcvd

Usage:

Use this command to define rule expressions to match WTP previous state.


Example:
The following command defines a rule expression to match user traffic based on WTP previous state of ack-sent:
wtp previous-state = ack-sent
wtp rid

This command allows you to define rule expressions to match Re-transmission Indicator (RID) flag set in WTP traffic.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wtp
rid operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match WTP RID flag.


Example:
The following command defines a rule expression to match user traffic containing WTP RID flag:
wtp rid = TRUE
wtp state

This command allows you to define rule expressions to match current WTP state.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wtp
state operator current_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
current_state

Specifies the current state to match.

current_state must be one of the following:

  • ack-sent
  • close
  • init
  • invoke-sent
  • rcvd
  • result-rcvd

Usage:

Use this command to define rule expressions to match current WTP state.


Example:
The following command defines a rule expression to match user traffic based on current WTP state close:
wtp state = close

wtp tid

This command allows you to define rule expressions to match WTP Transaction Identifier (TID).

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wtp
tid operator transaction_id
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
transaction_id

Specifies the transaction identifier to match.

transaction_id must be an integer from 0 through 65535.


Usage:

Use this command to define rule expressions to match WTP TID. This expression ignores the high order bit in the protocol that indicates the direction.


Example:
The following command defines a rule expression to match user traffic containing WTP TID value of 22:
wtp tid = 22 
wtp transaction class

This command allows you to define rule expressions to match WTP Transaction Class (TCL) state.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wtp
transaction class operator transaction_class
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
transaction_class

Specifies the WTP TCL to match.

transaction_class must be an integer from 0 through 2.


Usage:

Use this command to define rule expressions to match WTP transaction class.


Example:
The following command defines a rule expression to match WTP traffic based on WTP transaction class 2:
wtp transaction class = 2
wtp ttr

This command allows you to define rule expressions to match WTP Trailer Transmission (TTR) flag.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wtp
ttr operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match TTR flag (used to indicate the last packet in a segmented message) in the current WTP PDU.


Example:
The following command defines a rule expression to match WTP traffic based on the presence of the WTP TTR flag:
wtp ttr = TRUE
wtp uplink

This command allows you to define rule expressions to match uplink (subscriber to network) WTP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] wtp
uplink operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match uplink WTP packets.


Example:
The following command defines a rule expression to match all uplink WTP packets:
wtp uplink = TRUE
www any-match

This command allows you to define rule expressions to match all WWW packets. It is true for HTTP, WAP1.x, and WAP2.0 protocols.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] www
any-match operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match all WWW packets. This expression is true for HTTP, WAP1.x, and WAP2.0 protocols


Example:
The following command defines a rule expression to match all WWW packets:
www any-match = TRUE
www content type

This command allows you to define rule expressions to match the Content-Type field of HTTP/WSP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] www
content type [ case-sensitive ] operator content_type
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
content_type

Specifies the value to match.

content_type must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match the “content type” field of HTTP/WSP header.


Example:
The following command defines a rule expression to match the WWW content type Accept:
www content type = Accept
www domain

This command allows you to define rule expressions to match the domain portion of URIs in WSP/HTTP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] www
domain [ case-sensitive ] operator domain
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
domain

Specifies the domain to match.

domain must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to define rule expressions to match the domain portion of URIs in WSP/HTTP packets.

From the URL, after http:// (if present) is removed, everything until the first "/" is the domain.


Example:
The following command defines a rule expression to match user traffic based on domain name testdomain:
www domain = testdomain
www downlink

This command allows you to define rule expressions to match downlink (network to subscriber) HTTP/WSP packets.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] www
downlink operator
condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match downlink HTTP/WSP packets.


Example:
The following command defines a rule expression to match all downlink WWW packets:
www downlink = TRUE
www first-request-packet

This command allows you to define rule expressions to match the GET or POST request, if it is the first WSP/HTTP request for the subscriber's session.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] www
first-request-packet operator condition
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • FALSE
  • TRUE

Usage:

Use this command to define rule expressions to match the GET or POST request, if it is the first WSP/HTTP request for the subscriber's session.


Example:
The following command defines a rule expression to match user traffic based on the WWW first-request-packet:
www first-request-packet = TRUE
www header-length

This command allows you to define rule expressions to match WWW packet header length.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] www
header-length operator header_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
header_length

Specifies the WWW packet header length (in bytes) to match, header_length must be an integer from 0 through 65535.


Usage:

Use this command to define rule expressions to match WWW packet header length.


Example:
The following command defines a rule expression to match user traffic based on WWW packet header length of 10000 bytes:
www header-length = 10000
www host

This command allows you to define rule expressions to match the “host name” header field present in HTTP/WSP headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] www
host [ case-sensitive ] operator host_name
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
host_name

Specifies the WWW host name to match.

host_name must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match the host name header field present in HTTP/WSP headers.


Example:
The following command defines a rule expression to match user traffic based on WWW host name host1:
www host = host1
www payload-length

This command allows you to define rule expressions to match WWW payload length.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] www
payload-length operator payload_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
payload_length

Specifies the payload length (in bytes) to match.

payload_length must be an integer from 1 through 4000000000.


Usage:

Use this command to define rule expressions to match WWW payload length.


Example:
The following command defines a rule expression to match user traffic based on WWW payload length of 10000:
www payload-length = 10000
www pdu-length

This command allows you to define rule expressions to match WWW PDU length.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] www
pdu-length operator pdu_length
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
pdu_length

Specifies the WWW PDU length (in bytes) to match.

pdu_length must be an integer from 0 through 65535.


Usage:

Use this command to define rule expressions to match WWW PDU length (header + payload) in bytes.


Example:
The following command defines a rule expression to match user traffic based on WWW PDU length of 9767 bytes:
www pdu-length = 9767
www previous-state

This command allows you to define rule expressions to match previous HTTP/WSP(HTTP) state.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] www
previous-state operator www_previous_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
www_previous_state

Specifies the previous state to match.

www_previous_state must be one of the following:

  • init
  • response-error
  • response-ok
  • waiting-for-response

Usage:

Use this command to define rule expressions to match a previous HTTP/WSP(HTTP) state.


Example:
The following command defines a rule expression to match user traffic based on WWW previous state init:
www previous-state = init
www reply code

This command allows you to define rule expressions to match WWW reply code arguments.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] www
reply code operator reply_code
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • <=: Lesser than or equals
  • =: Equals
  • >=: Greater than or equals
reply_code

Specifies the reply code to match.

reply_code must be an integer from 100 through 599.


Usage:

Use this command to define rule expressions to match HTTP 1.1 status code, or WSP status code that has been remapped to the corresponding HTTP value.

WSP status codes 0 – 101 are automatically remapped to the HTTP status code values, as defined by Table 36 WAP-230-WSP Version 5.


Example:
The following command defines a rule expression to analyze WWW user traffic based on reply code of 125:
www reply code = 125
www state

This command allows you to define rule expressions to match current HTTP/WSP(HTTP) state.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] www
state operator current_state
no

If previously configured, deletes the specified rule expression from the current ruledef.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
current_state

Specifies the current state to match.

current_state must be one of the following:

  • close
  • response-error
  • response-ok
  • waiting-for-response

Usage:

Use this command to define rule expressions to match current HTTP/WSP state.


Example:
The following command defines a rule expression to match user traffic based on the current WWW state close:
www state = close
www transfer-encoding

This command allows you to define rule expressions to match the transfer encoding field present in HTTP/WSP(HTTP) headers.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] www
transfer-encoding [ case-sensitive ] operator transfer_encoding
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
transfer_encoding

Specifies the WWW transfer encoding to match.

transfer_encoding must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match the “transfer encoding” field present in HTTP/WSP(HTTP) headers.


Example:
The following command defines a rule expression to match user traffic based on the WWW transfer encoding user1:
www transfer-encoding = user1
www url

This command allows you to define rule expressions to match URL for any Web protocol analyzer—HTTP, WAP1.X, WAP2.0.

Platform:

ASR 5000

Product:

ACS


Privilege:

Security Administrator, Administrator


Syntax
[ no ] www
url [ case-sensitive ] operator url
no

If previously configured, deletes the specified rule expression from the current ruledef.

case-sensitive

Specifies that the rule expression be case-sensitive. By default, rule expressions are not case-sensitive.

operator

Specifies how to match.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
url

Specifies the URL to match.

url must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.


Usage:

Use this command to define rule expressions to match the URL for any Web protocol analyzer—HTTP, WAP1.X, WAP2.0.


Example:
The following command defines a rule expression to match user traffic based on WWW URL www.abc.com:
www url = www.abc.com