Important: Up to 10 rule expressions can be configured in one ruledef.
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
Important: This command is available only in 8.1 and later releases.[ no ] bearer 3gpp apn [ case-sensitive ] operator apn_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
apn_name must be an alphanumeric string of 1 through 62 characters and may contain punctuation characters.
Important: This command is available only in 8.1 and later releases.operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
!range | range: Specifies the range criteria:
|
•
|
!range: Not in the range of
|
|
•
|
range: In the range of
|
imsi-pool imsi_pool_name
imsi_pool_name must be the name of an IMSI pool, and must be an alphanumeric string of 1 through 63 characters.
The following command defines a rule expression to analyze user traffic for the IMSI number 9198838330912:
Important: This command is available only in 8.1 and later releases.[ no ] bearer 3gpp rat-type operator rat_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
rat_type must be one of the following:
|
•
|
geran: GSM EDGE Radio Access Network type
|
|
•
|
utran: UMTS Terrestrial Radio Access Network type
|
|
•
|
wlan: Wireless LAN type
|
Important: This command is available only in 8.1 and later releases.[ no ] bearer 3gpp sgsn-address operator ip_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
ip_address must be in IPv4 dotted-decimal or IPv6 colon-separated notation.
Use this command to define rule expressions to match IP address of an SGSN node. This command replaces the bearer sgsn-address command.
[ no ] bearer 3gpp2 bsid [ case-sensitive ] use-group-of-objects operator string
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
If the use-group-of-objects keyword is not included in the command, string specifies name of the matching 3GPP2 service Base Station ID (BSID) in bearer flow.
If the use-group-of-objects keyword is included in the command, string must be the name of the group-of-objects to use. In this case, it is checked if the rule is satisfied for either one or none of the objects in the group-of-objects depending upon the operator used. For example, if the operator is contains, the expression would be true if any of the objects in the specified object group is contained in the BSID. If the operator is !contains, then the expression would be true if none of the objects in the object group is contained in the BSID.
string must be an alphanumeric string of 1 through 16 characters, and may contain punctuation characters.
The following command defines a rule expression to analyze user traffic for 3GPP2 BSID named bs001_xyz:
[ no ] bearer 3gpp2 service-option operator service_option_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
service_option_codemust be an integer from 0 through 1000.
This command allows you to define rule expressions to match the APN used for the subscriber session.
Important: In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp apn command.[ no ] bearer apn [ case-sensitive ] operator apn_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
apn_name must be the name of an APN, and must be an alphanumeric string of 1 through 62 characters and may contain punctuation characters.
Important: In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp imsi command.operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
|
•
|
!range: Not in the range of
|
|
•
|
range: In the range of
|
imsi-pool imsi_pool_name
imsi_pool_name must be the name of an IMSI pool, and must be an alphanumeric string of 1 through 63 characters.
The following command defines a rule expression to match user traffic based on IMSI number 9198838330912:
Important: In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp rat-type command.[ no ] bearer rat-type operator rat_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
rat_type must be one of the following:
|
•
|
geran: GSM EDGE Radio Access Network type
|
|
•
|
utran: UMTS Terrestrial Radio Access Network type
|
|
•
|
wlan: Wireless LAN type
|
Important: In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp sgsn-address command.[ no ] bearer sgsn-address operator address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
address must be in IPv4 dotted-decimal or IPv6 colon-separated notation.
The following command defines a rule expression to match user traffic based on SGSN node IP address 10.1.1.1:
Important: This functionality is available only if the Content Access Control license has been installed on the chassis. [ no ] bearer traffic-group operator group_number
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
group_number must be an integer from 1 through 255.
Use this command to define rule expressions to match traffic group of the subscriber session. See the fa-ha-spi command in the HA Service Configuration Mode Commands chapter for more information.
Specifies the quota state of a subscriber for prepaid credit control service. Release 12.0 onwards, this command should be used as a post-processing rule. For more information on post-processing policy command, refer to the ACS Rulebase Configuration Mode Commands chapter in this guide.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
If a subscriber has exhausted the quota but has not exhausted the qualified period, a different charging-action can be applied via the cca quota-state command.
The following command defines a rule expression to match user traffic based on the Credit-Control Application (CCA) quota state limit-reached:
This command allows you to define rule expressions to match redirect-indicator state of the Credit Control Application. Release 12.0 onwards, this command should be used as a post-processing rule. For more information on post-processing policy command, refer to ACS Rulebase Configuration Mode Commands chapter in this reference.
[ no ] cca redirect-indicator operator redirect_indicator
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
Important: For the RADIUS server configured with different values to return for this AVP, the ACS requires ruledefs to match the different values for system to associate with charging actions that have different redirect URLs configured.The following command defines a rule expression to match redirect indicator 1234 for the URL Redirect AVP:
[ no ] dns answer-name [ case-sensitive ] operator value
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
value must be an alphanumeric string of 1 through 255 characters and may contain punctuation characters.
[ no ] dns any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] dns previous-state operator dns_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
dns_previous_state must be one of the following:
|
•
|
|
•
|
[ no ] dns query-name [ case-sensitive ] operator query_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
query_name must be an alphanumeric string of 1 through 255 characters and may contain punctuation characters.
[ no ] dns return-code operator return_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
return_code must be one of the following:
|
•
|
|
•
|
[ no ] dns state operator dns_current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
dns_current_state must be one of the following:
|
•
|
|
•
|
[ no ] dns tid operator tid_value
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
tid_value must be an integer from 1 through 65535.
[ no ] email { cc | content { class | type } | from | size | subject | to } [ case-sensitive ] operator value
operator must be one of the following except for size:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
operator must be one of the following for size:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
value must be an alphanumeric string and can contain punctuation characters.
|
•
|
cc: A string of 1 through 512 characters
|
|
•
|
content: A string of 1 through 128 characters
|
|
•
|
from: A string of 1 through 64 characters
|
|
•
|
size: A range of bytes from 1 through 4000000000 bytes
|
|
•
|
subject: A string of 1 through 128 characters
|
|
•
|
to: A string of 1 through 512 characters
|
The following command defines a rule expression to analyze user traffic for the occurrence of triangle in the “cc” field of e-mail messages:
[ no ] file-transfer any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] file-transfer chunk-number operator chunks_number
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
chunks_number must be an integer from 1 through 65535.
The following command defines a rule expression to match 150 number of chunks:
[ no ] file-transfer current-chunk-length operator current_chunk_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
current_chunk_length must be an integer from 1 through 40000000.
The following command defines a rule expression to match length of current HTTP chunk as 1500000 bytes:
[ no ] file-transfer declared-chunk-length operator declared_chunk_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
declared_chunk_length must be an integer from 1 through 40000000.
The following command defines a rule expression to match declared length of the current HTTP chunk as 2500000 bytes:
[ no ] file-transfer declared-file-size operator declared_file_size
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
declared_file_size must be an integer from 1 through 40000000.
[ no ] file-transfer filename [ case-sensitive ] operator file_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
file_name must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
[ no ] file-transfer previous-state operator file_transfer_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
file_transfer_previous_state must be one of the following:
|
•
|
init: Specifies previous state as initialization.
|
|
•
|
request-sent: Specifies previous state as request sent.
|
|
•
|
transfer-error: Specifies previous state as transfer error.
|
|
•
|
transfer-ok: Specifies previous state as transfer ok.
|
[ no ] file-transfer state operator file_transfer_current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
file_transfer_current_state must be one of the following
|
•
|
init: Specifies current state as initialization.
|
|
•
|
request-sent: Specifies current state as request sent.
|
|
•
|
transfer-error: Specifies current state as transfer error.
|
|
•
|
transfer-ok: Specifies current state as transfer ok.
|
[ no ] file-transfer transferred-file-size operator transferred_file_size
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
transferred_file_size must be an integer from 1 through 4000000000.
[ no ] ftp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] ftp client-ip-address operator ip_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
ip_address must be in IPv4 dotted-decimal or IPv6 colon-separated notation.
[ no ] ftp client-port operator port_number
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port_number must be an integer from 1 through 65535.
[ no ] ftp command args [ case-sensitive ] operator argument
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
argument must be an alphanumeric string of 1 through 127 characters.
The following command defines a rule expression to match argument ascii within an FTP command:
[ no ] ftp command id operator command_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
In 8.3 and earlier releases, command_id must be an integer from 0 through 15.
In 9.0 and later releases, command_id must be an integer from 0 through 18.
[ no ] ftp command name operator command_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
command_name must be one of the following:
|
•
|
abor: Abort command
|
|
•
|
cwd: Current working directory command
|
|
•
|
eprt: eprt command
|
|
•
|
epsv: epsv command
|
|
•
|
list: List command
|
|
•
|
mode: Transfer mode command
|
|
•
|
pass: Password command
|
|
•
|
pasv: Passive command
|
|
•
|
port: Port command
|
|
•
|
quit: Quit command
|
|
•
|
rest: Restore command
|
|
•
|
retr: Retry command
|
|
•
|
stor: Store command
|
|
•
|
stru: File structure command
|
|
•
|
syst: System command
|
|
•
|
type: Type command
|
|
•
|
user: User command
|
[ no ] ftp connection-type operator connection_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
connection_type must be one of the following:
|
•
|
0: Unknown
|
|
•
|
1: Control connection
|
|
•
|
2: Data connection
|
[ no ] ftp data-any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] ftp filename [ case-sensitive ] operator file_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
file_name must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
[ no ] ftp pdu-length operator pdu_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
pdu_length must be an integer from 0 through 65535.
[ no ] ftp pdu-type operator pdu_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
pdu_type must be one of the following:
|
•
|
0: Unknown
|
|
•
|
1: Command
|
|
•
|
2: Reply
|
[ no ] ftp previous-state operator ftp_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
ftp_previous_state must be one of the following:
|
•
|
[ no ] ftp reply code operator reply_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
reply_code must be an integer from 100 through 599.
[ no ] ftp server-ip-address operator ip_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
ip_address must be in IPv4 dotted-decimal or IPv6 colon-separated notation.
[ no ] ftp server-port operator port
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port must be an integer from 1 through 65535.
[ no ] ftp session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
session_length must be an integer from 1 through 4000000000.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
[ no ] ftp url [ case-sensitive ] operator url
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
url must be an alphanumeric string of 1 through 127 characters.
The following command defines a rule expression to match the URL ftp://rfc.ietf.org/rfc/rfc1738.txt:
[ no ] ftp user [ case-sensitive ] operator ftp_user
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
ftp_user must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
[ no ] http any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
attribute must be an alphanumeric string of 1 through 31 characters.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
attribute must be an alphanumeric string of 1 through 31 characters.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
[ no ] http content disposition [ case-sensitive ] operator content_disposition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_disposition must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters.
[ no ] http content length operator content_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
content_length must be an integer from 1 through 4000000000.
The following command defines a rule expression to match value of 10000 bytes in HTTP Content-Length entity-header field:
[ no ] http content type [ case-sensitive ] operator content_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_type must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
Use this command to define rule expressions to match value in HTTP Content-Type entity-header field.
The following command defines a rule expression to match abc100 in HTTP Content-Type entity-header field:
[ no ] http domain [ case-sensitive ] operator domain
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
domain must be an alphanumeric string of 1 through 127 characters.
The following command defines a rule expression to match user traffic based on domain name testdomain:
[ no ] http error operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
The following command defines a rule expression to match user traffic based on HTTP error status of TRUE:
[ no ] http first-request-packet operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] http header-length operator header_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
header_length must be an integer from 0 through 65535.
This command allows you to define rule expressions to match value in HTTP Host request-header field.
[ no ] http host [ case-sensitive ] operator host_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
host_name must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
The following command defines a rule expression to match host1 in HTTP Host request-header field:
[ no ] http payload-length operator payload_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
payload_length must be an integer from 1 through 4000000000.
[ no ] http pdu-length operator pdu_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
pdu_length must be an integer from 0 through 65535.
[ no ] http previous-state operator http_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
http_previous_state must be one of the following:
|
•
|
init: Initialized state
|
|
•
|
response-error: Response error state
|
|
•
|
response-ok: Response ok state
|
|
•
|
waiting-for-response: Waiting for response state
|
[ no ] http referer [ case-sensitive ] operator referer_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
referer_name must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
[ no ] http reply code operator reply_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
reply_code must be an integer from 100 through 599.
[ no ] http request method operator request_method
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
request_method must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match user traffic based on HTTP request method connect:
[ no ] http session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
session_length must be an integer from 1 through 4000000000.
[ no ] http state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
close: Closed state
|
|
•
|
response-error: Response error state
|
|
•
|
response-ok: Response ok state
|
|
•
|
waiting-for-response: Waiting for response state
|
[ no ] http transaction-length { operator transaction_length | { { range | !range } range_from to range_to } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
transaction_length must be an integer from 1 through 4000000000.
|
•
|
range: Enables the range criteria for HTTP transaction length.
|
|
•
|
!range: Disables the range criteria for HTTP transaction length.
|
|
•
|
range_from: Specifies the start of range (in bytes) for HTTP transaction length.
|
|
•
|
range_to: Specifies the end of range (in bytes) for HTTP transaction length.
|
[ no ] http transfer-encoding [ case-sensitive ] operator transfer_encoding
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
transfer_encoding must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters.
The following command defines a rule expression to match the value chunked in HTTP Transfer-Encoding general-header field:
[ no ] http uri [ case-sensitive ] operator uri
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
uri must be an alphanumeric string of 1 through 127 characters, and can contain punctuation characters, and excludes the “host” portion.
The following command defines a rule expression to match the HTTP URI string http://www.somehost.com:
[ no ] http url [ case-sensitive ] operator url
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
url must be an alphanumeric string of 1 through 127 characters. that allows punctuation characters and includes “host + URI” for HTTP PDUs.
The following command defines a rule expression to match the HTTP URL http://rfc.ietf.org/rfc/rfc1738.txt:
[ no ] http user-agent [ case-sensitive ] operator user_agent
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
user_agent must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
The following command defines a rule expression to match xyz.123 in HTTP user-agent header field:
[ no ] http version [ case-sensitive ] operator http_version
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
http_version must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters.
field_name must be an alphanumeric string of 1 through 31 characters.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
string must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
The following command defines a rule expression to match the extension-header test_field for the value test_string:
[ no ] icmp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
This command allows you to define rule expressions to match value in the Code field of ICMP packets.
[ no ] icmp code operator code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
code must be an integer from 0 through 255.
[ no ] icmp type operator type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
type must be an integer from 0 through 255. For example, 0 for Echo Reply, 3 for Destination Unreachable, and 5 for Redirect.
[ no ] icmpv6 any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] icmpv6 code operator code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
code must be an integer from 0 through 255.
[ no ] icmpv6 type operator type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
type must be an integer from 0 through 255. For example, 129 for Echo Reply, 3 for Time Exceeded, and 137 for Redirect Message.
This is the same as the rule expression http any-match = true.
This is the same as requiring “wsp any-match = true” but “wtp any-match = false” (that is, connection-less WAP1.x).
This is the same as the combined rule expression “wsp any-match = true” and “wtp any-match = true” (that is, connection-oriented WAP1.x).
content-id content_id
In 12.1 and earlier releases, content_id must be an integer from 1 through 65535.
In 12.2 and later releases, content_id must be an integer from 1 through 2147483647.
This command is only effective for charging ruledefs. See the rule-application command for information on how to configure charging ruledefs.
Presumably, the ruledef would have another configurable like “www url contains foo”, which would cause it to use different content IDs when "foo" was accessed, depending upon the protocol being used.
[ no ] imap any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] imap cc [ case-sensitive ] operator cc_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
cc_address must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
The following command defines a rule expression to match recipient address triangle@xyz.com in the “cc” field of e-mails in IMAP messages:
This command allows you to define rule expressions to match embedded IMAP commands in IMAP messages.
[ no ] imap command operator command
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
command must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match close command in IMAP messages:
[ no ] imap content class [ case-sensitive ] operator content_class
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_class must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
The following command defines a rule expression to analyze user traffic matching content class javax.mail.internet.MimeMultipart in the content-class field of e-mails in IMAP messages:
[ no ] imap content type [ case-sensitive ] operator content_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_type must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
The following command defines a rule expression to analyze user traffic matching content type TEXT/plain; charset=iso-8859-1 in the content-type field of e-mails in IMAP messages:
[ no ] imap date [ case-sensitive ] operator date
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
date must be an alphanumeric string of 1 through 127 characters that may include punctuation marks and spaces as shown in the example below.
The following command defines a rule expression to analyze user traffic matching date Fri, 20 Jan 2012 11:00:00 -0600 in the “date” field of e-mails in IMAP messages:
[ no ] imap final-reply operator final_reply
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
final_reply must be one of the following:
|
•
|
bad: Final reply is invalid or bad.
|
|
•
|
no: There is no final reply.
|
|
•
|
ok: Final reply is valid.
|
The following command defines a rule expression to analyze user traffic matching the final-reply condition bad in the last IMAP final-reply message:
[ no ] imap from [ case-sensitive ] operator from_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
from_address must be an alphanumeric string of 1 through 127 characters.
The following command defines a rule expression to analyze user traffic matching triangle in the “from” field of e-mails in the IMAP messages:
[ no ] imap mail-size operator mail_size
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
mail_size must be an integer from 0 through 4000000000.
The following command defines a rule expression to match users with e-mail size less than or equal to 23400 bytes:
[ no ] imap mailbox-size operator number_of_email
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
number_of_email must be an integer from 0 through 65535.
The following command defines a rule expression to match e-mail users having less than or equal to 1024 e-mail messages in their mailboxes:
[ no ] imap message-type operator message_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
message_type must be one of the following:
|
•
|
command-continuation-reply: Message with command-continuation-reply type.
|
|
•
|
final-reply: Message is of final reply type.
|
|
•
|
request: There is of request type.
|
|
•
|
untagged-reply: Message of reply type, but without any tag.
|
[ no ] imap previous-state operator imap_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
imap_previous_state must be one of the following:
|
•
|
init: Message in initialization state.
|
|
•
|
request-sent: Message in request-sent state.
|
[ no ] imap session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
session_length must be an integer from 1 through 4000000000.
The following command defines a rule expression to match IMAP sessions with length less than or equal to 4000 bytes:
[ no ] imap session-previous-state operator imap_session_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
imap_session_previous_state must be one of the following:
|
•
|
authenticated: Session authenticated
|
|
•
|
connected: Session connected
|
|
•
|
init: Session initialized
|
|
•
|
mailbox-selected: Mailbox selected
|
[ no ] imap session-state operator session_current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
session_current_state must be one of the following:
|
•
|
authenticated: Session authenticating.
|
|
•
|
connected: Session connecting.
|
|
•
|
logout: Session logged out.
|
|
•
|
mailbox-selected: Mailbox selecting.
|
The following command defines a rule expression to match IMAP sessions with current state connected:
[ no ] imap state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
request-sent: Request message sent
|
|
•
|
response-fail: Request response failed
|
|
•
|
response-ok: Request response is good
|
The following command defines a rule expression to match IMAP sessions with current state response-fail:
[ no ] imap subject [ case-sensitive ] operator subject
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
subject must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters and space as shown in the example below.
The following command defines rule expression to match occurrence of the string My test in the “subject” field of e-mails in IMAP message:
[ no ] imap to [ case-sensitive ] operator to
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
to must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
The following command defines a rule expression to analyze user traffic matching the occurrence xyz.com in the “to” field of e-mails in the IMAP message:
[ no ] ip any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] ip downlink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] ip dst-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool_name }
operator: Specifies how to match.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
ip_address: Specifies the IP address of the destination node for outgoing traffic. ip_address must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated notation.
ip_address/mask: Specifies the IP address of the destination node for outgoing traffic. ip_address/mask must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated notation with subnet mask bit. The mask bit is a numeric value which corresponding to the number of bits in the subnet mask.
{ !range | range } host-pool host_pool_name
!range | range: Specifies the range criteria:
|
•
|
!range: Not in the range of
|
|
•
|
range: In the range of
|
host-pool host_pool_name: Specifies the name of the host pool. host_pool_name must be an alphanumeric string of 1 through 63 characters.
[ no ] ip error operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals—available only in 8.1 and later releases
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals—available only in 8.1 and later releases
|
protocol_assignment_no must be an integer from 0 through 255.
protocol must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
[ no ] ip server-domain-name operator domain_name
operator must be one of the following:
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
domain_name must be an alphanumeric string of 1 through 127 characters.
[ no ] ip server-ip-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool_name }
operator: Specifies how to match.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
ip_address: Specifies the server IP address. For uplink packets (subscriber to network), this field matches the destination IP address in the IP header. For downlink packets (network to subscriber), this field matches the source IP address in the IP header.ip_address must be an IP address in IPv4 dotted-decimal notation or IPv6 colon-separated notation.
ip_address/mask: Specifies the server IP address with subnet mask bit. For uplink packets (subscriber to network), this field matches the destination IP address in the IP header. For downlink packets (network to subscriber), this field matches the source IP address in the IP header. ip_address/mask must be an IP address in IPv4 dotted-decimal notation or IPv6 colon-separated notation with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.
{ !range | range } host-pool host_pool_name
!range | range: Specifies the range criteria:
|
•
|
!range: Not in the range of
|
|
•
|
range: In the range of
|
host-pool host_pool_name: Specifies name of the host pool. host_pool_name must be an alphanumeric string of 1 through 63 characters.
The following command defines a rule expression to match user traffic based on IPv4 server address 10.1.1.1:
[ no ] ip src-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool_name }
operator: Specifies how to match.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
ip_address: Specifies IP address of the source node for incoming traffic. ip_address must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated notation.
ip_address/mask: Specifies the IP address of the source node for incoming traffic with subnet mask bit. ip_address/mask must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated notation with subnet mask bit. The mask bit is a numeric value which corresponds to the number of bits in the subnet mask.
{ !range | range } host-pool host_pool_name
!range | range: Specifies the range criteria:
|
•
|
!range: Not in the range of
|
|
•
|
range: In the range of
|
host-pool host_pool_name: Specifies name of the host pool. host_pool_name must be a string of 1 through 63 characters.
The following command defines a rule expression to match user traffic based on IPv4 source address 10.1.1.1:
[ no ] ip subscriber-ip-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool_name }
operator: Specifies how to match.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
ip_address: Specifies the subscriber IP address. Depending on the direction of packet this IP address will be either the IP source address or the IP destination address. ip_address must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated notation.
ip_address/mask: Specifies the subscriber IP address with subnet mask bit. Depending on the direction of packet this IP address will either be the IP source address or the IP destination address. ip_address/mask must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated notation with subnet mask bit. The mask bit is a numeric value which corresponds to the number of bits in the subnet mask.
{ !range | range } host-pool host_pool_name
!range | range: Specifies the range criteria:
|
•
|
!range: Not in the range of
|
|
•
|
range: In the range of
|
host-pool host_pool_name: Specifies the name of the host pool. host_pool_name must be an alphanumeric string of 1 through 63 characters.
[ no ] ip total-length operator total_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
total_length must be an integer from 0 through 4096.
The following command defines a rule expression to match user traffic based on IP total length of 2000 bytes:
[ no ] ip uplink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] ip version operator ip_version
operator must be = (equals).
ip_version must be one of the following:
|
•
|
|
•
|
[ no ] mms any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] mms bcc [ case-sensitive ] operator bcc_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
bcc_address must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters and space.
The following command defines a rule expression to match recipient address containing test1 in “bcc” field of MMS messages:
[ no ] mms cc [ case-sensitive ] operator cc_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
cc_address must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters and space.
The following command defines a rule expression to match recipient address containing test1 in the “cc” field of MMS messages:
[ no ] mms content location [ case-sensitive ] operator string
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
string must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters and space.
The following command defines a rule expression to match test1 in content-location field of MMS messages:
[ no ] mms content type [ case-sensitive ] operator content_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_type must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters and space.
The following command defines a rule expression to match image in content-type field of MMS messages:
[ no ] mms downlink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] mms from [ case-sensitive ] operator from_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
from_address must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters and space.
The following command defines a rule expression to match test1 in the “from” field of MMS messages:
[ no ] mms message-id [ case-sensitive ] operator message_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
message_id must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
The following command defines a rule expression to match test1 in the “message ID” field of MMS messages:
[ no ] mms pdu-type operator pdu_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
pdu_type must be one of the following:
|
•
|
mms-pdu-type-response: This option is deprecated. Use the mms_pdu_type_m_retrieve_conf option instead.
|
The following command defines a rule expression to match PDU type mms-pdu-type-m-http-get in the current MMS packet:
[ no ] mms previous-state operator mss_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
mms_previous_state must be one of the following:
|
•
|
delayed-ack-pending: This option is deprecated, use retrieve-conf-received.
|
|
•
|
delayed-m-notify-rsp-sent: This option is deprecated, use notify-rsp-sent.
|
|
•
|
delayed-retrieval-pending: This option is deprecated, use retrieval-pending.
|
|
•
|
immediate-retrieval-pending: This option is deprecated, use retrieval-pending.
|
|
•
|
|
•
|
m-send-conf-rcvd: This option is deprecated, use send-success.
|
The following command defines a rule expression to match user traffic based on MMS previous state of retrieval-pending:
[ no ] mms response status operator status_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
status_code must be an integer from 128 through 136.
[ no ] mms state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
delayed-ack-pending: This option is deprecated, use retrieve-conf-received.
|
|
•
|
delayed-m-notify-rsp-sent: This option is deprecated, use notify-rsp-sent.
|
|
•
|
delayed-retrieval-pending: This option is deprecated, use retrieval-pending.
|
|
•
|
immediate-retrieval-pending: This option is deprecated, use retrieval-pending.
|
|
•
|
m-send-conf-rcvd: This option is deprecated, use send-success.
|
The following command defines a rule expression to match user traffic based on the current state of MMS session as retrieval-failed:
[ no ] mms status operator status
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
status must be an integer from 128 through 132.
The following command defines a rule expression to match user traffic based on MMS current status 130:
[ no ] mms subject [ case-sensitive ] operator subject_string
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
subject_string must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters and space.
The following command defines a rule expression to match test1 in the “subject” field of MMS messages:
[ no ] mms tid [ case-sensitive ] operator transaction_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
transaction_id must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
The following command defines a rule expression to match test in TID field of MMS messages:
[ no ] mms to [ case-sensitive ] operator to_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
to_address must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters and space.
The following command defines a rule expression to match user traffic based on test in “to” field of MMS messages:
[ no ] mms uplink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must one of the following:
|
•
|
|
•
|
[ no ] mms version operator version
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
version must be an integer from 1 through 65535.
Important: MMS protocol analyzer supports decoding of only MMS version 1.0.The following command defines a rule expression to match MMS version 1.0 in MMS packets:
When a ruledef is evaluated, if the multi-line-or all-lines command is configured, the logical OR operator is applied to all the rule expressions in the ruledef to decide if the ruledef matches or not. If the multi-line-or all-lines command is not configured, the logical AND operator is applied to all the rule expressions.
[ no ] p2p any-match operator condition
operator must be one of the following:
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
TRUE: The rule matches any P2P traffic.
|
|
•
|
FALSE: The rule does not match any P2P traffic.
|
This command allows you to define rule expressions to match P2P protocol. This command must be used for charging purposes. It must not be used for detection purposes.
[ no ] p2p protocol operator protocol
operator must be = (equals).
protocol must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
Important: The facetime protocol is available only in 9.0 and in 11.0 and later releases.|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
Important: The gamekit protocol is available only in 9.0 and in 11.0 and later releases.|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
Use this command to define rule expressions to detect P2P protocols for charging purposes. For detection purposes use the p2p-detection protocol command in the ACS Configuration Mode.
[ no ] p2p traffic-type operator traffic_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
In 11.0 and later releases, traffic_type must be one of the following:
|
•
|
|
•
|
[ no ] pop3 any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] pop3 command args [ case-sensitive ] operator argument
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
argument must be an alphanumeric string of 1 through 40 characters, and may contain punctuation characters.
[ no ] pop3 command id operator command_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
command_id must be an integer from 1 through 12.
[ no ] pop3 command name operator command_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
command_name must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match the list command sent in POP3 packets:
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
|
•
|
range: Enables the range criteria.
|
|
•
|
!range: Disables the range criteria.
|
|
•
|
range_from: Specifies start of the range.
|
range_from must be an integer from 1 through 4000000000.
|
•
|
range_to: Specifies the end range.
|
range_to must be an integer from 1 through 4000000000, and must be greater than range_from.
mail_size must be an integer from 1 through 4000000000.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
|
•
|
range: Enables the range criteria.
|
|
•
|
!range: Disables the range criteria.
|
|
•
|
range_from: Specifies the start of range as an integer from 0 through 65535.
|
|
•
|
range_to: Specifies the end range. range_to must be an integer from 0 through 65535, and must be greater than range_from.
|
pdu_length must be an integer from 0 through 65535.
[ no ] pop3 pdu-type operator pdu_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
pdu_type must be one of the following:
[ no ] pop3 previous-state operator pop3_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
pop3_previous_state must be one of the following:
|
•
|
connected: Connected state
|
|
•
|
data transaction: Data transaction state
|
|
•
|
init: Initialized state
|
|
•
|
reply-error: Reply error state
|
|
•
|
reply-ok: Response ok state
|
|
•
|
waiting-for-reply: Waiting for reply state
|
The following command defines a rule expression to match user traffic for a POP3 previous state of connected:
[ no ] pop3 reply args [ case-sensitive ] operator argument
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
In 11.0 and earlier releases, argument must be an alphanumeric string of 1 through 512 characters, and may contain punctuation characters.
In 12.0 and later releases, argument must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters.
The following command defines a rule expression to match the argument test with POP3 replies:
[ no ] pop3 reply id operator reply_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
reply_id must be one of the following:
|
•
|
0: Unknown reply
|
|
•
|
1: +OK
|
|
•
|
2: -Error
|
[ no ] pop3 reply status operator reply_status
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
reply_status must be one of the following:
|
•
|
+OK: Reply OK
|
|
•
|
-ERR: Reply error
|
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
session_length must be an integer from 1 through 4000000000.
|
•
|
range: Enables the range criteria for POP3 session length.
|
|
•
|
!range: Disables the range criteria for POP3 session length.
|
|
•
|
range_from: Specifies the start of range of POP3 session as an integer from 1 through 4000000000, but less than or equal to range_to.
|
|
•
|
range_to: Specifies the end of range of POP3 session as an integer from 1 through 4000000000, but greater than or equal to range_from.
|
[ no ] pop3 state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
|
•
|
[ no ] pop3 user-name [ case-sensitive ] operator user_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
user_name must be an alphanumeric string of 1 through 64 characters, and may contain punctuation characters and space.
[ no ] pptp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] pptp ctrl-msg-type = message_type
message_type must be one of the following:
The following command specifies to match echo-reply message type:
[ no ] pptp gre any-match = condition
condition must be one of the following:
|
•
|
|
•
|
[ no ] rtcp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
TRUE: The rule matches any RTCP traffic.
|
|
•
|
FALSE: The rule does not match any RTCP traffic.
|
[ no ] rtcp jitter operator jitter
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
jitter must be an integer from 0 through 4294967295.
Important: This command is available only in 8.1 and 9.0 and later releases.[ no ] rtcp parent-proto operator parent_protocol
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
parent_protocol must be one of the following:
|
•
|
rtsp: Real Time Streaming Protocol
|
|
•
|
sip: Session Initiation Protocol
|
[ no ] rtcp pdu-length operator pdu_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
In 8.1 and later releases, pdu_length must be an integer from 1 through 65535.
In 8.0, pdu_length must be an integer from 1 through 2000.
The following command defines a rule expression to match user traffic based on an RTCP PDU length of 10000 bytes:
[ no ] rtcp rtsp-id [ case-sensitive ] operator rtsp_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
rtsp_id must be an alphanumeric string of 1 through 32 characters.
The following command defines a rule expression to match user traffic containing RTSP message ID of test1:
[ no ] rtcp session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
In 8.1 and later releases, session_length must be an integer from 1 through 4000000000.
In 8.0, session_length must be an integer from 1 through 40000000.
[ no ] rtcp uri [ case-sensitive ] operator uri
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
uri must be an alphanumeric string of 1 through 127 characters and may include punctuation characters.
The following command defines a rule expression to match user traffic for RTCP URI rtsp://www.example.org:
[ no ] rtp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
Important: This command is available only in 8.1 and in 9.0 and later releases.[ no ] rtp parent-proto operator parent_protocol
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
parent_protocol must be one of the following:
|
•
|
rtsp: Real Time Streaming Protocol
|
|
•
|
sip: Session Initiation Protocol
|
[ no ] rtp pdu-length operator pdu_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
In 8.1 and later releases, pdu_length must be an integer from 1 through 65535.
In 8.0, pdu_length must be an integer from 1 through 2000.
[ no ] rtp rtsp-id [ case-sensitive ] operator rtsp_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
rtsp_id must be an alphanumeric string of 1 through 32 characters.
[ no ] rtp session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
In 8.1 and later releases, session_length must be an integer from 1 through 4000000000.
In release 8.0, session_length must be an integer from 1 through 40000000.
This command allows you to define rule expressions to match the media URI associated with RTP flows.
[ no ] rtp uri [ case-sensitive ] operator uri
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
uri must be an alphanumeric string of 1 through 127 characters. uri allows punctuation characters and excludes the “host” portion.
The following command defines a rule expression to match the RTP URI string rtsp://www.example.org:
[ no ] rtsp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
This command allows you to define rule expressions to match the content length field in RTSP header.
[ no ] rtsp content length operator content_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
content_length must be an integer from 0 through 65535.
The following command defines a rule expression to match content length of 10000 in RTSP headers:
[ no ] rtsp content type [ case-sensitive ] operator content_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_type must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters.
[ no ] rtsp date [ case-sensitive ] operator date
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
date must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters.
The following command defines a rule expression to match the date 12_04_2006 in RTSP message headers:
[ no ] rtsp previous-state operator rtsp_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
rtsp_previous_state must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
[ no ] rtsp reply code operator reply_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
reply_code must be an integer from 100 through 599.
[ no ] rtsp request method operator request_method
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
request_method must be one of the following requests:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
[ no ] rtsp request packet operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
TRUE: Is request
|
|
•
|
FALSE: Is response
|
[ no ] rtsp rtp-seq operator sequence_number
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
sequence_number must be an alphanumeric string of 0 through 65535 characters in Normal Play Time (NPT) time format.
The following command defines a rule expression to match user traffic based on RTP-seq number npt-12:34:59:
[ no ] rtsp rtp-time operator time
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
time must be an alphanumeric string of 1 through 2147483647 characters in Normal Play Time (NPT) time format.
[ no ] rtsp rtp-uri [ case-sensitive ] operator uri
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
uri must be an alphanumeric string of 1 through 127 characters. uri allows punctuation characters and excludes the “host” portion.
The following command defines a rule expression to match user traffic based on RTP-URI string rtsp://www.foo.com in the RTP-info header of RTSP packet:
[ no ] rtsp session-id [ case-sensitive ] operator session_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
session_id must be an alphanumeric string of 1 through 127 characters.
[ no ] rtsp session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
session_length must be an integer from 1 through 40000000.
[ no ] rtsp state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
[ no ] rtsp uri [ case-sensitive ] operator uri
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
uri must be an alphanumeric string of 1 through 127 characters. uri allows punctuation characters and excludes the “host” portion.
The following command defines a rule expression to match user traffic based on RTSP URI rtsp://www.example.com:554/twister/audiotrack:
[ no ] rtsp uri sub-part { { absolute-path | host | query } [ case-sensitive ] operator string | port { port_operator port_value | { range | !range } range_from to range_to } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
string must be an alphanumeric string of 1 through 127 characters. string allows punctuation characters and excludes the “host” portion.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
|
•
|
range: Enables the range criteria for RTSP flow ports.
|
|
•
|
!range: Disables the range criteria for RTSP flow ports.
|
|
•
|
range_from: Specifies the start of range of RTSP flow ports as an integer from 0 through 65535, but less than or equal to range_to.
|
|
•
|
range_to: Specifies the end of range of RTSP flow ports as an integer from 0 through 65535, but more than or equal to range_from.
|
The following command defines a URI sub part rule expression to analyze user traffic based on an RTSP URI port number between 1023 and 1068:
[ no ] rtsp user-agent [ case-sensitive ] operator user_agent
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
user_agent must be an alphanumeric string of 1 through 127 characters.
The following command defines a rule expression to match test in “user-agent” field of RTSP header:
Important: The post-processing keyword is available only in 8.3 and later releases.
Important: The tpo keyword is available only in 12.2 and later releases.[ no ] sdp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] sdp connection-ip-address operator ip_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
ip_address must be in IPv4 dotted-decimal notation.
The following command defines a rule expression to match the IP address 10.1.1.1 in the connection field of SDP descriptions:
[ no ] sdp media-audio-port operator port
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
port must be an integer from 0 through 65535.
The following command defines a rule expression to match media audio port 100 in the media sections of SDP descriptions:
[ no ] sdp media-video-port operator port
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
port must be an integer from 0 through 65535.
The following command defines a rule expression to match media video port 100 in the media sections of SDP descriptions:
[ no ] sdp uplink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
FALSE: Is not uplink
|
|
•
|
TRUE: Is uplink
|
[ no ] secure-http any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] secure-http uplink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
FALSE: Is not uplink
|
|
•
|
TRUE: Is uplink
|
[ no ] sip any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] sip call-id [ case-sensitive ] operator call_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
call-id must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
The following command defines a rule expression to match the call ID test in SIP messages:
This command allows you to define rule expressions to match the content-length field in SIP headers.
[ no ] sip content length operator content_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
content_length must be an integer from 0 through 65535.
The following command defines a rule expression to match the content length 10000 in SIP headers:
[ no ] sip content type [ case-sensitive ] operator content_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_type must be an alphanumeric string of 1 through 127 characters.
The following command defines a rule expression to match content type download_string in SIP headers:
[ no ] sip from [ case-sensitive ] operator string
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
string must be an alphanumeric string of 1 through 127 characters, and may contain punctuation characters.
The following command defines a rule expression to match test1 in the “from” field in SIP messages:
[ no ] sip previous-state operator sip_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
sip_previous_state must be one of the following:
|
•
|
The following command defines a rule expression to match user traffic based on the SIP previous state of request-sent:
[ no ] sip reply code operator reply_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
reply_code must be an integer from 100 through 699.
The following command defines a rule expression to match 180 in the reply code in SIP responses:
[ no ] sip request method operator method
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
method must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match the method bye in SIP request messages:
[ no ] sip request packet operator condition
operator must be one of the following:
|
•
|
=: Equals
|
|
•
|
!=: Does not equal
|
condition must be one of the following:
|
•
|
FALSE: Is a response
|
|
•
|
TRUE: Is a request
|
[ no ] sip state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
The following command defines a rule expression to match user traffic based on SIP current state request-sent:
[ no ] sip to [ case-sensitive ] operator to_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
to_address must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
The following command defines a rule expression to match test1 in the “to” field of SIP messages:
[ no ] sip uri [ sub-part { headers | host | parameters | port | userinfo } ] [ case-sensitive ] operator uri
|
•
|
headers: Apply the rule to SIP URI header field.
|
|
•
|
host: Apply the rule the SIP URI host field.
|
|
•
|
parameters: Apply the rule to the SIP URI parameters field.
|
|
•
|
port: Apply the rule to the SIP URI port field.
|
|
•
|
userinfo: Apply the rule to the SIP URI userinfo field.
|
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
The string for sub-part keyword port must be an integer and requires different operators. Use the following operators with the port keyword:
|
•
|
!=: Does not equal
|
|
•
|
<=: Is less than
|
|
•
|
=: Equals
|
|
•
|
>=: Is greater than
|
uri must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
The string for sub-part keyword port must be an integer from 0 through 65535.
The following command defines a rule expression to match the URI string sip:10.1.1.1:5060 in SIP messages:
The following command defines a rule expression to match the URI string sip:nnnn@host:5060;user=phone in SIP messages:
[ no ] smtp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] smtp command arguments [ case-sensitive ] operator argument
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
argument must be an alphanumeric string of 1 through 63 characters and may contain punctuation characters.
[ no ] smtp command id operator command_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
command_id must be an integer from 0 through 10.
[ no ] smtp command name operator command_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
command_name must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match data command in SMTP packets:
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
mail_size must be an integer from 1 through 40000000.
|
•
|
range: Enables the range criteria.
|
|
•
|
!range: Disables the range criteria.
|
|
•
|
range_from: Specifies the start of range as an integer from 1 through 40000000.
|
|
•
|
range_to: Specifies the end range. range_to must be an integer from 1 through 40000000, and must be greater than range_from.
|
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
pdu_length must be an integer from 1 through 65535.
|
•
|
range: Enables the range criteria.
|
|
•
|
!range: Disables the range criteria.
|
|
•
|
range_from: Specifies the start of range as an integer from 1 through 65535.
|
|
•
|
range_to: Specifies the end range. range_to must be an integer from 1 through 65535, and must be greater than range_from.
|
This command allows you to define rule expressions to match previous state of SMTP command sessions.
[ no ] smtp previous-state operator smtp_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
smtp_previous_state must be one of the following:
|
•
|
close: Closed state
|
|
•
|
init: Initialized state
|
|
•
|
response-error: Reply error state
|
|
•
|
response-ok: Response ok state
|
|
•
|
waiting-for-response: Waiting for response state
|
The following command defines a rule expression to match user traffic based on SMTP previous state close:
[ no ] smtp recipient [ case-sensitive ] operator argument
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
argument must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
The following command defines a rule expression to match recipient e-mail ID containing test in the current SMTP transaction:
[ no ] smtp reply arguments [ case-sensitive ] operator argument
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
argument must be an alphanumeric string of 1 through 63 characters and may contain punctuation characters.
The following command defines a rule expression to match reply argument forward-path in SMTP response:
[ no ] smtp reply id operator reply_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
reply_id must be one of the following:
|
•
|
0: +NO reply
|
|
•
|
1: +OK reply
|
|
•
|
2: -ERR reply
|
The following command defines a rule expression to match reply ID 2 assigned to SMTP response:
[ no ] smtp reply status operator reply_status
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
reply_status must be one of the following:
|
•
|
+OK: Response OK
|
|
•
|
-ERR: Response error
|
The following command defines a rule expression to match reply status +OK in SMTP packets:
[ no ] smtp sender [ case-sensitive ] operator sender
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
sender must be an alphanumeric string of 1 through 127 characters.
The following command defines a rule expression to match sender e-mail ID containing test in the current SMTP transaction:
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
session_length must be an integer from 1 through 40000000.
|
•
|
range: Enables the range criteria.
|
|
•
|
!range: Disables the range criteria.
|
|
•
|
range_from: Specifies the start of range as an integer from 1 through 40000000.
|
|
•
|
range_to: Specifies the end range. range_to must be an integer from 1 through 40000000, and must be greater than range_from.
|
This command allows you to define rule expressions to match current state of a SMTP command session.
[ no ] smtp state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
close: Closed state
|
|
•
|
init: Initialized state
|
|
•
|
response-error: Response of error state
|
|
•
|
response-ok: Response of ok state
|
|
•
|
waiting-for-response: Waiting for response state
|
The following command defines a rule expression to match current state as close of SMTP command session:
[ no ] tcp analyzed out-of-order operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
FALSE: Not analyzed
|
|
•
|
TRUE: Analyzed
|
[ no ] tcp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
FALSE: Not analyzed
|
|
•
|
TRUE: Analyzed
|
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
The following command defines a rule expression to match user traffic based on TCP connection initiator subscriber:
[ no ] tcp downlink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] tcp dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port_number must be an integer from 1 through 65535.
|
•
|
!range: Not in the range
|
|
•
|
range: In the range
|
|
•
|
start_range must be an integer from 1 through 65535.
|
|
•
|
end_range must be an integer from 1 through 65535, and must be greater than start_range.
|
port-map port_map_name
Specifies the port map for the port range. port_map_name must be an alphanumeric string of 1 through 63 characters.
[ no ] tcp duplicate operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
FALSE: Not duplicated/retransmitted
|
|
•
|
TRUE: Duplicated/retransmitted
|
[ no ] tcp either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port_number must be an integer from 1 through 65535.
|
•
|
!range: Not in the range
|
|
•
|
range: In the range
|
|
•
|
start_range must be an integer from 1 through 65535.
|
|
•
|
end_range must be an integer from 1 through 65535, and must be greater than start_range.
|
port-map port_map_name
Specifies the port map for the port range. port_map_name must be an alphanumeric string of 1 through 63 characters.
The following command defines a rule expression to match destination/source port number 10 in TCP header:
[ no ] tcp error operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] tcp flag operator flag
operator must be one of the following:
|
•
|
!contains: Does not contain
|
|
•
|
contains: Contains
|
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
flag must be one of the following:
|
•
|
ack: TCP FLAG ACK
|
|
•
|
fin: TCP FLAG FIN
|
|
•
|
push: TCP FLAG PUSH
|
|
•
|
reset: TCP FLAG RESET
|
|
•
|
syn: TCP FLAG SYN
|
The following command defines a rule expression to match reset within flag field of TCP headers:
[ no ] tcp initial-handshake-lost operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
hex-signature hex_string
hex_string must be a dash-delimited list of hex data of size smaller than 32.
string-signature string
string must be an alphanumeric string of 1 through 32 characters.
[ no ] tcp payload-length operator payload_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
payload_length must be an integer from 0 through 40000000.
[ no ] tcp previous-state operator tcp_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
tcp_previous_state must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match user traffic based on previous state time-wait:
[ no ] tcp proxy-prev-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
tcp state and tcp prev-state is the state of the client stack, which would be either the state of the subscriber's stack (if flow is not proxy enabled) or the MS state of proxy on the egress-side (if flow is proxy-enabled).
tcp proxy-state and tcp proxy-prev-state is the state of the embedded TCP proxy server, that is the proxy ingress-side.
So, depending on the use case, if using tcp state and tcp prev-state an existing configuration may work fine regardless of whether proxy is enabled. For other use cases, other ruledefs may have to be created.
Both tcp state and tcp proxy-state can be used in the same ruledef. If proxy was being used, they would map to the egress-side and ingress-side, respectively. If proxy was not being used, then this would not match ruledef because proxy state would not be applicable.
[ no ] tcp proxy-state operator state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
state must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
tcp state and tcp prev-state is the state of the client stack, which would be either the state of the subscriber's stack (if flow is not proxy enabled) or the MS state of proxy on egress-side (if flow is proxy-enabled).
tcp proxy-state and tcp proxy-prev-state is the state of the embedded TCP proxy server, that is the proxy ingress-side.
So, depending on the use case, if using tcp state and tcp prev-state an existing configuration may work fine regardless of whether proxy is enabled. For other use cases, other ruledefs may have to be created.
Both tcp state and tcp proxy-state can be used in the same ruledef. If proxy was being used, they would map to the egress-side and ingress-side, respectively. If proxy was not being used, then this would not match the ruledef because proxy state would not be applicable.
[ no ] tcp session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
The following command defines a rule expression to match user traffic based on TCP session length of 2000 bytes:
[ no ] tcp src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port_number must be an integer from 1 through 65535.
|
•
|
!range: Not in the range
|
|
•
|
range: In the range
|
|
•
|
start_range must be an integer from 1 through 65535.
|
|
•
|
end_range must be an integer from 1 through 65535, and must be greater than start_range.
|
port-map port_map_name
Specifies the port map for the port range. port_map_name must be an alphanumeric string of 1 through 63 characters.
The following command defines a rule expression to analyze user traffic matching TCP source port 10:
[ no ] tcp state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
[ no ] tcp uplink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
This configuration is treated in a special manner by the rule matching engine in that it is excluded from the condition multi-line-or all-lines. For example, if there are three rule-lines in a ruledef and multi-line-or is enabled as follows:
In this case, if for a packet only the rule line tethering-detection flow-tethered matches, it is not sufficient to result in a rule match even though multi-line-or all-lines is enabled in the ruledef.
[ no ] tftp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
FALSE: Not analyzed
|
|
•
|
TRUE: Analyzed
|
[ no ] tftp data-any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
FALSE: Not analyzed
|
|
•
|
TRUE: Analyzed
|
[ no ] udp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] udp downlink operator condition
operator must be one of the following:
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] udp dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port_number must be an integer from 1 through 65535.
|
•
|
!range: Not in the range
|
|
•
|
range: In the range
|
|
•
|
start_range must be an integer from 1 through 65535.
|
|
•
|
end_range must be an integer from 1 through 65535, and must be greater than start_range.
|
port-map port_map_name
Specifies the port map for the port range. port_map_name must be an alphanumeric string of 1 through 63 characters.
[ no ] udp either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port_number must be an integer from 1 through 65535.
|
•
|
!range: Not in the range
|
|
•
|
range: In the range
|
start_range must be an integer from 1 through 65535.
end_range must be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map_name
Specifies the port map for the port range. port_map_name must be an alphanumeric string of 1 through 63 characters.
hex-signature hex_string
hex_string must be a dash-delimited list of hex data of size smaller than 32.
string-signature string
string must be an alphanumeric string of 1 through 32 characters.
[ no ] udp src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port_number must be an integer from 1 through 65535.
|
•
|
!range: Not in the range
|
|
•
|
range: In the range
|
start_range must be an integer from 1 through 65535.
end_range must be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map_name
Specifies the port map for the port range. port_map_name must be an alphanumeric string of 1 through 63 characters.
The following command defines a rule expression to match source port number 10 in UDP headers:
[ no ] udp uplink operator condition
operator must be one of the following:
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wsp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wsp content type [ case-sensitive ] operator content_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_type must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
[ no ] wsp domain [ case-sensitive ] operator domain
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
domain must be an alphanumeric string of 1 through 127 characters.
The following command defines a rule expression to match user traffic based on domain name testdomain:
[ no ] wsp downlink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wsp first-request-packet operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wsp host [ case-sensitive ] operator host_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
host_name must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
The following command defines a rule expression to match host name host1 in WSP headers:
[ no ] wsp pdu-length operator pdu_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
pdu_length must be an integer from 1 through 65535.
The following command defines a rule expression to match user traffic based on WSP PDU length of 10000 bytes:
[ no ] wsp pdu-type operator pdu_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
pdu_type must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
[ no ] wsp previous-state operator wsp_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
wsp_previous_state must be one of the following:
|
•
|
[ no ] wsp reply code operator reply_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
reply_code must be an integer from 0 through 101.
[ no ] wsp session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: less than equals
|
|
•
|
=: Equals
|
|
•
|
>=: greater than equals
|
session_length must be an integer from 1 through 65535.
[ no ] wsp session-management { previous-state | state } operator state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match previous WSP Session Management state of connecting:
[ no ] wsp state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
This command has been deprecated. See the wsp reply-codecommand.
[ no ] wsp tid operator transaction_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
transaction_id must be an integer from 0 through 255.
The following command defines a rule expression to match a TID value of 22 for connection-less WSP:
This command has been deprecated. See the wsp session-length command.
[ no ] wsp transfer-encoding [ case-sensitive ] operator transfer_encoding
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
The following command defines a rule expression to match user traffic based on WSP transfer encoding 7:
[ no ] wsp uplink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wsp url [ case-sensitive ] operator url
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
url must be an alphanumeric string of 1 through 127 characters.
The following command defines a rule expression to match user traffic based on WSP URL wsp://wiki.tcl.tk:
[ no ] wsp user-agent [ case-sensitive ] operator user_agent
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
user_agent must be an alphanumeric string of 1 through 127 characters.
The following command defines a rule expression to match value test in user agent field in WSP headers:
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
The following command defines a rule expression to analyze user traffic containing WSP extension-header of test_field and value of test_string:
[ no ] wtp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wtp downlink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wtp gtr operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wtp pdu-length operator pdu_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
pdu_length must be an integer from 1 through 65535.
[ no ] wtp pdu-type operator pdu_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
pdu_type must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
[ no ] wtp previous-state operator wtp_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
wtp_previous_state must be one of the following:
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match user traffic based on WTP previous state of ack-sent:
[ no ] wtp rid operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wtp state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match user traffic based on current WTP state close:
[ no ] wtp tid operator transaction_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
transaction_id must be an integer from 0 through 65535.
The following command defines a rule expression to match user traffic containing WTP TID value of 22:
[ no ] wtp transaction class operator transaction_class
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
transaction_class must be an integer from 0 through 2.
The following command defines a rule expression to match WTP traffic based on WTP transaction class 2:
[ no ] wtp ttr operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wtp uplink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] www any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] www content type [ case-sensitive ] operator content_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_type must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
[ no ] www domain [ case-sensitive ] operator domain
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
domain must be an alphanumeric string of 1 through 127 characters.
Use this command to define rule expressions to match the domain portion of URIs in WSP/HTTP packets.
The following command defines a rule expression to match user traffic based on domain name testdomain:
[ no ] www downlink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] www first-request-packet operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] www header-length operator header_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
Specifies the WWW packet header length (in bytes) to match, header_length must be an integer from 0 through 65535.
The following command defines a rule expression to match user traffic based on WWW packet header length of 10000 bytes:
[ no ] www host [ case-sensitive ] operator host_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
host_name must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
[ no ] www payload-length operator payload_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
payload_length must be an integer from 1 through 4000000000.
The following command defines a rule expression to match user traffic based on WWW payload length of 10000:
[ no ] www pdu-length operator pdu_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
pdu_length must be an integer from 0 through 65535.
The following command defines a rule expression to match user traffic based on WWW PDU length of 9767 bytes:
[ no ] www previous-state operator www_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
www_previous_state must be one of the following:
|
•
|
The following command defines a rule expression to match user traffic based on WWW previous state init:
[ no ] www reply code operator reply_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
reply_code must be an integer from 100 through 599.
The following command defines a rule expression to analyze WWW user traffic based on reply code of 125:
[ no ] www state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
The following command defines a rule expression to match user traffic based on the current WWW state close:
[ no ] www transfer-encoding [ case-sensitive ] operator transfer_encoding
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
transfer_encoding must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
[ no ] www url [ case-sensitive ] operator url
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
url must be an alphanumeric string of 1 through 127 characters and may contain punctuation characters.
