Important: Up to 10 rule expressions can be configured in one ruledef.
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
Important: This command is available only in 8.1 and later releases.[ no ] bearer 3gpp apn [ case-sensitive ] operator apn_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
apn_name must be an alpha and/or numeric string of 1 through 62 characters in length, and can contain punctuation characters.
bearer 3gpp apn = apn12
Important: This command is available only in 8.1 and later releases.operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
{ !range | range } imsi-pool imsi_pool_name
!range | range: Specifies the range criteria:
|
•
|
!range: Not in the range of
|
|
•
|
range: In the range of
|
imsi-pool imsi_pool_name: Specifies name of the IMSI pool.
imsi_pool_name must be a string of 1 through 63 characters in length.
The following command defines a rule expression to analyze user traffic for the IMSI number 9198838330912:
bearer 3gpp imsi = 9198838330912
Important: This command is available only in 8.1 and later releases.[ no ] bearer 3gpp rat-type operator rat_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
rat_type must be one of the following:
|
•
|
geran: GSM EDGE Radio Access Network type
|
|
•
|
utran: UMTS Terrestrial Radio Access Network type
|
|
•
|
wlan: Wireless LAN type
|
Important: This command is available only in 8.1 and later releases.[ no ] bearer 3gpp sgsn-address operator ip_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
ip_address must be an SGSN IP address expressed in standard IPv4 or IPv6 dotted decimal notation.
Use this command to define rule expressions to match IP address of SGSN node. This command replaces the bearer sgsn-address command.
bearer 3gpp sgsn-address = 1.1.1.1
[ no ] bearer 3gpp2 bsid [ case-sensitive ] use-group-of-objects operator string
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
If the use-group-of-objects keyword is not included in the command, string specifies name of the matching 3GPP2 service Base Station ID (BSID) in bearer flow.
If the use-group-of-objects keyword is included in the command, string must be the name of the group-of-objects to use. In this case, it is checked if the rule is satisfied for either one or none of the objects in the group-of-objects depending upon the operator used. For example, if the operator used is contains, the expression would be true if any of the objects in the specified object group is contained in the BSID. If the operator is !contains, then the expression would be true if none of the objects in the object group is contained in the BSID.
string must be an alpha and/or numeric string of 1 through 16 characters in length, and can contain punctuation characters.
The following command defines a rule expression to analyze user traffic for 3GPP2 BSID named bs001_xyz:
bearer 3gpp2 bsid = bs001_xyz
[ no ] bearer 3gpp2 service-option operator service_option_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
service_option_code must be an integer from 0 through 1000.
Important: In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp apn command.[ no ] bearer apn [ case-sensitive ] operator apn_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
apn_name must be an alpha and/or numeric string of 1 through 62 characters in length, and can contain punctuation characters.
bearer apn = apn12
Important: In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp imsi command.operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
{ !range | range } imsi-pool imsi_pool_name
!range | range: Specifies the range criteria:
|
•
|
!range: Not in the range of
|
|
•
|
range: In the range of
|
imsi-pool imsi_pool_name: Specifies name of the IMSI pool.
imsi_pool_name must be a string of 1 through 63 characters in length.
The following command defines a rule expression to match user traffic based on IMSI number 9198838330912:
bearer imsi = 9198838330912
Important: In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp rat-type command.[ no ] bearer rat-type operator rat_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
rat_type must be one of the following:
|
•
|
geran: GSM EDGE Radio Access Network type
|
|
•
|
utran: UMTS Terrestrial Radio Access Network type
|
|
•
|
wlan: Wireless LAN type
|
Important: In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp sgsn-address command.[ no ] bearer sgsn-address operator address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
address must be an SGSN IP address expressed in standard IPv4 or IPv6 notation.
The following command defines a rule expression to match user traffic based on SGSN node IP address 1.1.1.1:
bearer sgsn-address = 1.1.1.1
Important: This functionality is available only if the Content Access Control [699-00-0011] license has been installed on the chassis. [ no ] bearer traffic-group operator group_number
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
group_number must be an integer from 1 through 255.
Use this command to define rule expressions to match traffic group value. See the fa-ha-spi command in the HA Service Configuration Mode Commands chapter for more information.
This command specifies the quota state of a subscriber for prepaid credit control service. Release 12.0 onwards, this command should be used as a post-processing rule. For more information on post-processing policy command, refer to ACS Rulebase Configuration Mode Commands chapter in this guide.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
The following command defines a rule expression to match user traffic based on CCA quota state limit-reached:
This command defines rule expressions to match the redirect-indicator state of the credit control application. Release 12.0 onwards, this command should be used as a post-processing rule. For more information on post-processing policy command, refer to ACS Rulebase Configuration Mode Commands chapter in this guide.
[ no ] cca redirect-indicator operator redirect_indicator
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
redirect_indicator must be an integer from 0 through 4294967295.
Important: For the RADIUS server configured with different values to return for this AVP the ACS requires rule definitions to match the different values for system to associate with charging actions that have different redirect URLs configured.Following command defines a rule expression to match redirect indicator 1234 for URL redirect AVP:
[ no ] dns answer-name [ case-sensitive ] operator value
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
value must be an alpha and/or numeric string of 1 through 255 characters in length, and can contain punctuation characters.
dns answer-name = test
[ no ] dns any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] dns previous-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
|
•
|
[ no ] dns query-name [ case-sensitive ] operator query_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
query_name must be an alpha and/or numeric string of 1 through 255 characters in length, and can contain punctuation characters.
dns query-name = test
[ no ] dns return-code operator return_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
return_code must be one of the following:
|
•
|
|
•
|
[ no ] dns state operator dns_current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
dns_current_state must be one of the following:
|
•
|
|
•
|
[ no ] dns tid operator tid_value
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
tid_value must be an integer from 1 through 65535.
dns tid = test
[ no ] email { cc | content { class | type } | from | size | subject | to } [ case-sensitive ] operator value
operator must be one of the following except for size:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
operator must be one of the following for size:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
The value of the specified field. value must be an alpha and/or numeric string (allows punctuation characters) as follows:
|
•
|
cc: A string of 1 through 512 characters in length
|
|
•
|
content: A string of 1 through 128 characters in length
|
|
•
|
from: A string of 1 through 64 characters in length
|
|
•
|
size: A range of bytes from 1 through 4000000000 bytes
|
|
•
|
subject: A string of 1 through 128 characters in length
|
|
•
|
to: A string of 1 through 512 characters in length
|
The following command defines a rule expression to analyze user traffic for the occurrence of triangle in the “cc” field of e-mail messages:
email cc contains triangle@xyz.com
[ no ] file-transfer any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] file-transfer chunk-number operator chunks_number
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
chunks_number must be an integer from 1 through 65535.
The following command defines a rule expression to match 150 number of chunks:
[ no ] file-transfer current-chunk-length operator current_chunk_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
current_chunk_length must be an integer from 1 through 40000000.
The following command defines a rule expression to match length of current HTTP chunk as 1500000 bytes:
[ no ] file-transfer declared-chunk-length operator declared_chunk_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
declared_chunk_length must be an integer from 1 through 40000000.
The following command defines a rule expression to match declared length of current HTTP chunk as 2500000 bytes:
[ no ] file-transfer declared-file-size operator declared_file_size
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
declared_file_size must be an integer from 1 through 40000000.
[ no ] file-transfer filename [ case-sensitive ] operator file_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
file_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
[ no ] file-transfer previous-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
init: Specifies previous state as initialization.
|
|
•
|
request-sent: Specifies previous state as request sent.
|
|
•
|
transfer-error: Specifies previous state as transfer error.
|
|
•
|
transfer-ok: Specifies previous state as transfer ok.
|
[ no ] file-transfer state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following
|
•
|
init: Specifies current state as initialization.
|
|
•
|
request-sent: Specifies current state as request sent.
|
|
•
|
transfer-error: Specifies current state as transfer error.
|
|
•
|
transfer-ok: Specifies current state as transfer ok.
|
[ no ] file-transfer transferred-file-size operator file_transferred_size
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
file_transferred_size must be an integer from 1 through 4000000000.
[ no ] ftp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] ftp client-ip-address operator ip_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
ip_address must be the client’s IP address expressed in IPv4 dotted decimal or IPv6 colon notation.
ftp client-ip-address = 1.1.1.1
[ no ] ftp client-port operator port_number
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port_number must be an integer from 1 through 65535.
[ no ] ftp command args [ case-sensitive ] operator argument
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
argument must be a string of 1 through 127 characters in length.
The following command defines a rule expression to match argument test with FTP command:
ftp command args = test
[ no ] ftp command id operator command_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
In 9.0 and later releases, command_id must be an integer from 0 through 18.
In 8.3 and earlier releases, command_id must be an integer from 0 through 15.
[ no ] ftp command name operator command_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
command_name must be one of the following:
|
•
|
abor: Abort command
|
|
•
|
cwd: Current working directory command
|
|
•
|
eprt: eprt command
|
|
•
|
epsv: epsv command
|
|
•
|
list: List command
|
|
•
|
mode: Transfer mode command
|
|
•
|
pass: Password command
|
|
•
|
pasv: Passive command
|
|
•
|
port: Port command
|
|
•
|
quit: Quit command
|
|
•
|
rest: Restore command
|
|
•
|
retr: Retry command
|
|
•
|
stor: Store command
|
|
•
|
stru: File structure command
|
|
•
|
syst: System command
|
|
•
|
type: Type command
|
|
•
|
user: User command
|
[ no ] ftp connection-type operator connection_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
connection_type must be one of the following:
|
•
|
0: Unknown
|
|
•
|
1: Control connection
|
|
•
|
2: Data connection
|
[ no ] ftp data-any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] ftp filename [ case-sensitive ] operator file_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
file_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
ftp filename = test
[ no ] ftp pdu-length operator pdu_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
pdu_length must be an integer from 0 through 65535.
ftp pdu-length = 9647
[ no ] ftp pdu-type operator pdu_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
pdu_type must be one of the following:
|
•
|
0: Unknown
|
|
•
|
1: Command
|
|
•
|
2: Reply
|
[ no ] ftp previous-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
[ no ] ftp reply code operator reply_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
reply_code must be an integer from 100 through 599.
ftp reply code = 199
[ no ] ftp server-ip-address operator ip_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
ip_address must be expressed in IPv4 decimal notation or IPv6 colon notation.
ftp server-ip-address = 1.1.1.1
[ no ] ftp server-port operator port
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port must be an integer from 1 through 65535.
This command defines rule expressions to match total number of bytes sent on FTP control connection.
[ no ] ftp session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
session_length must be an integer from 1 through 4000000000.
ftp session-length = 40000
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
[ no ] ftp url [ case-sensitive ] operator url
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
url must be an alpha and/or numeric string of 1 through 127 characters in length.
The following command defines a rule expression to match the URL ftp://rfc.ietf.org/rfc/rfc1738.txt:
ftp url = ftp://rfc.ietf.org/rfc/rfc1738.txt
[ no ] ftp user [ case-sensitive ] operator ftp_user
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
ftp_user must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
ftp user = user1
[ no ] http any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
name_of_value must be an alpha and/or numeric string of 1 through 31 characters in length.
value must be an alpha and/or numeric string of 1 through 127 characters in length.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
name_of_value must be an alpha and/or numeric string of 1 through 31 characters in length.
value must be an alpha and/or numeric string of 1 through 127 characters in length.
[ no ] http content disposition [ case-sensitive ] operator content_disposition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_disposition must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
http content disposition = successful
[ no ] http content length operator content_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
content_length must be an integer from 1 through 4000000000.
http content length = 10000
[ no ] http content type [ case-sensitive ] operator content_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
http content type = abc100
[ no ] http domain [ case-sensitive ] operator domain
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
domain must be an alpha and/or numeric string of 1 through 127 characters in length.
The following command defines a rule expression to match user traffic based on domain name testdomain:
http domain = testdomain
[ no ] http error operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
The following command defines a rule expression to match user traffic based on HTTP error status of TRUE:
[ no ] http first-request-packet operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] http header-length operator header_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
header_length must be an integer from 0 through 65535.
http header-length = 10000
[ no ] http host [ case-sensitive ] operator host_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
host_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
http host = host1
[ no ] http payload-length operator payload_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
payload_length must be an integer from 1 through 4000000000.
http payload-length = 10000
[ no ] http pdu-length operator pdu_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
pdu_length must be an integer from 0 through 65535.
http pdu-length = 10000
[ no ] http previous-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
init: Initialized state
|
|
•
|
response-error: Response error state
|
|
•
|
response-ok: Response ok state
|
|
•
|
waiting-for-response: Waiting for response state
|
[ no ] http referer [ case-sensitive ] operator referer_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
referer_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match HTTP referer cricket.espn.com:
http referer = cricket.espn.com
[ no ] http reply code operator reply_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
reply_code must be an integer from 100 through 599.
[ no ] http request method operator request_method
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
request_method must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match user traffic based on HTTP request method connect:
[ no ] http session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
session_length must be an integer from 1 through 4000000000.
http session-length = 200000
[ no ] http state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
close: Closed state
|
|
•
|
response-error: Response error state
|
|
•
|
response-ok: Response ok state
|
|
•
|
waiting-for-response: Waiting for response state
|
[ no ] http transaction-length { operator transaction_length | { { range | !range } range_from to range_to } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
transaction_length must be an integer from 1 through 4000000000.
|
•
|
range: Enables the range criteria for HTTP transaction length.
|
|
•
|
!range: Disables the range criteria for HTTP transaction length.
|
|
•
|
range_from: Specifies the start of range, in bytes, for HTTP transaction length.
|
|
•
|
range_to: Specifies the end of range, in bytes, for HTTP transaction length.
|
[ no ] http transfer-encoding [ case-sensitive ] operator transfer_encoding
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
transfer_encoding must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
Use this command to define rule expressions to match transfer encoding field of HTTP general header.
http transfer-encoding = user1
[ no ] http uri [ case-sensitive ] operator uri
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
uri must be an alpha and/or numeric string of 1 through 127 characters in length. uri allows punctuation characters and it does not include the “host” portion.
The following command defines a rule expression to match HTTP URI string http://www.somehost.com:
http uri = http://www.somehost.com
[ no ] http url [ case-sensitive ] operator url
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
url must be an alpha and/or numeric string of 1 through 127 characters in length. url allows punctuation characters and includes “host + URI” for HTTP PDUs.
The following command defines a rule expression to match HTTP URL http://rfc.ietf.org/rfc/rfc1738.txt:
http url = http://rfc.ietf.org/rfc/rfc1738.txt
[ no ] http user-agent [ case-sensitive ] operator user_agent
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
user_agent must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
http user-agent = xyz.123
[ no ] http version [ case-sensitive ] operator http_version
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
http_version must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
http version = http4.2
name_of_field must be an alpha and/or numeric string of 1 through 31 characters in length.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
string must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match extension-header test_field for value of test_string:
[ no ] icmp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] icmp code operator code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
code must be an integer from 0 through 255.
icmp code = 23
[ no ] icmp type operator type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
type must be an integer from 0 through 255. For example, 0 for ECHO Reply, 3 for Destination Unreachable, and 5 for Redirect.
icmp type = 123
[ no ] icmpv6 any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] icmpv6 code operator code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
code must be an integer from 0 through 255.
[ no ] icmpv6 type operator type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
type must be an integer from 0 through 255. For example, 0 for ECHO Reply, 3 for Destination Unreachable, and 5 for Redirect.
icmpv6 type = 123
This is the same as the rule expression http any-match = true.
This is the same as requiring “wsp any-match = true” but “wtp any-match = false” (that is, connection-less WAP1.x).
This is the same as the combined rule expression “wsp any-match = true” and “wtp any-match = true” (that is, connection-oriented WAP1.x).
content-id content_id
content_id must be an integer from 1 through 65535.
This command is only effective for charging ruledefs. See the rule-application CLI command for information on how to configure charging ruledefs.
Presumably, the ruledef would have another configurable like “www url contains foo", which would cause to use different content IDs when "foo" was accessed, depending upon the protocol being used.
[ no ] imap any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] imap cc [ case-sensitive ] operator cc_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
cc_address must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match recipient address triangle@xyz.com in the “cc” field of e-mails in IMAP messages:
imap cc contains triangle@xyz.com
[ no ] imap command operator command
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
command must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match close command in IMAP messages:
[ no ] imap content class [ case-sensitive ] operator content_class
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_class must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to analyze user traffic matching content class javax.mail.internet.MimeMultipart in the “content-class” field of e-mails in the IMAP messages:
imap content class contains javax.mail.internet.MimeMultipart
[ no ] imap content type [ case-sensitive ] operator content_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to analyze user traffic matching content type TEXT/plain; charset=iso-8859-1 in the ‘content-type’ field of e-mails in IMAP messages:
imap content type contains TEXT/plain; charset=iso-8859-1
[ no ] imap date [ case-sensitive ] operator date
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
date must be an alpha and/or numeric string of 1 through 127 characters in length.
The following command defines a rule expression to analyze user traffic matching date Fri, 21 Nov 1997 11:00:00 -0600 in the “date” field of e-mails in IMAP messages:
imap date contains Fri, 21 Nov 1997 11:00:00 -0600
[ no ] imap final-reply operator final_reply
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
final_reply must be one of the following:
|
•
|
bad: Final reply is invalid or bad.
|
|
•
|
no: There is no final reply.
|
|
•
|
ok: Final reply is valid.
|
The following command defines a rule expression to analyze user traffic matching the final-reply condition bad in the last IMAP final-reply message:
[ no ] imap from [ case-sensitive ] operator from_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
from_address must be an alpha and/or numeric string of 1 through 127 characters in length.
The following command defines a rule expression to analyze user traffic matching triangle in the “from” field of e-mails in the IMAP messages:
imap from contains triangle
[ no ] imap mail-size operator mail_size
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
mail_size must be an integer from 0 through 4000000000.
The following command defines a rule expression to match e-mail size less than or equal to 23400 bytes:
imap mail-size <= 23400
[ no ] imap mailbox-size operator number_of_email
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
number_of_email must be an integer from 0 through 65535.
The following command defines a rule expression to match less than or equal to 1024 number of e-mail messages in a mailbox:
imap mailbox-size <= 1024
[ no ] imap message-type operator message_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
message_type must be one of the following:
|
•
|
command-continuation-reply: Message with command-continuation-reply type.
|
|
•
|
final-reply: Message is of final reply type.
|
|
•
|
request: There is of request type.
|
|
•
|
untagged-reply: Message of reply type, but without any tag.
|
[ no ] imap previous-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
init: Message in initialization state.
|
|
•
|
request-sent: Message in request-sent state.
|
[ no ] imap session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
session_length must be an integer from 1 through 4000000000.
The following command defines a rule expression to match IMAP session length less than or equal to 4000 bytes:
[ no ] imap session-previous-state operator session_previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
session_previous_state must be one of the following:
|
•
|
authenticated: Session authenticated
|
|
•
|
connected: Session connected
|
|
•
|
init: Session initialized
|
|
•
|
mailbox-selected: Mailbox selected
|
[ no ] imap session-state operator session_current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
state must be one of the following:
|
•
|
authenticated: Session authenticating.
|
|
•
|
connected: Session connecting.
|
|
•
|
logout: Session logged out.
|
|
•
|
mailbox-selected: Mailbox selecting.
|
[ no ] imap state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
request-sent: Request message sent
|
|
•
|
response-fail: Request response failed
|
|
•
|
response-ok: Request response is good
|
[ no ] imap subject [ case-sensitive ] operator subject
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
subject must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines rule expression to match occurrence of the string My test in the “subject” field of e-mails in IMAP message:
imap subject contains My test
[ no ] imap to [ case-sensitive ] operator to
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
to must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to analyze user traffic matching the occurrence xyz.com in the “to” field of e-mails in the IMAP message:
imap to contains xyz.com
[ no ] ip any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] ip downlink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] ip dst-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool_name }
operator: Specifies how to logically match the IP destination address.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
ip_address: Specifies IP address of the destination node for outgoing traffic in IPv4 or IPv6 standard notation. ip_address must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation.
ip_address/mask: Specifies IP address of the destination node for outgoing traffic in IPv4 or IPv6 standard notation with subnet mask bit. ip_address/mask must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.
!range | range: Specifies the range criteria:
|
•
|
!range: Not in the range of
|
|
•
|
range: In the range of
|
host-pool host_pool_name: Specifies name of the host pool. host_pool_name must be a string of 1 through 63 characters in length.
ip dst-address = 1.1.1.1
[ no ] ip error operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals—available only in 8.1 and later releases
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals—available only in 8.1 and later releases
|
protocol_assignment must be an integer from 0 through 255.
Specifies the protocol by name. protocol must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
[ no ] ip server-ip-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool_name }
operator: Specifies how to logically match the server IP address. operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
ip_address: Specifies the server IP address in IPv4 or IPv6 standard notation. For uplink packets (from subscriber) this field matches the destination IP address in the IP header, and for downlink packets (to the subscriber) it matches the source IP address in IP header. ip_address must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation.
ip_address/mask: Specifies the server IP address in IPv4 or IPv6 standard notation with subnet mask bit. For uplink packets (from subscriber) this field matches the destination IP address in the IP header, and for downlink packets (to the subscriber) it matches the source IP address in IP header. ip_address/mask must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.
{ !range | range } host-pool host_pool_name
!range | range: Specifies the range criteria:
|
•
|
!range: Not in the range of
|
|
•
|
range: In the range of
|
host-pool host_pool_name: Specifies name of the host pool. host_pool_name must be a string of 1 through 63 characters in length.
The following command defines a rule expression to match user traffic based on IP server address 1.1.1.1:
ip server-ip-address = 1.1.1.1
[ no ] ip src-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool_name }
operator: Specifies how to logically match the IP source address.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
ip_address: Specifies IP address of the source node for incoming traffic in IPv4 or IPv6 standard notation. ip_address must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation.
ip_address/mask: Specifies IP address of the source node for incoming traffic in IPv4 or IPv6 standard notation with subnet mask bit. ip_address/mask must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.
{ !range | range } host-pool host_pool_name
!range | range: Specifies the range criteria:
|
•
|
!range: Not in the range of
|
|
•
|
range: In the range of
|
host-pool host_pool_name: Specifies name of the host pool. host_pool_name must be a string of 1 through 63 characters in length.
The following command defines a rule expression to match user traffic based on IP source address 1.1.1.1:
ip src-address = 1.1.1.1
[ no ] ip subscriber-ip-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool_name }
operator: Specifies how to logically match the subscriber IP address.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
ip_address: Specifies the subscriber IP address. Depending on the direction of packet this IP address will be either the IP source address or the IP destination address. ip_address must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation.
ip_address/mask: Specifies the subscriber IP address with subnet mask bit. Depending on the direction of packet this IP address will either be the IP source address or the IP destination address. ip_address/mask must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.
{ !range | range } host-pool host_pool_name
!range | range: Specifies the range criteria:
|
•
|
!range: Not in the range of
|
|
•
|
range: In the range of
|
host-pool host_pool_name: Specifies name of the host pool. host_pool_name must be a string of 1 through 63 characters in length.
The following command defines a rule expression to match user traffic based on subscriber IP address 1.1.1.1:
ip subscriber-ip-address = 1.1.1.1
[ no ] ip total-length operator total_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
total_length must be an integer from 0 through 4096.
The following command defines a rule expression to match user traffic based on IP total length of 2000 bytes:
ip total-length = 2000
[ no ] ip uplink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] ip version operator ip_version
operator must be = (equals).
ip_version must be one of the following:
|
•
|
|
•
|
[ no ] mms any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] mms bcc [ case-sensitive ] operator bcc_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
bcc_address must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match recipient address containing test1 in “bcc” field of MMS messages:
mms bcc contains test1
[ no ] mms cc [ case-sensitive ] operator cc_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
cc_address must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match recipient address containing test1 in the “cc” field of MMS messages:
mms cc contains test1
[ no ] mms content location [ case-sensitive ] operator string
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
string must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match test1 in content-location field of MMS messages:
[ no ] mms content type [ case-sensitive ] operator content_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match image in content-type field of MMS messages:
[ no ] mms downlink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] mms from [ case-sensitive ] operator from_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
from_address must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match test1 in the “from” field of MMS messages:
mms from contains test1
[ no ] mms message-id [ case-sensitive ] operator message_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
message_id must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match test1 in the “message ID” field of MMS messages:
mms message-id contains test1
[ no ] mms pdu-type operator pdu_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
pdu_type must be one of the following:
|
•
|
mms-pdu-type-response: This option is deprecated. Use the mms_pdu_type_m_retrieve_conf option instead.
|
The following command defines a rule expression to match PDU type mms-pdu-type-m-http-get in the current MMS packet:
[ no ] mms previous-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
delayed-ack-pending: This option is deprecated, use retrieve-conf-received.
|
|
•
|
delayed-m-notify-rsp-sent: This option is deprecated, use notify-rsp-sent.
|
|
•
|
delayed-retrieval-pending: This option is deprecated, use retrieval-pending.
|
|
•
|
immediate-retrieval-pending: This option is deprecated, use retrieval-pending.
|
|
•
|
|
•
|
m-send-conf-rcvd: This option is deprecated, use send-success.
|
The following command defines a rule expression to match user traffic based on MMS previous state of retrieval-pending:
[ no ] mms response status operator status_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
status_code must be an integer from 128 through 136.
[ no ] mms state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
delayed-ack-pending: This option is deprecated, use retrieve-conf-received.
|
|
•
|
delayed-m-notify-rsp-sent: This option is deprecated, use notify-rsp-sent.
|
|
•
|
delayed-retrieval-pending: This option is deprecated, use retrieval-pending.
|
|
•
|
immediate-retrieval-pending: This option is deprecated, use retrieval-pending.
|
|
•
|
m-send-conf-rcvd: This option is deprecated, use send-success.
|
The following command defines a rule expression to match user traffic based on current state of MMS session as retrieval-failed:
[ no ] mms status operator status
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
status must be an integer from 128 through 132.
The following command defines a rule expression to match user traffic based on MMS current status 130:
mms status = 130
[ no ] mms subject [ case-sensitive ] operator subject_string
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
subject_string must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match test1 in “subject” field of MMS messages:
mms subject contains test1
[ no ] mms tid [ case-sensitive ] operator transaction_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
transaction_id must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match test in TID field of MMS messages:
mms tid = test
[ no ] mms to [ case-sensitive ] operator to_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
to_address must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match user traffic based on test in “to” field of MMS messages:
mms to = test
[ no ] mms uplink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must one of the following:
|
•
|
|
•
|
[ no ] mms version operator version
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
version must be an integer from 1 through 65535.
Important: MMS protocol analyzer supports decoding of only MMS version 1.0.The following command defines a rule expression to match MMS version 1.0 in MMS packets:
mms version = 1.0
When a ruledef is evaluated, if the multi-line-or all-lines command is configured, the logical OR operator is applied to all the rule expressions in the ruledef to decide if the ruledef matches or not. If the multi-line-or all-lines command is not configured, the logical AND operator is applied to all the rule expressions.
[ no ] p2p any-match operator condition
operator must be one of the following:
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
TRUE: The rule matches any P2P traffic.
|
|
•
|
FALSE: The rule does not match any P2P traffic.
|
[ no ] p2p protocol operator protocol
operator must be = (equals).
protocol must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
Important: The facetime protocol is available only in 9.0 and in 11.0 and later releases.|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
Important: The gamekit protocol is available only in 9.0 and in 11.0 and later releases.|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
Use this command to define rule expressions to detect P2P protocols for charging purposes. For detection purposes use the p2p-detection protocol command in the ACS Configuration Mode.
[ no ] p2p traffic-type operator traffic_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
In 11.0 and later releases, traffic_type must be one of the following:
|
•
|
|
•
|
[ no ] pop3 any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] pop3 command args [ case-sensitive ] operator argument
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
argument must be an alpha and/or numeric string of 1 through 40 characters in length, and can contain punctuation characters.
pop3 command args = test
[ no ] pop3 command id operator command_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
command_id must be an integer from 1 through 12.
[ no ] pop3 command name operator command_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
command_name must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match the command list sent with POP3 packets:
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
|
•
|
range: Enables the range criteria.
|
|
•
|
!range: Disables the range criteria.
|
|
•
|
range_from: Specifies the start of range, and must be an integer from 1 through 4000000000.
|
|
•
|
range_to: Specifies the end range. range_to must be an integer from 1 through 4000000000, and must be greater than range_from.
|
mail_size must be an integer from 1 through 4000000000.
pop3 mail-size = 40000
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
|
•
|
range: Enables the range criteria.
|
|
•
|
!range: Disables the range criteria.
|
|
•
|
range_from: Specifies the start of range, and must be an integer from 0 through 65535.
|
|
•
|
range_to: Specifies the end range. range_to must be an integer from 0 through 65535, and must be greater than range_from.
|
pdu_length must be an integer from 0 through 65535.
pop3 pdu-length = 1000
[ no ] pop3 pdu-type operator pdu_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
pdu_type must be one of the following:
[ no ] pop3 previous-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
connected: Connected state
|
|
•
|
data transaction: Data transaction state
|
|
•
|
init: Initialized state
|
|
•
|
reply-error: Reply error state
|
|
•
|
reply-ok: Response ok state
|
|
•
|
waiting-for-reply: Waiting for reply state
|
The following command defines a rule expression to match user traffic for POP3 previous state of connected:
[ no ] pop3 reply args [ case-sensitive ] operator argument
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
argument must be an alpha and/or numeric string of 1 through 512 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match the argument test with POP3 replies:
pop3 reply args = test
[ no ] pop3 reply id operator reply_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
reply_id must be one of the following:
|
•
|
0: Unknown reply
|
|
•
|
1: +OK
|
|
•
|
2: -Error
|
[ no ] pop3 reply status operator reply_status
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
reply_status must be one of the following:
|
•
|
+OK: Reply OK
|
|
•
|
-ERR: Reply error
|
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
session_length must be an integer from 1 through 4000000000.
|
•
|
range: Enables the range criteria for POP3 session length.
|
|
•
|
!range: Disables the range criteria for POP3 session length.
|
|
•
|
range_from: Specifies the start of range of POP3 session length, and must be an integer from 1 through 4000000000 but less than or equal to range_to.
|
|
•
|
range_to: Specifies the end of range of POP3 session length, and must be an integer from 1 through 4000000000 but greater than or equal to range_from.
|
pop3 session-length = 40000
[ no ] pop3 state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
|
•
|
[ no ] pop3 user-name [ case-sensitive ] operator user_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
user_name must be an alpha and/or numeric string of 1 through 64 characters in length, and can contain punctuation characters.
pop3 user-name = test
[ no ] pptp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] pptp ctrl-msg-type = message_type
The following command configures echo-reply message type to control traffic:
[ no ] pptp gre any-match = condition
condition must be one of the following:
|
•
|
|
•
|
[ no ] rtcp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
TRUE: The rule matches any RTCP traffic
|
|
•
|
FALSE: The rule does not match any RTCP traffic
|
[ no ] rtcp jitter operator jitter
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
jitter must be an integer from 0 through 4294967295.
rtcp jitter >= 12954
Important: This command is available only in 8.1 and 9.0 and later releases.[ no ] rtcp parent-proto operator parent_protocol
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
parent_protocol must be one of the following:
|
•
|
rtsp: Real Time Streaming Protocol
|
|
•
|
sip: Session Initiation Protocol
|
[ no ] rtcp pdu-length operator pdu_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
In 8.1 and later releases, pdu_length must be an integer from 1 through 65535.
In 8.0, pdu_length must be an integer from 1 through 2000.
The following command defines a rule expression to match user traffic based on RTCP PDU length of 10000 bytes:
rtcp pdu-length = 10000
[ no ] rtcp rtsp-id [ case-sensitive ] operator rtsp_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
rtsp_id must be an alpha and/or numeric string of 1 through 32 characters in length.
The following command defines a rule expression to match user traffic containing RTSP message ID of test1:
rtcp rtsp-id contains test1
[ no ] rtcp session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
In 8.1 and later releases, session_length must be an integer from 1 through 4000000000. In 8.0, session_length must be an integer from 1 through 40000000.
rtcp session-length = 200000
[ no ] rtcp uri [ case-sensitive ] operator uri
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
uri must be an alpha and/or numeric string of 1 through 127 characters in length.
The following command defines a rule expression to match user traffic for RTCP URI rtsp://www.example.org:
rtcp uri = rtsp://www.example.org
[ no ] rtp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
Important: This command is available only in 8.1 and in 9.0 and later releases.[ no ] rtp parent-proto operator parent_protocol
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
parent_protocol must be one of the following:
|
•
|
rtsp: Real Time Streaming Protocol
|
|
•
|
sip: Session Initiation Protocol
|
[ no ] rtp pdu-length operator pdu_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
In 8.1 and later releases, pdu_length must be an integer from 1 through 65535. In 8.0, pdu_length must be an integer from 1 through 2000.
rtp pdu-length = 1000
[ no ] rtp rtsp-id [ case-sensitive ] operator rtsp_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
rtsp_id must be an alpha and/or numeric string of 1 through 32 characters in length.
rtp rtsp-id contains test1
[ no ] rtp session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
In 8.1 and later releases, session_length must be an integer from 1 through 4000000000.
In release 8.0, session_length must be an integer from 1 through 40000000.
rtp session-length = 200000
[ no ] rtp uri [ case-sensitive ] operator uri
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
uri must be an alpha and/or numeric string of 1 through 127 characters in length. uri allows punctuation characters and it does not include the “host” portion.
The following command defines a rule expression to match the RTP URI string rtsp://www.example.org:
rtp uri = rtsp://www.example.org
[ no ] rtsp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] rtsp content length operator content_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
content_length must be an integer from 0 through 65535.
The following command defines a rule expression to match content length of 10000 in RTSP headers:
rtsp content length = 10000
[ no ] rtsp content type [ case-sensitive ] operator content_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
rtsp content type = abc100
[ no ] rtsp date [ case-sensitive ] operator date
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
date must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match the date 12_04_2006 in RTSP message headers:
rtsp date = 12_04_2006
[ no ] rtsp previous-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
[ no ] rtsp reply code operator reply_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
reply_code must be an integer from 100 through 599.
[ no ] rtsp request method operator request_method
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
request_method must be one of the following requests:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
[ no ] rtsp request packet operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
TRUE: Is request
|
|
•
|
FALSE: Is response
|
[ no ] rtsp rtp-seq operator sequence_number
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
sequence_number must be an alpha and/or numeric string of 0 through 65535 characters in Normal Play Time (NPT) time format.
rtsp rtp-seq = 2348
This command defines rule expressions to match the “time” field in RTP-Info header of RTSP response.
[ no ] rtsp rtp-time operator time
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
time must be an alpha and/or numeric string of 1 through 2147483647 characters in Normal Play Time (NPT) time format.
rtsp rtp-time = 19970123T153600Z
[ no ] rtsp rtp-uri [ case-sensitive ] operator uri
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
uri must be an alpha and/or numeric string of 1 through 127 characters in length. uri allows punctuation characters and it does not include the “host” portion.
The following command defines a rule expression to match user traffic based on RTP-URI string rtsp://www.foo.com in the RTP-info header of RTSP packet:
rtsp rtp-uri = rtsp://www.foo.com
[ no ] rtsp session-id [ case-sensitive ] operator session_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
session_id must be an alpha and/or numeric string of 1 through 127 characters in length.
rtsp session-id = 0123abc100
[ no ] rtsp session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
session_length must be an integer from 1 through 40000000.
[ no ] rtsp state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
[ no ] rtsp uri [ case-sensitive ] operator uri
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
uri must be an alpha and/or numeric string of 1 through 127 characters in length. uri allows punctuation characters and it does not include the “host” portion.
The following command defines a rule expression to match user traffic based on RTSP URI rtsp://www.example.com:554/twister/audiotrack:
rtsp uri = rtsp://www.example.com:554/twister/audiotrack
[ no ] rtsp uri sub-part { { absolute-path | host | query } [ case-sensitive ] operator string | port { port_operator port_value | { range | !range } range_from to range_to } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
string must be an alpha and/or numeric string of 1 through 127 characters in length. string allows punctuation characters and it does not include the “host” portion.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port_value must be an integer from 0 through 65535.
|
•
|
range: Enables the range criteria for RTSP flow ports.
|
|
•
|
!range: Disables the range criteria for RTSP flow ports.
|
|
•
|
range_from: Specifies the start of range of RTSP flow ports and value must be an integer from 0 through 65535 but less than or equal to range_to.
|
|
•
|
range_to: Specifies the end of range of RTSP flow ports and value must be an integer from 0 through 65535 but more than or equal to range_from.
|
The following command defines a URI sub part rule definition to analyze user traffic based on RTSP URI port number between 1023 and 1068:
[ no ] rtsp user-agent [ case-sensitive ] operator user_agent
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
user_agent must be an alpha and/or numeric string of 1 through 127 characters in length.
The following command defines a rule expression to match test in “user-agent” field of RTSP header:
rtsp user-agent = test
Important: The post-processing keyword is available only in 8.3 and later releases.
Important: The tpo keyword is available only in 12.2 and later releases.[ no ] sdp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] sdp connection-ip-address operator ip_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
ip_address must be expressed in IPv4 dotted decimal notation.
The following command defines a rule expression to match the IP address 1.1.1.1 in the connection field of SDP descriptions:
sdp connection-ip-address = 1.1.1.1
[ no ] sdp media-audio-port operator port
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
port must be an integer from 0 through 65535.
The following command defines a rule expression to match media audio port 100 in the media sections of SDP descriptions:
[ no ] sdp media-video-port operator port
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
port must be an integer from 0 through 65535.
The following command defines a rule expression to match media video port 100 in the media sections of SDP descriptions:
[ no ] sdp uplink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
FALSE: Is not uplink
|
|
•
|
TRUE: Is uplink
|
[ no ] secure-http any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] secure-http uplink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
FALSE: Is not uplink
|
|
•
|
TRUE: Is uplink
|
[ no ] sip any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] sip call-id [ case-sensitive ] operator call_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
call_id must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match the call ID test in SIP messages:
sip call-id = test
[ no ] sip content length operator content_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
content_length must be an integer from 0 through 65535.
The following command defines a rule expression to match the content length 10000 in SIP headers:
sip content length = 10000
[ no ] sip content type [ case-sensitive ] operator content_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_type must be an alpha and/or numeric string of 1 through 127 characters in length.
The following command defines a rule expression to match content type download_string in SIP headers:
sip content type = download_string
[ no ] sip from [ case-sensitive ] operator string
operator must be one of the following:
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
string must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match test1 in the “from” field in SIP messages:
sip from contains test1
[ no ] sip previous-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
The following command defines a rule expression to match user traffic based on the SIP previous state of request-sent:
[ no ] sip reply code operator reply_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
reply_code must be an integer from 100 through 699.
The following command defines a rule expression to match 150 in the reply code in SIP responses:
sip reply code = 150
[ no ] sip request method operator method
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
method must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match the method bye in SIP request messages:
[ no ] sip request packet operator condition
operator must be one of the following:
|
•
|
=: Equals
|
|
•
|
!=: Does not equal
|
condition must be one of the following:
|
•
|
FALSE: Is a response
|
|
•
|
TRUE: Is a request
|
[ no ] sip state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
The following command defines a rule expression to match user traffic based on SIP current state request-sent:
[ no ] sip to [ case-sensitive ] operator to_address
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
to_address must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match test1 in the “to” field of SIP messages:
sip to contains test1
[ no ] sip uri [ sub-part { headers | host | parameters | port | userinfo } ] [ case-sensitive ] operator uri
|
•
|
headers: Apply the rule to SIP URI header field.
|
|
•
|
host: Apply the rule the SIP URI host field.
|
|
•
|
parameters: Apply the rule to the SIP URI parameters field.
|
|
•
|
port: Apply the rule to the SIP URI port field.
|
|
•
|
userinfo: Apply the rule to the SIP URI userinfo field.
|
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
The string for sub-part keyword port must be an integer and requires different operators. Use the following operators with the port keyword:
|
•
|
!=: Does not equal
|
|
•
|
<=: Is less than
|
|
•
|
=: Equals
|
|
•
|
>=: Is greater than
|
uri must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The string for sub-part keyword port must be an integer from 0 through 65535.
The following command defines a rule expression to match the URI string sip:1.1.1.1:5060 in SIP messages:
sip uri = sip:1.1.1.1:5060
The following command defines a rule expression to match the URI string sip:nnnn@host:5060;user=phone in SIP messages:
sip uri = sip:nnnn@host:5060;user=phone
[ no ] smtp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] smtp command arguments [ case-sensitive ] operator argument
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
argument must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.
[ no ] smtp command id operator command_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
command_id must be an integer from 0 through 10.
[ no ] smtp command name operator command_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
command_name must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match data command in SMTP packets:
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
mail_size must be an integer from 1 through 40000000.
|
•
|
range: Enables the range criteria.
|
|
•
|
!range: Disables the range criteria.
|
|
•
|
range_from: Specifies the start of range, and must be an integer from 1 through 40000000.
|
|
•
|
range_to: Specifies the end range. range_to must be an integer from 1 through 40000000, and must be greater than range_from.
|
smtp mail-size = 40000
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
pdu_length must be an integer from 1 through 65535.
|
•
|
range: Enables the range criteria.
|
|
•
|
!range: Disables the range criteria.
|
|
•
|
range_from: Specifies the start of range, and must be an integer from 1 through 65535.
|
|
•
|
range_to: Specifies the end range. range_to must be an integer from 1 through 65535, and must be greater than range_from.
|
smtp pdu-length = 1600
[ no ] smtp previous-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
close: Closed state
|
|
•
|
init: Initialized state
|
|
•
|
response-error: Reply error state
|
|
•
|
response-ok: Response ok state
|
|
•
|
waiting-for-response: Waiting for response state
|
The following command defines a rule expression to match user traffic based on SMTP previous state close:
[ no ] smtp recipient [ case-sensitive ] operator argument
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
argument must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match recipient e-mail ID containing test in the current SMTP transaction:
[ no ] smtp reply arguments [ case-sensitive ] operator argument
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
argument must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match reply argument test in SMTP response:
[ no ] smtp reply id operator reply_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
reply_id must be one of the following:
|
•
|
0: +NO reply
|
|
•
|
1: +OK reply
|
|
•
|
2: -ERR reply
|
The following command defines a rule expression to match reply ID 2 assigned to SMTP response:
[ no ] smtp reply status operator reply_status
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
reply_status must be one of the following:
|
•
|
+OK: Response OK
|
|
•
|
-ERR: Response error
|
The following command defines a rule expression to match reply status +OK in SMTP packets:
[ no ] smtp sender [ case-sensitive ] operator sender
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
sender must be an alpha/or numeric string of 1 through 127 characters in length.
The following command defines a rule expression to match sender e-mail ID containing test in the current SMTP transaction:
smtp sender contains test
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
session_length must be an integer from 1 through 40000000.
|
•
|
range: Enables the range criteria.
|
|
•
|
!range: Disables the range criteria.
|
|
•
|
range_from: Specifies the start of range, and must be an integer from 1 through 40000000.
|
|
•
|
range_to: Specifies the end range. range_to must be an integer from 1 through 40000000, and must be greater than range_from.
|
smtp session-length = 4000000
[ no ] smtp state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
close: Closed state
|
|
•
|
init: Initialized state
|
|
•
|
response-error: Response of error state
|
|
•
|
response-ok: Response of ok state
|
|
•
|
waiting-for-response: Waiting for response state
|
The following command defines a rule expression to match current state as close of SMTP command session:
[ no ] tcp analyzed out-of-order operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
FALSE: Not analyzed
|
|
•
|
TRUE: Analyzed
|
[ no ] tcp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
FALSE: Not analyzed
|
|
•
|
TRUE: Analyzed
|
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
The following command defines a rule expression to match user traffic based on TCP connection initiator subscriber:
[ no ] tcp downlink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] tcp dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port_number must be an integer from 1 through 65535.
|
•
|
!range: Not in the range
|
|
•
|
range: In the range
|
|
•
|
start_range must be an integer from 1 through 65535.
|
|
•
|
end_range must be an integer from 1 through 65535, and must be greater than start_range.
|
port-map port_map_name
port_map_name must be a string of 1 through 63 characters in length.
[ no ] tcp duplicate operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
FALSE: Not duplicated/retransmitted
|
|
•
|
TRUE: Duplicated/retransmitted
|
[ no ] tcp either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port_number must be an integer from 1 through 65535.
|
•
|
!range: Not in the range
|
|
•
|
range: In the range
|
|
•
|
start_range must be an integer from 1 through 65535.
|
|
•
|
end_range must be an integer from 1 through 65535, and must be greater than start_range.
|
port-map port_map_name
port_map_name must be a string of 1 through 63 characters in length.
The following command defines a rule expression to match destination/source port number 10 in TCP header:
[ no ] tcp error operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] tcp flag operator flag
operator must be one of the following:
|
•
|
!contains: Does not contain
|
|
•
|
contains: Contains
|
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
flag must be one of the following:
|
•
|
ack: TCP FLAG ACK
|
|
•
|
fin: TCP FLAG FIN
|
|
•
|
push: TCP FLAG PUSH
|
|
•
|
reset: TCP FLAG RESET
|
|
•
|
syn: TCP FLAG SYN
|
The following command defines a rule expression to match reset within flag field of TCP headers:
[ no ] tcp initial-handshake-lost operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
hex-signature hex_string
hex_string must be a dash-delimited list of hex data of size smaller than 32.
string-signature string
string must be a string of 1 through 32 characters in length.
[ no ] tcp payload-length operator payload_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
payload_length must be an integer from 0 through 40000000.
tcp payload-length = 10000
[ no ] tcp previous-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match user traffic based on previous state time-wait:
[ no ] tcp proxy-prev-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
tcp state and tcp prev-state is the state of the client stack, which would be either the state of the subscriber's stack (if flow is not proxy enabled) or the MS state of proxy on egress-side (if it is proxy-enabled flow).
tcp proxy-state and tcp proxy-prev-state is the state of the embedded TCP proxy server, that is the proxy ingress-side.
So, depending on the use case, if using tcp state and tcp prev-state existing configuration may work fine regardless of whether proxy is enabled. For other use cases, other ruledefs may have to be created.
Both tcp state and tcp proxy-state can be used in the same ruledef. If proxy was being used, they would map to the egress-side and ingress-side, respectively. If proxy was not being used, then this would not match ruledef because proxy state would not be applicable.
[ no ] tcp proxy-state operator state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
state must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
tcp state and tcp prev-state is the state of the client stack, which would be either the state of the subscriber's stack (if flow is not proxy enabled) or the MS state of proxy on egress-side (if it is proxy-enabled flow).
tcp proxy-state and tcp proxy-prev-state is the state of the embedded TCP proxy server, that is the proxy ingress-side.
So, depending on the use case, if using tcp state and tcp prev-state existing configuration may work fine regardless of whether proxy is enabled. For other use cases, other ruledefs may have to be created.
Both tcp state and tcp proxy-state can be used in the same ruledef. If proxy was being used, they would map to the egress-side and ingress-side, respectively. If proxy was not being used, then this would not match ruledef because proxy state would not be applicable.
[ no ] tcp session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
session_length must be an integer from 0 through 4000000000.
The following command defines a rule expression to match user traffic based on TCP session length of 2000 bytes:
tcp session-length = 2000
[ no ] tcp src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port_number must be an integer from 1 through 65535.
|
•
|
!range: Not in the range
|
|
•
|
range: In the range
|
|
•
|
start_range must be an integer from 1 through 65535.
|
|
•
|
end_range must be an integer from 1 through 65535, and must be greater than start_range.
|
port-map port_map_name
port_map_name must be a string of 1 through 63 characters in length.
The following command defines a rule expression to analyze user traffic matching TCP source port 10:
[ no ] tcp state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
[ no ] tcp uplink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] tftp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
FALSE: Not analyzed
|
|
•
|
TRUE: Analyzed
|
[ no ] tftp data-any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
FALSE: Not analyzed
|
|
•
|
TRUE: Analyzed
|
[ no ] udp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] udp downlink operator condition
operator must be one of the following:
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] udp dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port_number must be an integer from 1 through 65535.
|
•
|
!range: Not in the range
|
|
•
|
range: In the range
|
|
•
|
start_range must be an integer from 1 through 65535.
|
|
•
|
end_range must be an integer from 1 through 65535, and must be greater than start_range.
|
port-map port_map_name
port_map_name must be a string of 1 through 63 characters in length.
[ no ] udp either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port_number must be an integer from 1 through 65535.
|
•
|
!range: Not in the range
|
|
•
|
range: In the range
|
start_range must be an integer from 1 through 65535.
end_range must be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map_name
port_map_name must be a string of 1 through 63 characters in length.
hex-signature hex_string
hex_string must be a dash-delimited list of hex data of size smaller than 32.
string-signature string
string must be a string of 1 through 32 characters in length.
[ no ] udp src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
port_number must be an integer from 1 through 65535.
|
•
|
!range: Not in the range
|
|
•
|
range: In the range
|
start_range must be an integer from 1 through 65535.
end_range must be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map_name
port_map_name must be a string of 1 through 63 characters in length.
The following command defines a rule expression to match source port number 10 in UDP headers:
[ no ] udp uplink operator condition
operator must be one of the following:
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wsp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wsp content type [ case-sensitive ] operator content_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
wsp content type = test
[ no ] wsp domain [ case-sensitive ] operator domain
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
domain must be an alpha and/or numeric string of 1 through 127 characters in length.
The following command defines a rule expression to match user traffic based on domain name testdomain:
wsp domain = testdomain
[ no ] wsp downlink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wsp first-request-packet operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wsp host [ case-sensitive ] operator host_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
host_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
The following command defines a rule expression to match host name host1 in WSP headers:
wsp host contains host1
[ no ] wsp pdu-length operator pdu_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
pdu_length must be an integer from 1 through 65535.
The following command defines a rule expression to match user traffic based on WSP PDU length of 10000 bytes:
wsp pdu-length = 10000
[ no ] wsp pdu-type operator pdu_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
pdu_type must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
[ no ] wsp previous-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
[ no ] wsp reply code operator reply_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
reply_code must be an integer from 0 through 101.
[ no ] wsp session-length operator session_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: less than equals
|
|
•
|
=: Equals
|
|
•
|
>=: greater than equals
|
session_length must be an integer from 1 through 65535.
wsp session-length = 2000
[ no ] wsp session-management { previous-state | state } operator state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
|
•
|
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match previous WSP Session Management state of connecting:
[ no ] wsp state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
[ no ] wsp tid operator transaction_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
transaction_id must be an integer from 0 through 255.
The following command defines a rule expression to match TID value of 22 for connection-less WSP:
wsp tid = 22
This command is deprecated, see the wsp session-length command.
[ no ] wsp transfer-encoding [ case-sensitive ] operator transfer_encoding
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
transfer_encoding must be an alpha and/or numeric string of 1 through 127 characters in length.
The following command defines a rule expression to match user traffic based on WSP transfer encoding 7:
[ no ] wsp uplink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wsp url [ case-sensitive ] operator url
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
url must be an alpha and/or numeric string of 1 through 127 characters in length.
The following command defines a rule expression to match user traffic based on WSP URL wsp://wiki.tcl.tk:
wsp url = wsp://wiki.tcl.tk
[ no ] wsp user-agent [ case sensitive ] operator user_agent
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
user_agent must be an alpha and/or numeric string of 1 through 127 characters in length.
The following command defines a rule expression to match value test in user agent field in WSP headers:
name must be an alpha and/or numeric string of 1 through 31 characters in length.
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
string must be an alpha and/or numeric string of 1 through 127 characters in length.
The following command defines a rule expression to analyze user traffic containing WSP extension-header of test_field and value of test_string:
wsp x-header test_field = test_string
[ no ] wtp any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wtp downlink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
This command defines rule expressions to match Group Transmission (GTR) flag in the current WTP PDU.
[ no ] wtp gtr operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wtp pdu-length operator pdu_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
pdu_length must be an integer from 1 through 65535.
wtp pdu-length = 9647
[ no ] wtp pdu-type operator pdu_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
pdu_type must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
[ no ] wtp previous-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match user traffic based on WTP previous state of ack-sent:
[ no ] wtp rid operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wtp state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
|
•
|
|
•
|
|
•
|
The following command defines a rule expression to match user traffic based on current WTP state close:
[ no ] wtp tid operator transaction_id
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
transaction_id must be an integer from 0 through 65535.
The following command defines a rule expression to match user traffic containing WTP TID value of 22:
wtp tid = 22
[ no ] wtp transaction class operator transaction_class
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
transaction_class must be an integer from 0 through 2.
The following command defines a rule expression to match WTP traffic based on WTP transaction class 2:
[ no ] wtp ttr operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] wtp uplink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] www any-match operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] www content type [ case-sensitive ] operator content_type
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
content_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
www content type = test
[ no ] www domain [ case-sensitive ] operator domain
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
domain must be an alpha and/or numeric string of 1 through 127 characters in length.
The following command defines a rule expression to match user traffic based on domain name testdomain:
www domain = testdomain
[ no ] www downlink operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] www first-request-packet operator condition
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
condition must be one of the following:
|
•
|
|
•
|
[ no ] www header-length operator header_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
header_length must be an integer from 0 through 65535.
The following command defines a rule expression to match user traffic based on WWW packet header length of 10000 bytes:
www header-length = 10000
[ no ] www host [ case-sensitive ] operator host_name
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
host_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
www host = host1
[ no ] www payload-length operator payload_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
payload_length must be an integer from 1 through 4000000000.
The following command defines a rule expression to match user traffic based on WWW payload length of 10000:
www payload-length = 10000
[ no ] www pdu-length operator pdu_length
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
pdu_length must be an integer from 0 through 65535.
The following command defines a rule expression to match user traffic based on WWW PDU length of 9767 bytes:
www pdu-length = 9767
[ no ] www previous-state operator previous_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
previous_state must be one of the following:
|
•
|
The following command defines a rule expression to match user traffic based on WWW previous state init:
[ no ] www reply code operator reply_code
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
<=: Lesser than or equals
|
|
•
|
=: Equals
|
|
•
|
>=: Greater than or equals
|
reply_code must be an integer from 100 through 599.
The following command defines a rule expression to analyze WWW user traffic based on reply code of 110:
www reply code = 110
[ no ] www state operator current_state
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
=: Equals
|
current_state must be one of the following:
|
•
|
The following command defines a rule expression to match user traffic based on the current WWW state close:
[ no ] www transfer-encoding [ case-sensitive ] operator transfer_encoding
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
transfer_encoding must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.
www transfer-encoding = user1
[ no ] www url [ case-sensitive ] operator url
operator must be one of the following:
|
•
|
!=: Does not equal
|
|
•
|
!contains: Does not contain
|
|
•
|
!ends-with: Does not end with
|
|
•
|
!starts-with: Does not start with
|
|
•
|
=: Equals
|
|
•
|
contains: Contains
|
|
•
|
ends-with: Ends with
|
|
•
|
starts-with: Starts with
|
url must be an alpha and/or numeric string of 1 through 127 characters in length.
www url = www.abc.com
