Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
[ no ] bearer 3gpp apn [ case-sensitive ] operator apn_nameoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withapn_name must be an alpha and/or numeric string of 1 through 62 characters in length, and can contain punctuation characters.bearer 3gpp apn = apn12operator must be one of the following:
• !=: Does not equal
• =: Equals{ !range | range } imsi-pool imsi_pool_name!range | range: Specifies the range criteria:
• !range: Not in the range of
• range: In the range ofimsi-pool imsi_pool_name: Specifies name of the IMSI pool.imsi_pool_name must be a string of 1 through 63 characters in length.The following command defines a rule expression to analyze user traffic for the IMSI number 9198838330912:bearer 3gpp imsi = 9198838330912[ no ] bearer 3gpp rat-type operator rat_typeoperator must be one of the following:
• !=: Does not equal
• =: Equalsrat_type must be one of the following:
• geran: GSM EDGE Radio Access Network type
• utran: UMTS Terrestrial Radio Access Network type
• wlan: Wireless LAN type[ no ] bearer 3gpp sgsn-address operator ip_addressoperator must be one of the following:
• !=: Does not equal
• =: Equalsip_address must be an SGSN IP address expressed in standard IPv4 or IPv6 dotted decimal notation.Use this command to define rule expressions to match IP address of SGSN node. This command replaces the bearer sgsn-address command.bearer 3gpp sgsn-address = 1.1.1.1[ no ] bearer 3gpp2 bsid [ case-sensitive ] use-group-of-objects operator stringoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withIf the use-group-of-objects keyword is not included in the command, string specifies name of the matching 3GPP2 service Base Station ID (BSID) in bearer flow.If the use-group-of-objects keyword is included in the command, string must be the name of the group-of-objects to use. In this case, it is checked if the rule is satisfied for either one or none of the objects in the group-of-objects depending upon the operator used. For example, if the operator used is contains, the expression would be true if any of the objects in the specified object group is contained in the BSID. If the operator is !contains, then the expression would be true if none of the objects in the object group is contained in the BSID.string must be an alpha and/or numeric string of 1 through 16 characters in length, and can contain punctuation characters.The following command defines a rule expression to analyze user traffic for 3GPP2 BSID named bs001_xyz:bearer 3gpp2 bsid = bs001_xyz[ no ] bearer 3gpp2 service-option operator service_option_codeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsservice_option_code must be an integer from 0 through 1000.Important: In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp apn command.
[ no ] bearer apn [ case-sensitive ] operator apn_nameoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withapn_name must be an alpha and/or numeric string of 1 through 62 characters in length, and can contain punctuation characters.bearer apn = apn12Important: In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp imsi command.
operator must be one of the following:
• !=: Does not equal
• =: Equals{ !range | range } imsi-pool imsi_pool_name!range | range: Specifies the range criteria:
• !range: Not in the range of
• range: In the range ofimsi-pool imsi_pool_name: Specifies name of the IMSI pool.imsi_pool_name must be a string of 1 through 63 characters in length.The following command defines a rule expression to match user traffic based on IMSI number 9198838330912:bearer imsi = 9198838330912Important: In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp rat-type command.
[ no ] bearer rat-type operator rat_typeoperator must be one of the following:
• !=: Does not equal
• =: Equalsrat_type must be one of the following:
• geran: GSM EDGE Radio Access Network type
• utran: UMTS Terrestrial Radio Access Network type
• wlan: Wireless LAN typeImportant: In 8.1 and later releases, this command is deprecated and is replaced by the bearer 3gpp sgsn-address command.
[ no ] bearer sgsn-address operator addressoperator must be one of the following:
• !=: Does not equal
• =: Equalsaddress must be an SGSN IP address expressed in standard IPv4 or IPv6 notation.The following command defines a rule expression to match user traffic based on SGSN node IP address 1.1.1.1:bearer sgsn-address = 1.1.1.1Important: This functionality is available only if the Content Access Control [699-00-0011] license has been installed on the chassis.
[ no ] bearer traffic-group operator group_numberoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsgroup_number must be an integer from 1 through 255.Use this command to define rule expressions to match traffic group value. See the fa-ha-spi command in the HA Service Configuration Mode Commands chapter for more information.This command specifies the quota state of a subscriber for prepaid credit control service. Release 12.0 onwards, this command should be used as a post-processing rule. For more information on post-processing policy command, refer to ACS Rulebase Configuration Mode Commands chapter in this guide.operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsThe following command defines a rule expression to match user traffic based on CCA quota state limit-reached:This command defines rule expressions to match the redirect-indicator state of the credit control application. Release 12.0 onwards, this command should be used as a post-processing rule. For more information on post-processing policy command, refer to ACS Rulebase Configuration Mode Commands chapter in this guide.[ no ] cca redirect-indicator operator redirect_indicatoroperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsredirect_indicator must be an integer from 0 through 4294967295.Important: For the RADIUS server configured with different values to return for this AVP the ACS requires rule definitions to match the different values for system to associate with charging actions that have different redirect URLs configured.
Following command defines a rule expression to match redirect indicator 1234 for URL redirect AVP:[ no ] dns answer-name [ case-sensitive ] operator valueoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withvalue must be an alpha and/or numeric string of 1 through 255 characters in length, and can contain punctuation characters.dns answer-name = test[ no ] dns any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] dns previous-state operator previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsprevious_state must be one of the following:
•
• [ no ] dns query-name [ case-sensitive ] operator query_nameoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withquery_name must be an alpha and/or numeric string of 1 through 255 characters in length, and can contain punctuation characters.dns query-name = test[ no ] dns return-code operator return_codeoperator must be one of the following:
• !=: Does not equal
• =: Equalsreturn_code must be one of the following:
•
• [ no ] dns state operator dns_current_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsdns_current_state must be one of the following:
•
• [ no ] dns tid operator tid_valueoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalstid_value must be an integer from 1 through 65535.dns tid = test[ no ] email { cc | content { class | type } | from | size | subject | to } [ case-sensitive ] operator valueoperator must be one of the following except for size:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withoperator must be one of the following for size:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsThe value of the specified field. value must be an alpha and/or numeric string (allows punctuation characters) as follows:
• cc: A string of 1 through 512 characters in length
• content: A string of 1 through 128 characters in length
• from: A string of 1 through 64 characters in length
• size: A range of bytes from 1 through 4000000000 bytes
• subject: A string of 1 through 128 characters in length
• to: A string of 1 through 512 characters in lengthThe following command defines a rule expression to analyze user traffic for the occurrence of triangle in the “cc” field of e-mail messages:email cc contains triangle@xyz.com[ no ] file-transfer any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] file-transfer chunk-number operator chunks_numberoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalschunks_number must be an integer from 1 through 65535.The following command defines a rule expression to match 150 number of chunks:[ no ] file-transfer current-chunk-length operator current_chunk_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalscurrent_chunk_length must be an integer from 1 through 40000000.The following command defines a rule expression to match length of current HTTP chunk as 1500000 bytes:[ no ] file-transfer declared-chunk-length operator declared_chunk_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsdeclared_chunk_length must be an integer from 1 through 40000000.The following command defines a rule expression to match declared length of current HTTP chunk as 2500000 bytes:[ no ] file-transfer declared-file-size operator declared_file_sizeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsdeclared_file_size must be an integer from 1 through 40000000.[ no ] file-transfer filename [ case-sensitive ] operator file_nameoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withfile_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.[ no ] file-transfer previous-state operator previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsprevious_state must be one of the following:
• init: Specifies previous state as initialization.
• request-sent: Specifies previous state as request sent.
• transfer-error: Specifies previous state as transfer error.
• transfer-ok: Specifies previous state as transfer ok.[ no ] file-transfer state operator current_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalscurrent_state must be one of the following
• init: Specifies current state as initialization.
• request-sent: Specifies current state as request sent.
• transfer-error: Specifies current state as transfer error.
• transfer-ok: Specifies current state as transfer ok.
[ no ] file-transfer transferred-file-size operator file_transferred_sizeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsfile_transferred_size must be an integer from 1 through 4000000000.[ no ] ftp any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] ftp client-ip-address operator ip_addressoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsip_address must be the client’s IP address expressed in IPv4 dotted decimal or IPv6 colon notation.ftp client-ip-address = 1.1.1.1[ no ] ftp client-port operator port_numberoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsport_number must be an integer from 1 through 65535.[ no ] ftp command args [ case-sensitive ] operator argumentoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withargument must be a string of 1 through 127 characters in length.The following command defines a rule expression to match argument test with FTP command:ftp command args = test[ no ] ftp command id operator command_idoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsIn 9.0 and later releases, command_id must be an integer from 0 through 18.In 8.3 and earlier releases, command_id must be an integer from 0 through 15.[ no ] ftp command name operator command_nameoperator must be one of the following:
• !=: Does not equal
• =: Equalscommand_name must be one of the following:
• abor: Abort command
• cwd: Current working directory command
• eprt: eprt command
• epsv: epsv command
• list: List command
• mode: Transfer mode command
• pass: Password command
• pasv: Passive command
• port: Port command
• quit: Quit command
• rest: Restore command
• retr: Retry command
• stor: Store command
• stru: File structure command
• syst: System command
• type: Type command
• user: User command[ no ] ftp connection-type operator connection_typeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsconnection_type must be one of the following:
• 0: Unknown
• 1: Control connection
• 2: Data connection[ no ] ftp data-any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] ftp filename [ case-sensitive ] operator file_nameoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withfile_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.ftp filename = test[ no ] ftp pdu-length operator pdu_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalspdu_length must be an integer from 0 through 65535.ftp pdu-length = 9647[ no ] ftp pdu-type operator pdu_typeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalspdu_type must be one of the following:
• 0: Unknown
• 1: Command
• 2: Reply[ no ] ftp previous-state operator previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsprevious_state must be one of the following:
• [ no ] ftp reply code operator reply_codeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsreply_code must be an integer from 100 through 599.ftp reply code = 199[ no ] ftp server-ip-address operator ip_addressoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsip_address must be expressed in IPv4 decimal notation or IPv6 colon notation.ftp server-ip-address = 1.1.1.1[ no ] ftp server-port operator portoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsport must be an integer from 1 through 65535.This command defines rule expressions to match total number of bytes sent on FTP control connection.[ no ] ftp session-length operator session_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalssession_length must be an integer from 1 through 4000000000.ftp session-length = 40000operator must be one of the following:
• !=: Does not equal
• =: Equals[ no ] ftp url [ case-sensitive ] operator urloperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withurl must be an alpha and/or numeric string of 1 through 127 characters in length.The following command defines a rule expression to match the URL ftp://rfc.ietf.org/rfc/rfc1738.txt:ftp url = ftp://rfc.ietf.org/rfc/rfc1738.txt[ no ] ftp user [ case-sensitive ] operator ftp_useroperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withftp_user must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.ftp user = user1[ no ] http any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• operator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withname_of_value must be an alpha and/or numeric string of 1 through 31 characters in length.value must be an alpha and/or numeric string of 1 through 127 characters in length.operator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withname_of_value must be an alpha and/or numeric string of 1 through 31 characters in length.value must be an alpha and/or numeric string of 1 through 127 characters in length.[ no ] http content disposition [ case-sensitive ] operator content_dispositionoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withcontent_disposition must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.http content disposition = successful[ no ] http content length operator content_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalscontent_length must be an integer from 1 through 4000000000.http content length = 10000[ no ] http content type [ case-sensitive ] operator content_typeoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withcontent_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.http content type = abc100[ no ] http domain [ case-sensitive ] operator domainoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withdomain must be an alpha and/or numeric string of 1 through 127 characters in length.The following command defines a rule expression to match user traffic based on domain name testdomain:http domain = testdomain[ no ] http error operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• The following command defines a rule expression to match user traffic based on HTTP error status of TRUE:[ no ] http first-request-packet operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] http header-length operator header_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsheader_length must be an integer from 0 through 65535.http header-length = 10000[ no ] http host [ case-sensitive ] operator host_nameoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withhost_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.http host = host1[ no ] http payload-length operator payload_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalspayload_length must be an integer from 1 through 4000000000.http payload-length = 10000[ no ] http pdu-length operator pdu_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalspdu_length must be an integer from 0 through 65535.http pdu-length = 10000[ no ] http previous-state operator previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsprevious_state must be one of the following:
• init: Initialized state
• response-error: Response error state
• response-ok: Response ok state
• waiting-for-response: Waiting for response state[ no ] http referer [ case-sensitive ] operator referer_nameoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withreferer_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match HTTP referer cricket.espn.com:http referer = cricket.espn.com[ no ] http reply code operator reply_codeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsreply_code must be an integer from 100 through 599.[ no ] http request method operator request_methodoperator must be one of the following:
• !=: Does not equal
• =: Equalsrequest_method must be one of the following:
•
•
•
•
•
•
•
• The following command defines a rule expression to match user traffic based on HTTP request method connect:[ no ] http session-length operator session_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalssession_length must be an integer from 1 through 4000000000.http session-length = 200000[ no ] http state operator current_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalscurrent_state must be one of the following:
• close: Closed state
• response-error: Response error state
• response-ok: Response ok state
• waiting-for-response: Waiting for response state[ no ] http transaction-length { operator transaction_length | { { range | !range } range_from to range_to } }operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalstransaction_length must be an integer from 1 through 4000000000.
• range: Enables the range criteria for HTTP transaction length.
• !range: Disables the range criteria for HTTP transaction length.
• range_from: Specifies the start of range, in bytes, for HTTP transaction length.
• range_to: Specifies the end of range, in bytes, for HTTP transaction length.[ no ] http transfer-encoding [ case-sensitive ] operator transfer_encodingoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withtransfer_encoding must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.Use this command to define rule expressions to match transfer encoding field of HTTP general header.http transfer-encoding = user1[ no ] http uri [ case-sensitive ] operator urioperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withuri must be an alpha and/or numeric string of 1 through 127 characters in length. uri allows punctuation characters and it does not include the “host” portion.The following command defines a rule expression to match HTTP URI string http://www.somehost.com:http uri = http://www.somehost.com[ no ] http url [ case-sensitive ] operator urloperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withurl must be an alpha and/or numeric string of 1 through 127 characters in length. url allows punctuation characters and includes “host + URI” for HTTP PDUs.The following command defines a rule expression to match HTTP URL http://rfc.ietf.org/rfc/rfc1738.txt:http url = http://rfc.ietf.org/rfc/rfc1738.txt[ no ] http user-agent [ case-sensitive ] operator user_agentoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withuser_agent must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.http user-agent = xyz.123[ no ] http version [ case-sensitive ] operator http_versionoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withhttp_version must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.http version = http4.2name_of_field must be an alpha and/or numeric string of 1 through 31 characters in length.operator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match extension-header test_field for value of test_string:[ no ] icmp any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] icmp code operator codeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalscode must be an integer from 0 through 255.icmp code = 23[ no ] icmp type operator typeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalstype must be an integer from 0 through 255. For example, 0 for ECHO Reply, 3 for Destination Unreachable, and 5 for Redirect.icmp type = 123[ no ] icmpv6 any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] icmpv6 code operator codeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalscode must be an integer from 0 through 255.[ no ] icmpv6 type operator typeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalstype must be an integer from 0 through 255. For example, 0 for ECHO Reply, 3 for Destination Unreachable, and 5 for Redirect.icmpv6 type = 123This is the same as the rule expression http any-match = true.This is the same as requiring “wsp any-match = true” but “wtp any-match = false” (that is, connection-less WAP1.x).This is the same as the combined rule expression “wsp any-match = true” and “wtp any-match = true” (that is, connection-oriented WAP1.x).content-id content_idcontent_id must be an integer from 1 through 65535.This command is only effective for charging ruledefs. See the rule-application CLI command for information on how to configure charging ruledefs.Presumably, the ruledef would have another configurable like “www url contains foo", which would cause to use different content IDs when "foo" was accessed, depending upon the protocol being used.[ no ] imap any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] imap cc [ case-sensitive ] operator cc_addressoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withcc_address must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match recipient address triangle@xyz.com in the “cc” field of e-mails in IMAP messages:imap cc contains triangle@xyz.com[ no ] imap command operator commandoperator must be one of the following:
• !=: Does not equal
• =: Equalscommand must be one of the following:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
• The following command defines a rule expression to match close command in IMAP messages:[ no ] imap content class [ case-sensitive ] operator content_classoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withcontent_class must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to analyze user traffic matching content class javax.mail.internet.MimeMultipart in the “content-class” field of e-mails in the IMAP messages:imap content class contains javax.mail.internet.MimeMultipart[ no ] imap content type [ case-sensitive ] operator content_typeoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withcontent_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to analyze user traffic matching content type TEXT/plain; charset=iso-8859-1 in the ‘content-type’ field of e-mails in IMAP messages:imap content type contains TEXT/plain; charset=iso-8859-1[ no ] imap date [ case-sensitive ] operator dateoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withdate must be an alpha and/or numeric string of 1 through 127 characters in length.The following command defines a rule expression to analyze user traffic matching date Fri, 21 Nov 1997 11:00:00 -0600 in the “date” field of e-mails in IMAP messages:imap date contains Fri, 21 Nov 1997 11:00:00 -0600[ no ] imap final-reply operator final_replyoperator must be one of the following:
• !=: Does not equal
• =: Equalsfinal_reply must be one of the following:
• bad: Final reply is invalid or bad.
• no: There is no final reply.
• ok: Final reply is valid.The following command defines a rule expression to analyze user traffic matching the final-reply condition bad in the last IMAP final-reply message:[ no ] imap from [ case-sensitive ] operator from_addressoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withfrom_address must be an alpha and/or numeric string of 1 through 127 characters in length.The following command defines a rule expression to analyze user traffic matching triangle in the “from” field of e-mails in the IMAP messages:imap from contains triangle[ no ] imap mail-size operator mail_sizeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsmail_size must be an integer from 0 through 4000000000.The following command defines a rule expression to match e-mail size less than or equal to 23400 bytes:imap mail-size <= 23400[ no ] imap mailbox-size operator number_of_emailoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsnumber_of_email must be an integer from 0 through 65535.The following command defines a rule expression to match less than or equal to 1024 number of e-mail messages in a mailbox:imap mailbox-size <= 1024[ no ] imap message-type operator message_typeoperator must be one of the following:
• !=: Does not equal
• =: Equalsmessage_type must be one of the following:
• command-continuation-reply: Message with command-continuation-reply type.
• final-reply: Message is of final reply type.
• request: There is of request type.
• untagged-reply: Message of reply type, but without any tag.[ no ] imap previous-state operator previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsprevious_state must be one of the following:
• init: Message in initialization state.
• request-sent: Message in request-sent state.[ no ] imap session-length operator session_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalssession_length must be an integer from 1 through 4000000000.The following command defines a rule expression to match IMAP session length less than or equal to 4000 bytes:[ no ] imap session-previous-state operator session_previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalssession_previous_state must be one of the following:
• authenticated: Session authenticated
• connected: Session connected
• init: Session initialized
• mailbox-selected: Mailbox selected[ no ] imap session-state operator session_current_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsstate must be one of the following:
• authenticated: Session authenticating.
• connected: Session connecting.
• logout: Session logged out.
• mailbox-selected: Mailbox selecting.[ no ] imap state operator current_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalscurrent_state must be one of the following:
• request-sent: Request message sent
• response-fail: Request response failed
• response-ok: Request response is good[ no ] imap subject [ case-sensitive ] operator subjectoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withsubject must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines rule expression to match occurrence of the string My test in the “subject” field of e-mails in IMAP message:imap subject contains My test[ no ] imap to [ case-sensitive ] operator tooperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withto must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to analyze user traffic matching the occurrence xyz.com in the “to” field of e-mails in the IMAP message:imap to contains xyz.com[ no ] ip any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] ip downlink operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] ip dst-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool_name }operator: Specifies how to logically match the IP destination address.operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsip_address: Specifies IP address of the destination node for outgoing traffic in IPv4 or IPv6 standard notation. ip_address must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation.ip_address/mask: Specifies IP address of the destination node for outgoing traffic in IPv4 or IPv6 standard notation with subnet mask bit. ip_address/mask must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.!range | range: Specifies the range criteria:
• !range: Not in the range of
• range: In the range ofhost-pool host_pool_name: Specifies name of the host pool. host_pool_name must be a string of 1 through 63 characters in length.ip dst-address = 1.1.1.1[ no ] ip error operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals—available only in 8.1 and later releases
• =: Equals
• >=: Greater than or equals—available only in 8.1 and later releasesprotocol_assignment must be an integer from 0 through 255.Specifies the protocol by name. protocol must be one of the following:
•
•
•
•
•
•
• [ no ] ip server-ip-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool_name }operator: Specifies how to logically match the server IP address. operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsip_address: Specifies the server IP address in IPv4 or IPv6 standard notation. For uplink packets (from subscriber) this field matches the destination IP address in the IP header, and for downlink packets (to the subscriber) it matches the source IP address in IP header. ip_address must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation.ip_address/mask: Specifies the server IP address in IPv4 or IPv6 standard notation with subnet mask bit. For uplink packets (from subscriber) this field matches the destination IP address in the IP header, and for downlink packets (to the subscriber) it matches the source IP address in IP header. ip_address/mask must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.{ !range | range } host-pool host_pool_name!range | range: Specifies the range criteria:
• !range: Not in the range of
• range: In the range ofhost-pool host_pool_name: Specifies name of the host pool. host_pool_name must be a string of 1 through 63 characters in length.The following command defines a rule expression to match user traffic based on IP server address 1.1.1.1:ip server-ip-address = 1.1.1.1[ no ] ip src-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool_name }operator: Specifies how to logically match the IP source address.operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsip_address: Specifies IP address of the source node for incoming traffic in IPv4 or IPv6 standard notation. ip_address must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation.ip_address/mask: Specifies IP address of the source node for incoming traffic in IPv4 or IPv6 standard notation with subnet mask bit. ip_address/mask must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.{ !range | range } host-pool host_pool_name!range | range: Specifies the range criteria:
• !range: Not in the range of
• range: In the range ofhost-pool host_pool_name: Specifies name of the host pool. host_pool_name must be a string of 1 through 63 characters in length.The following command defines a rule expression to match user traffic based on IP source address 1.1.1.1:ip src-address = 1.1.1.1[ no ] ip subscriber-ip-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool_name }operator: Specifies how to logically match the subscriber IP address.operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsip_address: Specifies the subscriber IP address. Depending on the direction of packet this IP address will be either the IP source address or the IP destination address. ip_address must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation.ip_address/mask: Specifies the subscriber IP address with subnet mask bit. Depending on the direction of packet this IP address will either be the IP source address or the IP destination address. ip_address/mask must be an IPv4 address in dotted decimal notation, or an IPv6 address in colon notation with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.{ !range | range } host-pool host_pool_name!range | range: Specifies the range criteria:
• !range: Not in the range of
• range: In the range ofhost-pool host_pool_name: Specifies name of the host pool. host_pool_name must be a string of 1 through 63 characters in length.The following command defines a rule expression to match user traffic based on subscriber IP address 1.1.1.1:ip subscriber-ip-address = 1.1.1.1[ no ] ip total-length operator total_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalstotal_length must be an integer from 0 through 4096.The following command defines a rule expression to match user traffic based on IP total length of 2000 bytes:ip total-length = 2000[ no ] ip uplink operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] ip version operator ip_versionoperator must be = (equals).ip_version must be one of the following:
•
• [ no ] mms any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] mms bcc [ case-sensitive ] operator bcc_addressoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withbcc_address must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match recipient address containing test1 in “bcc” field of MMS messages:mms bcc contains test1[ no ] mms cc [ case-sensitive ] operator cc_addressoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withcc_address must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match recipient address containing test1 in the “cc” field of MMS messages:mms cc contains test1[ no ] mms content location [ case-sensitive ] operator stringoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match test1 in content-location field of MMS messages:[ no ] mms content type [ case-sensitive ] operator content_typeoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withcontent_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match image in content-type field of MMS messages:[ no ] mms downlink operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] mms from [ case-sensitive ] operator from_addressoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withfrom_address must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match test1 in the “from” field of MMS messages:mms from contains test1[ no ] mms message-id [ case-sensitive ] operator message_idoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withmessage_id must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match test1 in the “message ID” field of MMS messages:mms message-id contains test1[ no ] mms pdu-type operator pdu_typeoperator must be one of the following:
• !=: Does not equal
• =: Equalspdu_type must be one of the following:
• mms-pdu-type-response: This option is deprecated. Use the mms_pdu_type_m_retrieve_conf option instead.The following command defines a rule expression to match PDU type mms-pdu-type-m-http-get in the current MMS packet:[ no ] mms previous-state operator previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsprevious_state must be one of the following:
• delayed-ack-pending: This option is deprecated, use retrieve-conf-received.
• delayed-m-notify-rsp-sent: This option is deprecated, use notify-rsp-sent.
• delayed-retrieval-pending: This option is deprecated, use retrieval-pending.
• immediate-retrieval-pending: This option is deprecated, use retrieval-pending.
•
• m-send-conf-rcvd: This option is deprecated, use send-success.The following command defines a rule expression to match user traffic based on MMS previous state of retrieval-pending:[ no ] mms response status operator status_codeoperator must be one of the following:
• !=: Does not equal
• =: Equalsstatus_code must be an integer from 128 through 136.[ no ] mms state operator current_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalscurrent_state must be one of the following:
• delayed-ack-pending: This option is deprecated, use retrieve-conf-received.
• delayed-m-notify-rsp-sent: This option is deprecated, use notify-rsp-sent.
• delayed-retrieval-pending: This option is deprecated, use retrieval-pending.
• immediate-retrieval-pending: This option is deprecated, use retrieval-pending.
• m-send-conf-rcvd: This option is deprecated, use send-success.The following command defines a rule expression to match user traffic based on current state of MMS session as retrieval-failed:[ no ] mms status operator statusoperator must be one of the following:
• !=: Does not equal
• =: Equalsstatus must be an integer from 128 through 132.The following command defines a rule expression to match user traffic based on MMS current status 130:mms status = 130[ no ] mms subject [ case-sensitive ] operator subject_stringoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withsubject_string must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match test1 in “subject” field of MMS messages:mms subject contains test1[ no ] mms tid [ case-sensitive ] operator transaction_idoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withtransaction_id must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match test in TID field of MMS messages:mms tid = test[ no ] mms to [ case-sensitive ] operator to_addressoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withto_address must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match user traffic based on test in “to” field of MMS messages:mms to = test[ no ] mms uplink operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must one of the following:
•
• [ no ] mms version operator versionoperator must be one of the following:
• !=: Does not equal
• =: Equalsversion must be an integer from 1 through 65535.The following command defines a rule expression to match MMS version 1.0 in MMS packets:mms version = 1.0When a ruledef is evaluated, if the multi-line-or all-lines command is configured, the logical OR operator is applied to all the rule expressions in the ruledef to decide if the ruledef matches or not. If the multi-line-or all-lines command is not configured, the logical AND operator is applied to all the rule expressions.[ no ] p2p any-match operator conditionoperator must be one of the following:
• =: Equalscondition must be one of the following:
• TRUE: The rule matches any P2P traffic.
• FALSE: The rule does not match any P2P traffic.[ no ] p2p protocol operator protocoloperator must be = (equals).protocol must be one of the following:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
• Use this command to define rule expressions to detect P2P protocols for charging purposes. For detection purposes use the p2p-detection protocol command in the ACS Configuration Mode.[ no ] p2p traffic-type operator traffic_typeoperator must be one of the following:
• !=: Does not equal
• =: EqualsIn 11.0 and later releases, traffic_type must be one of the following:
•
• [ no ] pop3 any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] pop3 command args [ case-sensitive ] operator argumentoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withargument must be an alpha and/or numeric string of 1 through 40 characters in length, and can contain punctuation characters.pop3 command args = test[ no ] pop3 command id operator command_idoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalscommand_id must be an integer from 1 through 12.[ no ] pop3 command name operator command_nameoperator must be one of the following:
• !=: Does not equal
• =: Equalscommand_name must be one of the following:
•
•
•
•
•
•
•
•
•
•
•
• The following command defines a rule expression to match the command list sent with POP3 packets:operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equals
• range: Enables the range criteria.
• !range: Disables the range criteria.
• range_from: Specifies the start of range, and must be an integer from 1 through 4000000000.
• range_to: Specifies the end range. range_to must be an integer from 1 through 4000000000, and must be greater than range_from.mail_size must be an integer from 1 through 4000000000.pop3 mail-size = 40000operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equals
• range: Enables the range criteria.
• !range: Disables the range criteria.
• range_from: Specifies the start of range, and must be an integer from 0 through 65535.
• range_to: Specifies the end range. range_to must be an integer from 0 through 65535, and must be greater than range_from.pdu_length must be an integer from 0 through 65535.pop3 pdu-length = 1000[ no ] pop3 pdu-type operator pdu_typeoperator must be one of the following:
• !=: Does not equal
• =: Equalspdu_type must be one of the following:[ no ] pop3 previous-state operator previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsprevious_state must be one of the following:
• connected: Connected state
• data transaction: Data transaction state
• init: Initialized state
• reply-error: Reply error state
• reply-ok: Response ok state
• waiting-for-reply: Waiting for reply stateThe following command defines a rule expression to match user traffic for POP3 previous state of connected:[ no ] pop3 reply args [ case-sensitive ] operator argumentoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withargument must be an alpha and/or numeric string of 1 through 512 characters in length, and can contain punctuation characters.The following command defines a rule expression to match the argument test with POP3 replies:pop3 reply args = test[ no ] pop3 reply id operator reply_idoperator must be one of the following:
• !=: Does not equal
• =: Equalsreply_id must be one of the following:
• 0: Unknown reply
• 1: +OK
• 2: -Error[ no ] pop3 reply status operator reply_statusoperator must be one of the following:
• !=: Does not equal
• =: Equalsreply_status must be one of the following:
• +OK: Reply OK
• -ERR: Reply erroroperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalssession_length must be an integer from 1 through 4000000000.
• range: Enables the range criteria for POP3 session length.
• !range: Disables the range criteria for POP3 session length.
• range_from: Specifies the start of range of POP3 session length, and must be an integer from 1 through 4000000000 but less than or equal to range_to.
• range_to: Specifies the end of range of POP3 session length, and must be an integer from 1 through 4000000000 but greater than or equal to range_from.pop3 session-length = 40000[ no ] pop3 state operator current_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalscurrent_state must be one of the following:
•
• [ no ] pop3 user-name [ case-sensitive ] operator user_nameoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withuser_name must be an alpha and/or numeric string of 1 through 64 characters in length, and can contain punctuation characters.pop3 user-name = test[ no ] pptp any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] pptp ctrl-msg-type = message_typeThe following command configures echo-reply message type to control traffic:[ no ] pptp gre any-match = conditioncondition must be one of the following:
•
• [ no ] rtcp any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
• TRUE: The rule matches any RTCP traffic
• FALSE: The rule does not match any RTCP traffic[ no ] rtcp jitter operator jitteroperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsjitter must be an integer from 0 through 4294967295.rtcp jitter >= 12954[ no ] rtcp parent-proto operator parent_protocoloperator must be one of the following:
• !=: Does not equal
• =: Equalsparent_protocol must be one of the following:
• rtsp: Real Time Streaming Protocol
• sip: Session Initiation Protocol[ no ] rtcp pdu-length operator pdu_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsIn 8.1 and later releases, pdu_length must be an integer from 1 through 65535.In 8.0, pdu_length must be an integer from 1 through 2000.The following command defines a rule expression to match user traffic based on RTCP PDU length of 10000 bytes:rtcp pdu-length = 10000[ no ] rtcp rtsp-id [ case-sensitive ] operator rtsp_idoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withrtsp_id must be an alpha and/or numeric string of 1 through 32 characters in length.The following command defines a rule expression to match user traffic containing RTSP message ID of test1:rtcp rtsp-id contains test1[ no ] rtcp session-length operator session_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsIn 8.1 and later releases, session_length must be an integer from 1 through 4000000000. In 8.0, session_length must be an integer from 1 through 40000000.rtcp session-length = 200000[ no ] rtcp uri [ case-sensitive ] operator urioperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withuri must be an alpha and/or numeric string of 1 through 127 characters in length.The following command defines a rule expression to match user traffic for RTCP URI rtsp://www.example.org:rtcp uri = rtsp://www.example.org[ no ] rtp any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] rtp parent-proto operator parent_protocoloperator must be one of the following:
• !=: Does not equal
• =: Equalsparent_protocol must be one of the following:
• rtsp: Real Time Streaming Protocol
• sip: Session Initiation Protocol[ no ] rtp pdu-length operator pdu_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsIn 8.1 and later releases, pdu_length must be an integer from 1 through 65535. In 8.0, pdu_length must be an integer from 1 through 2000.rtp pdu-length = 1000[ no ] rtp rtsp-id [ case-sensitive ] operator rtsp_idoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withrtsp_id must be an alpha and/or numeric string of 1 through 32 characters in length.rtp rtsp-id contains test1[ no ] rtp session-length operator session_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsIn 8.1 and later releases, session_length must be an integer from 1 through 4000000000.In release 8.0, session_length must be an integer from 1 through 40000000.rtp session-length = 200000[ no ] rtp uri [ case-sensitive ] operator urioperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withuri must be an alpha and/or numeric string of 1 through 127 characters in length. uri allows punctuation characters and it does not include the “host” portion.The following command defines a rule expression to match the RTP URI string rtsp://www.example.org:rtp uri = rtsp://www.example.org[ no ] rtsp any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] rtsp content length operator content_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalscontent_length must be an integer from 0 through 65535.The following command defines a rule expression to match content length of 10000 in RTSP headers:rtsp content length = 10000[ no ] rtsp content type [ case-sensitive ] operator content_typeoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withcontent_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.rtsp content type = abc100[ no ] rtsp date [ case-sensitive ] operator dateoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withdate must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match the date 12_04_2006 in RTSP message headers:rtsp date = 12_04_2006[ no ] rtsp previous-state operator previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsprevious_state must be one of the following:
•
•
•
•
• [ no ] rtsp reply code operator reply_codeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsreply_code must be an integer from 100 through 599.[ no ] rtsp request method operator request_methodoperator must be one of the following:
• !=: Does not equal
• =: Equalsrequest_method must be one of the following requests:
•
•
•
•
•
•
•
•
• [ no ] rtsp request packet operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
• TRUE: Is request
• FALSE: Is response[ no ] rtsp rtp-seq operator sequence_numberoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalssequence_number must be an alpha and/or numeric string of 0 through 65535 characters in Normal Play Time (NPT) time format.rtsp rtp-seq = 2348This command defines rule expressions to match the “time” field in RTP-Info header of RTSP response.[ no ] rtsp rtp-time operator timeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalstime must be an alpha and/or numeric string of 1 through 2147483647 characters in Normal Play Time (NPT) time format.rtsp rtp-time = 19970123T153600Z[ no ] rtsp rtp-uri [ case-sensitive ] operator urioperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withuri must be an alpha and/or numeric string of 1 through 127 characters in length. uri allows punctuation characters and it does not include the “host” portion.The following command defines a rule expression to match user traffic based on RTP-URI string rtsp://www.foo.com in the RTP-info header of RTSP packet:rtsp rtp-uri = rtsp://www.foo.com[ no ] rtsp session-id [ case-sensitive ] operator session_idoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withsession_id must be an alpha and/or numeric string of 1 through 127 characters in length.rtsp session-id = 0123abc100[ no ] rtsp session-length operator session_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalssession_length must be an integer from 1 through 40000000.[ no ] rtsp state operator current_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalscurrent_state must be one of the following:
•
•
•
•
•
• [ no ] rtsp uri [ case-sensitive ] operator urioperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withuri must be an alpha and/or numeric string of 1 through 127 characters in length. uri allows punctuation characters and it does not include the “host” portion.The following command defines a rule expression to match user traffic based on RTSP URI rtsp://www.example.com:554/twister/audiotrack:rtsp uri = rtsp://www.example.com:554/twister/audiotrack[ no ] rtsp uri sub-part { { absolute-path | host | query } [ case-sensitive ] operator string | port { port_operator port_value | { range | !range } range_from to range_to } }operator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length. string allows punctuation characters and it does not include the “host” portion.operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsport_value must be an integer from 0 through 65535.
• range: Enables the range criteria for RTSP flow ports.
• !range: Disables the range criteria for RTSP flow ports.
• range_from: Specifies the start of range of RTSP flow ports and value must be an integer from 0 through 65535 but less than or equal to range_to.
• range_to: Specifies the end of range of RTSP flow ports and value must be an integer from 0 through 65535 but more than or equal to range_from.The following command defines a URI sub part rule definition to analyze user traffic based on RTSP URI port number between 1023 and 1068:[ no ] rtsp user-agent [ case-sensitive ] operator user_agentoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withuser_agent must be an alpha and/or numeric string of 1 through 127 characters in length.The following command defines a rule expression to match test in “user-agent” field of RTSP header:rtsp user-agent = test[ no ] sdp any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] sdp connection-ip-address operator ip_addressoperator must be one of the following:
• !=: Does not equal
• =: Equalsip_address must be expressed in IPv4 dotted decimal notation.The following command defines a rule expression to match the IP address 1.1.1.1 in the connection field of SDP descriptions:sdp connection-ip-address = 1.1.1.1[ no ] sdp media-audio-port operator portoperator must be one of the following:
• !=: Does not equal
• =: Equalsport must be an integer from 0 through 65535.The following command defines a rule expression to match media audio port 100 in the media sections of SDP descriptions:[ no ] sdp media-video-port operator portoperator must be one of the following:
• !=: Does not equal
• =: Equalsport must be an integer from 0 through 65535.The following command defines a rule expression to match media video port 100 in the media sections of SDP descriptions:[ no ] sdp uplink operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
• FALSE: Is not uplink
• TRUE: Is uplink[ no ] secure-http any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] secure-http uplink operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
• FALSE: Is not uplink
• TRUE: Is uplink[ no ] sip any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] sip call-id [ case-sensitive ] operator call_idoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withcall_id must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match the call ID test in SIP messages:sip call-id = test[ no ] sip content length operator content_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalscontent_length must be an integer from 0 through 65535.The following command defines a rule expression to match the content length 10000 in SIP headers:sip content length = 10000[ no ] sip content type [ case-sensitive ] operator content_typeoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withcontent_type must be an alpha and/or numeric string of 1 through 127 characters in length.The following command defines a rule expression to match content type download_string in SIP headers:sip content type = download_string[ no ] sip from [ case-sensitive ] operator stringoperator must be one of the following:operator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match test1 in the “from” field in SIP messages:sip from contains test1[ no ] sip previous-state operator previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsprevious_state must be one of the following:
• The following command defines a rule expression to match user traffic based on the SIP previous state of request-sent:[ no ] sip reply code operator reply_codeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsreply_code must be an integer from 100 through 699.The following command defines a rule expression to match 150 in the reply code in SIP responses:sip reply code = 150[ no ] sip request method operator methodoperator must be one of the following:
• !=: Does not equal
• =: Equalsmethod must be one of the following:
•
•
•
•
•
• The following command defines a rule expression to match the method bye in SIP request messages:[ no ] sip request packet operator conditionoperator must be one of the following:
• =: Equals
• !=: Does not equalcondition must be one of the following:
• FALSE: Is a response
• TRUE: Is a request[ no ] sip state operator current_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalscurrent_state must be one of the following:The following command defines a rule expression to match user traffic based on SIP current state request-sent:[ no ] sip to [ case-sensitive ] operator to_addressoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withto_address must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match test1 in the “to” field of SIP messages:sip to contains test1[ no ] sip uri [ sub-part { headers | host | parameters | port | userinfo } ] [ case-sensitive ] operator uri
• headers: Apply the rule to SIP URI header field.
• host: Apply the rule the SIP URI host field.
• parameters: Apply the rule to the SIP URI parameters field.
• port: Apply the rule to the SIP URI port field.
• userinfo: Apply the rule to the SIP URI userinfo field.operator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withThe string for sub-part keyword port must be an integer and requires different operators. Use the following operators with the port keyword:
• !=: Does not equal
• <=: Is less than
• =: Equals
• >=: Is greater thanuri must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The string for sub-part keyword port must be an integer from 0 through 65535.The following command defines a rule expression to match the URI string sip:1.1.1.1:5060 in SIP messages:sip uri = sip:1.1.1.1:5060The following command defines a rule expression to match the URI string sip:nnnn@host:5060;user=phone in SIP messages:sip uri = sip:nnnn@host:5060;user=phone[ no ] smtp any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] smtp command arguments [ case-sensitive ] operator argumentoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withargument must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.[ no ] smtp command id operator command_idoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalscommand_id must be an integer from 0 through 10.[ no ] smtp command name operator command_nameoperator must be one of the following:
• !=: Does not equal
• =: Equalscommand_name must be one of the following:
•
•
•
•
•
•
•
•
•
• The following command defines a rule expression to match data command in SMTP packets:operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsmail_size must be an integer from 1 through 40000000.
• range: Enables the range criteria.
• !range: Disables the range criteria.
• range_from: Specifies the start of range, and must be an integer from 1 through 40000000.
• range_to: Specifies the end range. range_to must be an integer from 1 through 40000000, and must be greater than range_from.smtp mail-size = 40000operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalspdu_length must be an integer from 1 through 65535.
• range: Enables the range criteria.
• !range: Disables the range criteria.
• range_from: Specifies the start of range, and must be an integer from 1 through 65535.
• range_to: Specifies the end range. range_to must be an integer from 1 through 65535, and must be greater than range_from.smtp pdu-length = 1600[ no ] smtp previous-state operator previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsprevious_state must be one of the following:
• close: Closed state
• init: Initialized state
• response-error: Reply error state
• response-ok: Response ok state
• waiting-for-response: Waiting for response stateThe following command defines a rule expression to match user traffic based on SMTP previous state close:[ no ] smtp recipient [ case-sensitive ] operator argumentoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withargument must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match recipient e-mail ID containing test in the current SMTP transaction:[ no ] smtp reply arguments [ case-sensitive ] operator argumentoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withargument must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.The following command defines a rule expression to match reply argument test in SMTP response:[ no ] smtp reply id operator reply_idoperator must be one of the following:
• !=: Does not equal
• =: Equalsreply_id must be one of the following:
• 0: +NO reply
• 1: +OK reply
• 2: -ERR replyThe following command defines a rule expression to match reply ID 2 assigned to SMTP response:[ no ] smtp reply status operator reply_statusoperator must be one of the following:
• !=: Does not equal
• =: Equalsreply_status must be one of the following:
• +OK: Response OK
• -ERR: Response errorThe following command defines a rule expression to match reply status +OK in SMTP packets:[ no ] smtp sender [ case-sensitive ] operator senderoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withsender must be an alpha/or numeric string of 1 through 127 characters in length.The following command defines a rule expression to match sender e-mail ID containing test in the current SMTP transaction:smtp sender contains testoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalssession_length must be an integer from 1 through 40000000.
• range: Enables the range criteria.
• !range: Disables the range criteria.
• range_from: Specifies the start of range, and must be an integer from 1 through 40000000.
• range_to: Specifies the end range. range_to must be an integer from 1 through 40000000, and must be greater than range_from.smtp session-length = 4000000[ no ] smtp state operator current_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalscurrent_state must be one of the following:
• close: Closed state
• init: Initialized state
• response-error: Response of error state
• response-ok: Response of ok state
• waiting-for-response: Waiting for response stateThe following command defines a rule expression to match current state as close of SMTP command session:[ no ] tcp analyzed out-of-order operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
• FALSE: Not analyzed
• TRUE: Analyzed[ no ] tcp any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
• FALSE: Not analyzed
• TRUE: Analyzedoperator must be one of the following:
• !=: Does not equal
• =: EqualsThe following command defines a rule expression to match user traffic based on TCP connection initiator subscriber:[ no ] tcp downlink operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] tcp dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsport_number must be an integer from 1 through 65535.
• !range: Not in the range
• range: In the range
• start_range must be an integer from 1 through 65535.
• end_range must be an integer from 1 through 65535, and must be greater than start_range.port-map port_map_nameport_map_name must be a string of 1 through 63 characters in length.[ no ] tcp duplicate operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
• FALSE: Not duplicated/retransmitted
• TRUE: Duplicated/retransmitted[ no ] tcp either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsport_number must be an integer from 1 through 65535.
• !range: Not in the range
• range: In the range
• start_range must be an integer from 1 through 65535.
• end_range must be an integer from 1 through 65535, and must be greater than start_range.port-map port_map_nameport_map_name must be a string of 1 through 63 characters in length.The following command defines a rule expression to match destination/source port number 10 in TCP header:[ no ] tcp error operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] tcp flag operator flagoperator must be one of the following:
• !contains: Does not contain
• contains: Contains
• !=: Does not equal
• =: Equalsflag must be one of the following:
• ack: TCP FLAG ACK
• fin: TCP FLAG FIN
• push: TCP FLAG PUSH
• reset: TCP FLAG RESET
• syn: TCP FLAG SYNThe following command defines a rule expression to match reset within flag field of TCP headers:[ no ] tcp initial-handshake-lost operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• hex-signature hex_stringhex_string must be a dash-delimited list of hex data of size smaller than 32.string-signature stringstring must be a string of 1 through 32 characters in length.[ no ] tcp payload-length operator payload_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalspayload_length must be an integer from 0 through 40000000.tcp payload-length = 10000[ no ] tcp previous-state operator previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsprevious_state must be one of the following:
•
•
•
•
• The following command defines a rule expression to match user traffic based on previous state time-wait:[ no ] tcp proxy-prev-state operator previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsprevious_state must be one of the following:
•
•
•
•
• tcp state and tcp prev-state is the state of the client stack, which would be either the state of the subscriber's stack (if flow is not proxy enabled) or the MS state of proxy on egress-side (if it is proxy-enabled flow).tcp proxy-state and tcp proxy-prev-state is the state of the embedded TCP proxy server, that is the proxy ingress-side.So, depending on the use case, if using tcp state and tcp prev-state existing configuration may work fine regardless of whether proxy is enabled. For other use cases, other ruledefs may have to be created.Both tcp state and tcp proxy-state can be used in the same ruledef. If proxy was being used, they would map to the egress-side and ingress-side, respectively. If proxy was not being used, then this would not match ruledef because proxy state would not be applicable.[ no ] tcp proxy-state operator stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsstate must be one of the following:
•
•
•
•
• tcp state and tcp prev-state is the state of the client stack, which would be either the state of the subscriber's stack (if flow is not proxy enabled) or the MS state of proxy on egress-side (if it is proxy-enabled flow).tcp proxy-state and tcp proxy-prev-state is the state of the embedded TCP proxy server, that is the proxy ingress-side.So, depending on the use case, if using tcp state and tcp prev-state existing configuration may work fine regardless of whether proxy is enabled. For other use cases, other ruledefs may have to be created.Both tcp state and tcp proxy-state can be used in the same ruledef. If proxy was being used, they would map to the egress-side and ingress-side, respectively. If proxy was not being used, then this would not match ruledef because proxy state would not be applicable.[ no ] tcp session-length operator session_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalssession_length must be an integer from 0 through 4000000000.The following command defines a rule expression to match user traffic based on TCP session length of 2000 bytes:tcp session-length = 2000[ no ] tcp src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsport_number must be an integer from 1 through 65535.
• !range: Not in the range
• range: In the range
• start_range must be an integer from 1 through 65535.
• end_range must be an integer from 1 through 65535, and must be greater than start_range.port-map port_map_nameport_map_name must be a string of 1 through 63 characters in length.The following command defines a rule expression to analyze user traffic matching TCP source port 10:[ no ] tcp state operator current_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalscurrent_state must be one of the following:
•
•
•
•
• [ no ] tcp uplink operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] tftp any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
• FALSE: Not analyzed
• TRUE: Analyzed[ no ] tftp data-any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
• FALSE: Not analyzed
• TRUE: Analyzed[ no ] udp any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] udp downlink operator conditionoperator must be one of the following:
• =: Equalscondition must be one of the following:
•
• [ no ] udp dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsport_number must be an integer from 1 through 65535.
• !range: Not in the range
• range: In the range
• start_range must be an integer from 1 through 65535.
• end_range must be an integer from 1 through 65535, and must be greater than start_range.port-map port_map_nameport_map_name must be a string of 1 through 63 characters in length.[ no ] udp either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsport_number must be an integer from 1 through 65535.
• !range: Not in the range
• range: In the rangestart_range must be an integer from 1 through 65535.end_range must be an integer from 1 through 65535, and must be greater than start_range.port-map port_map_nameport_map_name must be a string of 1 through 63 characters in length.hex-signature hex_stringhex_string must be a dash-delimited list of hex data of size smaller than 32.string-signature stringstring must be a string of 1 through 32 characters in length.[ no ] udp src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map_name } }operator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsport_number must be an integer from 1 through 65535.
• !range: Not in the range
• range: In the rangestart_range must be an integer from 1 through 65535.end_range must be an integer from 1 through 65535, and must be greater than start_range.port-map port_map_nameport_map_name must be a string of 1 through 63 characters in length.The following command defines a rule expression to match source port number 10 in UDP headers:[ no ] udp uplink operator conditionoperator must be one of the following:
• =: Equalscondition must be one of the following:
•
• [ no ] wsp any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] wsp content type [ case-sensitive ] operator content_typeoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withcontent_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.wsp content type = test[ no ] wsp domain [ case-sensitive ] operator domainoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withdomain must be an alpha and/or numeric string of 1 through 127 characters in length.The following command defines a rule expression to match user traffic based on domain name testdomain:wsp domain = testdomain[ no ] wsp downlink operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] wsp first-request-packet operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] wsp host [ case-sensitive ] operator host_nameoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withhost_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.The following command defines a rule expression to match host name host1 in WSP headers:wsp host contains host1[ no ] wsp pdu-length operator pdu_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalspdu_length must be an integer from 1 through 65535.The following command defines a rule expression to match user traffic based on WSP PDU length of 10000 bytes:wsp pdu-length = 10000[ no ] wsp pdu-type operator pdu_typeoperator must be one of the following:
• !=: Does not equal
• =: Equalspdu_type must be one of the following:
•
•
•
•
•
•
•
•
•
•
•
• [ no ] wsp previous-state operator previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsprevious_state must be one of the following:
• [ no ] wsp reply code operator reply_codeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsreply_code must be an integer from 0 through 101.[ no ] wsp session-length operator session_lengthoperator must be one of the following:
• !=: Does not equal
• <=: less than equals
• =: Equals
• >=: greater than equalssession_length must be an integer from 1 through 65535.wsp session-length = 2000[ no ] wsp session-management { previous-state | state } operator stateoperator must be one of the following:
• !=: Does not equal
• =: Equals
•
•
•
•
• The following command defines a rule expression to match previous WSP Session Management state of connecting:[ no ] wsp state operator current_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalscurrent_state must be one of the following:
• [ no ] wsp tid operator transaction_idoperator must be one of the following:
• !=: Does not equal
• =: Equalstransaction_id must be an integer from 0 through 255.The following command defines a rule expression to match TID value of 22 for connection-less WSP:wsp tid = 22This command is deprecated, see the wsp session-length command.[ no ] wsp transfer-encoding [ case-sensitive ] operator transfer_encodingoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withtransfer_encoding must be an alpha and/or numeric string of 1 through 127 characters in length.The following command defines a rule expression to match user traffic based on WSP transfer encoding 7:[ no ] wsp uplink operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] wsp url [ case-sensitive ] operator urloperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withurl must be an alpha and/or numeric string of 1 through 127 characters in length.The following command defines a rule expression to match user traffic based on WSP URL wsp://wiki.tcl.tk:wsp url = wsp://wiki.tcl.tk[ no ] wsp user-agent [ case sensitive ] operator user_agentoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withuser_agent must be an alpha and/or numeric string of 1 through 127 characters in length.The following command defines a rule expression to match value test in user agent field in WSP headers:name must be an alpha and/or numeric string of 1 through 31 characters in length.operator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withstring must be an alpha and/or numeric string of 1 through 127 characters in length.The following command defines a rule expression to analyze user traffic containing WSP extension-header of test_field and value of test_string:wsp x-header test_field = test_string[ no ] wtp any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] wtp downlink operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• This command defines rule expressions to match Group Transmission (GTR) flag in the current WTP PDU.[ no ] wtp gtr operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] wtp pdu-length operator pdu_lengthoperator must be one of the following:
• !=: Does not equal
• =: Equalspdu_length must be an integer from 1 through 65535.wtp pdu-length = 9647[ no ] wtp pdu-type operator pdu_typeoperator must be one of the following:
• !=: Does not equal
• =: Equalspdu_type must be one of the following:
•
•
•
• [ no ] wtp previous-state operator previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsprevious_state must be one of the following:
•
•
• The following command defines a rule expression to match user traffic based on WTP previous state of ack-sent:[ no ] wtp rid operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] wtp state operator current_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalscurrent_state must be one of the following:
•
•
•
• The following command defines a rule expression to match user traffic based on current WTP state close:[ no ] wtp tid operator transaction_idoperator must be one of the following:
• !=: Does not equal
• =: Equalstransaction_id must be an integer from 0 through 65535.The following command defines a rule expression to match user traffic containing WTP TID value of 22:wtp tid = 22[ no ] wtp transaction class operator transaction_classoperator must be one of the following:
• !=: Does not equal
• =: Equalstransaction_class must be an integer from 0 through 2.The following command defines a rule expression to match WTP traffic based on WTP transaction class 2:[ no ] wtp ttr operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] wtp uplink operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] www any-match operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] www content type [ case-sensitive ] operator content_typeoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withcontent_type must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.www content type = test[ no ] www domain [ case-sensitive ] operator domainoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withdomain must be an alpha and/or numeric string of 1 through 127 characters in length.The following command defines a rule expression to match user traffic based on domain name testdomain:www domain = testdomain[ no ] www downlink operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] www first-request-packet operator conditionoperator must be one of the following:
• !=: Does not equal
• =: Equalscondition must be one of the following:
•
• [ no ] www header-length operator header_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsheader_length must be an integer from 0 through 65535.The following command defines a rule expression to match user traffic based on WWW packet header length of 10000 bytes:www header-length = 10000[ no ] www host [ case-sensitive ] operator host_nameoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withhost_name must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.www host = host1[ no ] www payload-length operator payload_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalspayload_length must be an integer from 1 through 4000000000.The following command defines a rule expression to match user traffic based on WWW payload length of 10000:www payload-length = 10000[ no ] www pdu-length operator pdu_lengthoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalspdu_length must be an integer from 0 through 65535.The following command defines a rule expression to match user traffic based on WWW PDU length of 9767 bytes:www pdu-length = 9767[ no ] www previous-state operator previous_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalsprevious_state must be one of the following:
• The following command defines a rule expression to match user traffic based on WWW previous state init:[ no ] www reply code operator reply_codeoperator must be one of the following:
• !=: Does not equal
• <=: Lesser than or equals
• =: Equals
• >=: Greater than or equalsreply_code must be an integer from 100 through 599.The following command defines a rule expression to analyze WWW user traffic based on reply code of 110:www reply code = 110[ no ] www state operator current_stateoperator must be one of the following:
• !=: Does not equal
• =: Equalscurrent_state must be one of the following:
• The following command defines a rule expression to match user traffic based on the current WWW state close:[ no ] www transfer-encoding [ case-sensitive ] operator transfer_encodingoperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withtransfer_encoding must be an alpha and/or numeric string of 1 through 127 characters in length, and can contain punctuation characters.www transfer-encoding = user1[ no ] www url [ case-sensitive ] operator urloperator must be one of the following:
• !=: Does not equal
• !contains: Does not contain
• !ends-with: Does not end with
• !starts-with: Does not start with
• =: Equals
• contains: Contains
• ends-with: Ends with
• starts-with: Starts withurl must be an alpha and/or numeric string of 1 through 127 characters in length.www url = www.abc.com
|
| Cisco Systems Inc. |
| Tel: 408-526-4000 |
| Fax: 408-527-0883 |