Force10 Networks PSeries 100-00055-01 User Manual
Page 120

Appendix B

flow
This keyword applies the rule to a specific traffic flow direction.
The flow can be in one of two states:
• established: Trigger only on established TCP connections.
• stateless: Trigger regardless of the state of the stream processor.
The direction parameter has the following options:
• to_client: Trigger on server responses from A to B.
• to_server: Trigger on client requests from A to B.
• from_client: Trigger on client requests from A to B.
• from_server: Trigger on server responses from A to B.
• no_stream: Do not trigger on rebuilt stream packets.
• only_stream: Only trigger on rebuilt stream packets.
flow: [established|stateless] [, direction];

icmp_id
This keyword checks for a specific ICMP ID value.
icmp_id: number;

icmp_seq
This keyword checks for a specific ICMP sequence value.
icmp_seq: number;

icode
This keyword checks for a specific ICMP code value.
icode: [>|<] number [{>|<} number];

id
This keyword checks the IP ID field for the specified value.
id: number;

ip_proto
This keyword inspects the IP protocol header.
ip_proto: [!|>|<] {name | number};

itype
This keyword checks for the specified ICMP type value.
itype: [>|<] number [{>|<} number];

nocase
This keyword matches strings without regard for capitalization. This keyword modifies the content keyword.
nocase;

protocol
Enter the protocol.
{ICMP | UDP | TCP | IP}

seq
This keyword checks for the specified TCP sequence number.
seq: number;

source address
Enter the address from which traffic is arriving. The
A.B.C.D/{subnet_mask}

destination address
Enter the address to which traffic is destined.
A.B.C.D/{subnet_mask}

source port
Enter the port from which traffic is arriving.
port_number

destination port
Enter the port to which traffic is destined.
port_number

tos
This keyword checks for the specified ToS value.
tos: [!] number;

Table 28 Description of P-Series Snort Keywords
Columns: Keyword, Description, Rule Syntax
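
A linter for the option syntax listed in Table 28, added here as an example and not taken from the Force10 manual. The function names and sample option strings are constructed, the content:"..." form is assumed from standard Snort syntax, and keywords not on this page are ignored rather than flagged.

```python
import re

# Value grammars transcribed from Table 28 as printed on this page.
FLOW_STATES = {"established", "stateless"}
FLOW_DIRECTIONS = {"to_client", "to_server", "from_client", "from_server",
                   "no_stream", "only_stream"}
RANGE = r"[<>]?\s*\d+(\s*[<>]\s*\d+)?"      # [>|<] number [{>|<} number]
VALUE_PATTERNS = {
    "icmp_id": r"\d+", "icmp_seq": r"\d+", "id": r"\d+", "seq": r"\d+",
    "icode": RANGE, "itype": RANGE,
    "ip_proto": r"[!<>]?\s*\w+",             # [!|>|<] {name | number}
    "tos": r"!?\s*\d+",                      # [!] number
}

def split_options(body):
    """Split on ';', ignoring semicolons inside double-quoted strings."""
    parts = re.findall(r'(?:[^;"]|"[^"]*")+', body)
    return [p.strip() for p in parts if p.strip()]

def lint_options(body):
    """Return the problems found in one rule's option string."""
    problems, seen_content = [], False
    for opt in split_options(body):
        name, _, value = (p.strip() for p in opt.partition(":"))
        if name == "content":
            seen_content = True
        elif name == "flow":
            tokens = [t.strip() for t in value.split(",")]
            bad = [t for t in tokens if t not in FLOW_STATES | FLOW_DIRECTIONS]
            if bad:
                problems.append(f"flow: unknown value(s) {bad}")
            if sum(t in FLOW_STATES for t in tokens) > 1:
                problems.append("flow: more than one state given")
        elif name == "nocase":
            if value:
                problems.append("nocase: takes no argument")
            if not seen_content:
                problems.append("nocase: no content option precedes it")
        elif name in VALUE_PATTERNS:
            if not re.fullmatch(VALUE_PATTERNS[name], value):
                problems.append(f"{name}: bad value {value!r}")
        # Keywords not listed on this page are ignored, not flagged.
    return problems

# Constructed option strings, not taken from the manual.
GOOD = 'flow: established, to_server; content:"a;b"; nocase; tos: !4;'
BAD = 'flow: established, to_sever; nocase; icode: >>3; ip_proto: !icmp;'

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(sample, "->", lint_options(sample) or "ok")
```

Running such a check before loading rules catches misspelled flow directions and malformed ranges that would otherwise leave a rule rejected or silently not matching.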