Stateful rule examples – Force10 Networks PSeries 100-00055-01 User Manual

Page 70


Writing Rules

When a packet is stored in either Temporary Memory or Match Memory, a pointer to the previously stored packet in the same flow (contained in a portion of the flow register C_f) is also stored. Thus a packet stored in Match Memory may reference another packet stored in Temporary Memory, which in turn may reference more packets, thus forming a linked list of partial matches, starting with a packet stored in Match Memory.

The values for r_i have the following meanings:

1: store the packet in Temporary Memory

2: store the packet in Match Memory and notify host software

Note: If the Hash key option is selected, the R=2 flag no longer causes the packet to be stored in
Temporary Memory.

Stateful Rule Examples

Table 20 Stateful Matching Signatures

Signature 1: alert on c0 tcp any any -> any any (msg:"SYN"; flags:S; S:1; R:0; C:3;)

Signature 2: alert on c0 tcp any any -> any any (msg:"ack"; flags:A+; S:2; R:1; C:4;)

Signature 3: alert on c0 tcp any any -> any any (msg:"ack"; flags:A+; S:4; R:2; C:4;)

Signature 4: alert on c0 tcp any any -> any any (msg:"frag"; dsize: 0 <> 100; S:1; R:1; C:9;)

Signature 5: alert on c0 tcp any any -> any any (msg:"frag"; dsize: 0 <> 100; S:8; R:1; C:16;)

Signature 6: alert on c0 tcp any any -> any any (msg:"frag"; dsize: 0 <> 100; S:16; R:2; C:16;)

In Table 20:

Signature 1 matches any TCP SYN packet, erasing any expired C_f register; if this signature triggers, meaning a SYN is present, it sets bits 0 and 1 (value 3) in the C_f register. The SYN packet is discarded (R=0).

Signature 2 triggers if Signature 1 has triggered (the C_f register having bit 1 set) and a TCP packet contains an ACK bit. The result for this match is that bit 2 (value 4) is set in the C_f register. The packet is stored in Temporary Memory (R=1).

Signature 3 triggers if Signature 2 has triggered (the C_f register having bit 2 (value 4) set) and another, later TCP packet contains an ACK bit. The result for this match does not modify the existing content of the C_f register. The packet is stored in Match Memory, referencing the packet of Signature 2. The DPI driver then presents to the host the packet matched by Signature 2, followed by the packet matched by Signature 3, through the DPI network interface.
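As an added illustration, not taken from the manual or the P-Series driver, the following Python model walks the SYN / ACK / ACK chain of Signatures 1 to 3 through the C_f register and the linked list of partial matches. The reading of S:1 as a start rule, the rule evaluation order and the simplified flag tests are assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
DISCARD, TEMP_MEMORY, MATCH_MEMORY = 0, 1, 2  # the R values; R=0 is "discard" per the text
@dataclass
class Rule:                 # one Table 20 signature: packet test plus its S / R / C options
    name: str
    test: Callable[[dict], bool]
    s: int                  # state required in C_f (S:1 = start rule, an assumption here)
    r: int                  # where to store the packet
    c: int                  # bits OR'd into C_f when the rule fires
@dataclass
class Stored:               # packet kept in Temporary or Match Memory plus its back-pointer
    sig: str
    prev: Optional["Stored"]
@dataclass
class Flow:
    cf: int = 0                    # the C_f flow register
    last: Optional[Stored] = None  # newest entry of the linked list of partial matches
    fired: list = field(default_factory=list)      # signature hit by each packet, in order
    presented: list = field(default_factory=list)  # chains handed to host software
RULES = [   # the SYN / ACK / ACK chain of Table 20 (flag tests simplified)
    Rule("Signature 1", lambda p: "S" in p["flags"], s=1, r=0, c=3),
    Rule("Signature 2", lambda p: "A" in p["flags"], s=2, r=1, c=4),
    Rule("Signature 3", lambda p: "A" in p["flags"], s=4, r=2, c=4),
]
def process(flow: Flow, pkt: dict) -> Optional[str]:
    # Assumptions: S:1 is a start rule that ignores and erases prior state; any other S is a
    # bit that must already be set in C_f; rules are tried from the most advanced stage back.
    for rule in reversed(RULES):
        if rule.test(pkt) and (rule.s == 1 or flow.cf & rule.s):
            break
    else:
        return None                           # no signature fired for this packet
    if rule.s == 1:
        flow.cf = 0                           # Signature 1 erases the expired register
    flow.cf |= rule.c                         # C:3 sets bits 0 and 1, C:4 sets bit 2
    if rule.r == DISCARD:
        return rule.name                      # the SYN itself is not kept (R=0)
    flow.last = Stored(rule.name, flow.last)  # pointer to previously stored packet in flow
    if rule.r == MATCH_MEMORY:                # R=2: notify host, oldest partial match first
        chain, node = [], flow.last
        while node:
            chain.append(node.sig); node = node.prev
        flow.presented.append(chain[::-1])
    return rule.name

def run_flow(packets: list) -> Flow:
    flow = Flow()
    flow.fired = [process(flow, p) for p in packets]
    return flow
```

Feeding a constructed sequence of SYN, ACK, ACK packets of one flow yields C_f = 7 and one presented chain of the Signature 2 packet followed by the Signature 3 packet; an ACK without a prior SYN fires nothing.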
