IP header options

Use IP header options to check the properties of the IP header.

ip_id

Check the IP ID field for a specific value.

Syntax:

--ip_id <number>;

Example:

--ip_id 32212;

ip_tos

Check the IP TOS field for a specific value.

Syntax:

--ip_tos <number>;

Example:

--ip_tos 4;

ip_ttl

Check the IP time-to-live field value.

Syntax:

--ip_ttl <number>;

--ip_ttl ><number>;

--ip_ttl <<number>;

Example:

--ip_ttl <4;

ip_option

Check the IP options.

Syntax:

--ip_option <option>;

The following values can be tested:

<option>	Description
`rr`	Record route
`eol`	End of list
`nop`	No operation
`ts`	Internet timestamp
`sec`	Security
`lsrr`	Loose source routing
`lsrre`	Loose source routing for MS99-038 and CVE 199-0909
`ssrr`	Strict source routing
`satid`	Stream ID
`any`	Any IP options

Example:

--ip_option ts;

same_ip

Check whether src_addr is the same as dst_addr. No value required for this option.

Example:

--same_ip;

src_addr

Check the source IP address.

Syntax:

--src_addr <IP address>;

The IP address can be in the following formats:

x.y.z.u
x.y.z.u/n
x.y.z.u:n
ab:cd:ef:gh:ij:kl:mn:op
ab:cd:ef::mn:op

The prefix ! means exclude the addresses. Multiple addresses should be between square brackets [ ], separated by commas.

Examples:

--src_addr !10.10.10.1;

--src_addr 10.10.10.0:24;

--src_addr fde0:6477:1e3f::1:b9;

dst_addr

Check the destination IP address.

Syntax:

--dst_addr <IP address>;

Refer to src_addr for the IP address format.

Examples:

--dst_addr 10.10.10.0/24;

--dst_addr ![10.10.0/24, 10.10.20.0:24]:

--dst_addr fde0:6477:1e3f::2:ba;

ip_ver

The IP version number.

Example:

Detect IP version 6 packets

--ipver 6

ipv6h

Detect next header value in IPv6 header. The value must be a decimal number. ipv6h can only be used when ipver 6 is present.

Examples:

Detect IPV6 packets for which the next header is a hop-by-hop option:

--ipver6; --ipv6h 0;

Detect ICMPv6 packets for which the type value is 135 and the code value is 0:

--ipver6; --ipv6h 58; --protocol icmp; --icmp_type 135; --icmp code 0;

ip.total_length, ip.id, ip.ttl, ip.checksum

Check fields total_length, id, ttl, and checksum in the IPv4 header.

Syntax:

--ip.[decorations] <operator> <value>;

Valid operators: =, !=, >=, <=, &, |, ^, and in.

Examples:

--ip.total_length >= 402;

--ip.id & 0xff = 0x37;

--ip.ttl in [64,65];

--ip.checksum != 0xff;

ip6.payload_length, ip6.next_header, ip6.hop_limit

Check fields payload_length, next_header, and hop_limit in IPv6 header.

Syntax:

--ip6.[decorations] <operator> <value>;

Valid operators: =, !=, >=, <=, &, |, ^, and in.

Examples:

--ip6.payload_length > 40;

--ip6.hop_limit < 0x4f;

--ip6.next_header in [1, 2];

ip [offset]

Access any fields in IPv4 header in a freelance mode.

Syntax:

--ip[offset] <operator> <value> [, word size] [, endianness];

Both word size and endianness are optional. By default, the engine uses big endian and BYTE, respectively. Valid operators: =, !=, >=, <=, &, |, ^, and in.

Examples:

--ip[2] >= 402,word;

--ip[4] & 0xff = 0x37,word;

ip6 [offset]

Access any fields in IPv6 header in a freelance mode.

Syntax:

--ip6[offset] <operator> <value> [, word size] [, endianness];

Both word size and endianness are optional. By default, the engine uses big endian and BYTE, respectively. Valid operators: =, !=, >=, <=, &, |, ^, and in.

Example:

--ip6[4] > 40,word;

IP header options

Use IP header options to check the properties of the IP header.

ip_id

Check the IP ID field for a specific value.

Syntax:

--ip_id <number>;

Example:

--ip_id 32212;

ip_tos

Check the IP TOS field for a specific value.

Syntax:

--ip_tos <number>;

Example:

--ip_tos 4;

ip_ttl

Check the IP time-to-live field value.

Syntax:

--ip_ttl <number>;

--ip_ttl ><number>;

--ip_ttl <<number>;

Example:

--ip_ttl <4;

ip_option

Check the IP options.

Syntax:

--ip_option <option>;

The following values can be tested:

<option>	Description
`rr`	Record route
`eol`	End of list
`nop`	No operation
`ts`	Internet timestamp
`sec`	Security
`lsrr`	Loose source routing
`lsrre`	Loose source routing for MS99-038 and CVE 199-0909
`ssrr`	Strict source routing
`satid`	Stream ID
`any`	Any IP options

Example:

--ip_option ts;

same_ip

Check whether src_addr is the same as dst_addr. No value required for this option.

Example:

--same_ip;

src_addr

Check the source IP address.

Syntax:

--src_addr <IP address>;

The IP address can be in the following formats:

x.y.z.u
x.y.z.u/n
x.y.z.u:n
ab:cd:ef:gh:ij:kl:mn:op
ab:cd:ef::mn:op

The prefix ! means exclude the addresses. Multiple addresses should be between square brackets [ ], separated by commas.

Examples:

--src_addr !10.10.10.1;

--src_addr 10.10.10.0:24;

--src_addr fde0:6477:1e3f::1:b9;

dst_addr

Check the destination IP address.

Syntax:

--dst_addr <IP address>;

Refer to src_addr for the IP address format.

Examples:

--dst_addr 10.10.10.0/24;

--dst_addr ![10.10.0/24, 10.10.20.0:24]:

--dst_addr fde0:6477:1e3f::2:ba;

ip_ver

The IP version number.

Example:

Detect IP version 6 packets

--ipver 6

ipv6h

Detect next header value in IPv6 header. The value must be a decimal number. ipv6h can only be used when ipver 6 is present.

Examples:

Detect IPV6 packets for which the next header is a hop-by-hop option:

--ipver6; --ipv6h 0;

Detect ICMPv6 packets for which the type value is 135 and the code value is 0:

--ipver6; --ipv6h 58; --protocol icmp; --icmp_type 135; --icmp code 0;

ip.total_length, ip.id, ip.ttl, ip.checksum

Check fields total_length, id, ttl, and checksum in the IPv4 header.

Syntax:

--ip.[decorations] <operator> <value>;

Valid operators: =, !=, >=, <=, &, |, ^, and in.

Examples:

--ip.total_length >= 402;

--ip.id & 0xff = 0x37;

--ip.ttl in [64,65];

--ip.checksum != 0xff;

ip6.payload_length, ip6.next_header, ip6.hop_limit

Check fields payload_length, next_header, and hop_limit in IPv6 header.

Syntax:

--ip6.[decorations] <operator> <value>;

Valid operators: =, !=, >=, <=, &, |, ^, and in.

Examples:

--ip6.payload_length > 40;

--ip6.hop_limit < 0x4f;

--ip6.next_header in [1, 2];

ip [offset]

Access any fields in IPv4 header in a freelance mode.

Syntax:

--ip[offset] <operator> <value> [, word size] [, endianness];

Both word size and endianness are optional. By default, the engine uses big endian and BYTE, respectively. Valid operators: =, !=, >=, <=, &, |, ^, and in.

Examples:

--ip[2] >= 402,word;

--ip[4] & 0xff = 0x37,word;

ip6 [offset]

Access any fields in IPv6 header in a freelance mode.

Syntax:

--ip6[offset] <operator> <value> [, word size] [, endianness];

Both word size and endianness are optional. By default, the engine uses big endian and BYTE, respectively. Valid operators: =, !=, >=, <=, &, |, ^, and in.

Example:

--ip6[4] > 40,word;

Custom IPS and Application Control Signature Syntax Guide

IP header options

IP header options

ip_id

Syntax:

Example:

ip_tos

Syntax:

Example:

ip_ttl

Syntax:

Example:

ip_option

Syntax:

Example:

same_ip

Example:

src_addr

Syntax:

Examples:

dst_addr

Syntax:

Examples:

ip_ver

Example:

ipv6h

Examples:

ip.total_length, ip.id, ip.ttl, ip.checksum

Syntax:

Examples:

ip6.payload_length, ip6.next_header, ip6.hop_limit

Syntax:

Examples:

ip [offset]

Syntax:

Examples:

ip6 [offset]

Syntax:

Example:

IP header options

ip_id

Syntax:

Example:

ip_tos

Syntax:

Example:

ip_ttl

Syntax:

Example:

ip_option

Syntax:

Example:

same_ip

Example:

src_addr

Syntax:

Examples:

dst_addr

Syntax:

Examples:

ip_ver

Example:

ipv6h

Examples:

ip.total_length, ip.id, ip.ttl, ip.checksum

Syntax:

Examples:

ip6.payload_length, ip6.next_header, ip6.hop_limit

Syntax:

Examples:

ip [offset]

Syntax:

Examples:

ip6 [offset]

Syntax:

Example: