8.2.1.1 Header conditions

Header conditions limit the applicability of the signature to the subset of traffic whose packet headers match. For TCP, this match is performed only on the first packet of a connection; for other protocols, it is performed on every individual packet. There are pre-defined header conditions for some of the most commonly used header fields:

dst-ip comp address-list
    Destination address of IP packet (may include CIDR masks for specifying networks)
dst-port comp integer-list
    Destination port of TCP or UDP packet
ip-proto comp protocol-list
    IP protocol; protocol may be tcp, udp, or icmp.
src-ip comp address-list
    Source address of IP packet (may include CIDR masks for specifying networks)
src-port comp integer-list
    Source port of TCP or UDP packet

comp is one of ==, !=, <, <=, >, >=. All lists are comma-separated values of the given type which are sequentially compared against the corresponding header field. If at least one of the comparisons evaluates to true, the whole header condition matches (exception: if comp is !=, the header condition only matches if all values differ). address is a dotted IP address optionally followed by a CIDR /mask to define a subnet instead of an individual address. protocol is either one of ip, tcp, udp and icmp, or an integer.

In addition to these pre-defined shortcuts, a general header condition can be defined either as

header proto[offset:size] comp value-list

or as

header proto[offset:size] & integer comp value-list

This compares the value found at the given position of the packet header with a list of values. offset defines the position of the value within the header of the protocol defined by proto (which can be ip, tcp, udp or icmp). size is either 1, 2, or 4 and specifies that the value is this many bytes long. If the optional & integer is given, the packet's value is first masked with the integer before it is compared to the value-list. comp is one of ==, !=, <, <=, >, >=. value-list is a list of comma-separated integers similar to those described above. The integers within the list may be followed by an additional /mask where mask is a value from 0 to 32. This corresponds to the CIDR notation for netmasks and is translated into a corresponding bitmask which is applied to the packet's value prior to the comparison (similar to the optional & integer).

Putting it all together, this is an example which is equivalent to dst-ip == 1.2.3.4/16, 5.6.7.8/24:

header ip[16:4] == 1.2.3.4/16, 5.6.7.8/24
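To make the matching rules above concrete, here is an added Python model of how a generic header condition is evaluated (example code written for this page, not Bro's own signature engine): it parses `header proto[offset:size] [& integer] comp value-list`, extracts the field from a constructed IPv4 header, applies the optional `& integer` pre-mask and the per-value `/mask` bitmask, and applies the any-match rule with the all-must-differ exception for `!=`. The scaling of a `/mask` to fields narrower than 4 bytes, and the `ipv4_header` builder, are assumptions of this example.

```python
import ipaddress
import operator
import re
import struct

# Relational operators a header condition may use (comp on the page).
COMPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
         "<=": operator.le, ">": operator.gt, ">=": operator.ge}

# header proto[offset:size] [& integer] comp value-list
COND_RE = re.compile(
    r"^header\s+(?P<proto>ip|tcp|udp|icmp)\[(?P<off>\d+):(?P<size>[124])\]"
    r"(?:\s*&\s*(?P<andmask>\S+))?\s*(?P<comp>==|!=|<=|>=|<|>)\s*(?P<values>.+)$")

def to_int(tok):  # dotted IPv4 address, hex or decimal integer -> int
    if "." in tok:
        return int(ipaddress.IPv4Address(tok))
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)

def parse_value(tok, size):
    """'1.2.3.4/16' or '80' -> (int, bitmask). /mask keeps the high bits, CIDR
    style; exact for size 4, scaled to the field width for smaller sizes (assumption)."""
    val, _, bits = tok.strip().partition("/")
    width = 8 * size
    full = (1 << width) - 1
    if not bits:
        return to_int(val), full
    keep = min(int(bits), width)
    return to_int(val), full & ~((1 << (width - keep)) - 1)

def match_header(cond, headers):
    """Evaluate one generic header condition against {proto: header bytes}."""
    m = COND_RE.match(cond)
    if not m:
        raise ValueError("not a header condition: " + cond)
    off, size = int(m["off"]), int(m["size"])
    pv = int.from_bytes(headers[m["proto"]][off:off + size], "big")
    if m["andmask"]:                       # optional '& integer' pre-mask
        pv &= to_int(m["andmask"])
    comp = COMPS[m["comp"]]
    results = [comp(pv & mask, v & mask)
               for v, mask in (parse_value(t, size) for t in m["values"].split(","))]
    # One matching value suffices, except for != where every value must differ.
    return all(results) if m["comp"] == "!=" else any(results)

def ipv4_header(src, dst, proto=6, flags_frag=0x4000):
    """Constructed 20-byte IPv4 header (no options); dst lands at offset 16."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_frag, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
```

With a header whose destination is 1.2.200.5, `match_header("header ip[16:4] == 1.2.3.4/16, 5.6.7.8/24", {"ip": ipv4_header("10.0.0.1", "1.2.200.5")})` returns True because the /16 mask reduces both sides to 1.2.0.0.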