Unsupported Snort Keywords in Protocol Inspection
Protocol Inspection custom rules use a subset of keywords from Snort rules syntax. The AFM Manual Snort rule reference lists things you CAN use, but during a call with a customer it came up that it would be useful to call out things you CAN'T use. I went through the items in the Payload Detection Rule Options section of the Snort manual and found the following:
Unsupported Snort Keywords
- protected_content
- hash
- length
- rawbytes
- http_raw_cookie
- http_raw_header
- http_raw_uri
- http_stat_code #support is intended, but a validation bug prevents use
- http_stat_msg #support is intended, but a validation bug prevents use
- http_encode
- fast_pattern #this is an allowed but ignored keyword. It is not relevant to the PI signature engine.
- uricontent
- urilen
- isdataat
- pkt_data
- file_data
- base64_decode
- base64_data
- byte_extract
- byte_math
- ftp_bounce
- asn1
- cvs
- dce_iface
- dce_opnum
- dce_stub_data
- sip_method #see SIP family of compliance checks instead
- sip_stat_code #see SIP family of compliance checks instead
- sip_header #see SIP family of compliance checks instead
- sip_body #see SIP family of compliance checks instead
- gtp_type #see GTP family of compliance checks instead
- gtp_info #see GTP family of compliance checks instead
- gtp_version #see GTP family of compliance checks instead
- ssl_version
- ssl_state
For more information on using Protocol Inspection custom signatures, refer to the AFM Manual, and "Converting a Snort Rule to an AFM Protocol Inspection Custom Signature " here on DevCentral.
Updated Apr 01, 2022
Version 2.0