Getting Started
The detection rules used by the third-generation engine consist of basic flow information and the items to be detected. The basic flow information specifies the detection direction and scope. Among the items to be detected, **content** is used for feature-string matching, **pcre** is used for regular-expression matching, numeric detection fields are used for value detection, and the Byte_Test rule is used for byte matching. A simple example is as follows:

```
flow: from_client, message; pkt_data; content:"/index.html"; http_uri; fast_pattern; content:"test"; nocase; http_user_agent; urilen:>512; pcre:"/id=[0-9]{5,10}/Ui";
```

The elements in the rule example are described as follows:

[1] <font color=red>`flow: from_client `</font>: traffic direction. Request messages sent from the client are detected.

[2] <font color=red>`message `</font>: detection scope, which here is the message. The detection scope can also be session or packet.

[3] <font color=red>`pkt_data `</font>: detection content, which here is the traffic content. The detection content can also be **file_data**, which indicates that the file content is inspected.

[4] <font color=red>`content:"/index.html"; http_uri; fast_pattern; `</font>: the URI field in the HTTP header matches **/index.html**. **fast_pattern** modifies a **content** feature string, marking it as the string with the most distinctive threat characteristics so that it is matched first during pre-filtering.

[5] <font color=red>`content:"test"; nocase; http_user_agent; `</font>: the User-Agent field in the HTTP header matches the string **test**, case-insensitively.

[6] <font color=red>`urilen:>512 `</font>: this check item matches only when the length of the URI is greater than 512.

[7] <font color=red>`pcre:"/id=[0-9]{5,10}/Ui"`</font>: regular-expression matching checks whether the URI field matches the PCRE pattern, case-insensitively (**U** selects the URI field and **i** makes the match case-insensitive).

A packet matches the signature rule only if all the preceding conditions are met; the IPS third-generation engine then responds according to the signature action. The preceding rule is a simple example only. Other detection items supported by the third-generation engine are described in detail later.
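As an added illustration (not code from the original page or from the engine itself), the following Python parses the example rule above into its keywords and modifiers and evaluates it against constructed HTTP fields. It assumes the caller has already extracted the `http_uri`, `http_user_agent` and `pkt_data` buffers, and it treats `flow`, `message`, `pkt_data` and `fast_pattern` as scope and pre-filter hints rather than per-packet checks.

```python
import re

# The page's example rule, re-typed with straight quotes (constructed input).
RULE = ('flow: from_client, message; pkt_data; content:"/index.html"; http_uri; '
        'fast_pattern; content:"test"; nocase; http_user_agent; urilen:>512; '
        'pcre:"/id=[0-9]{5,10}/Ui";')

def parse_rule(rule):
    """Return the rule as an ordered list of (keyword, value) pairs.
    Bare modifiers (nocase, http_uri, fast_pattern, ...) get value None."""
    pairs = re.findall(r'([a-z_]+)\s*(?::\s*("[^"]*"|[^;]*))?;', rule)
    return [(k, v.strip().strip('"') if v else None) for k, v in pairs]

def compile_checks(items):
    """Turn the pairs into check dicts. A modifier applies to the content/pcre
    item that precedes it, as in the page's walkthrough. flow, message,
    pkt_data and fast_pattern only steer scope and pre-filtering, so they
    are deliberately left out of the per-packet checks (assumption)."""
    checks, cur = [], None
    for key, val in items:
        if key in ("content", "pcre"):
            cur = {"kind": key, "value": val, "buf": "pkt_data", "nocase": False}
            checks.append(cur)
        elif key in ("http_uri", "http_user_agent") and cur:
            cur["buf"] = key
        elif key == "nocase" and cur:
            cur["nocase"] = True
        elif key == "urilen":
            op, n = re.fullmatch(r"([<>]?)(\d+)", val).groups()
            checks.append({"kind": "urilen", "op": op, "n": int(n)})
    return checks

def _check(c, bufs):
    if c["kind"] == "urilen":
        n = len(bufs["http_uri"])
        return n > c["n"] if c["op"] == ">" else n < c["n"] if c["op"] == "<" else n == c["n"]
    if c["kind"] == "content":
        hay, needle = bufs[c["buf"]], c["value"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        return needle in hay
    # pcre:"/pattern/flags": U selects the URI buffer, i makes it case-insensitive
    pat, _, flags = c["value"][1:].rpartition("/")
    buf = bufs["http_uri"] if "U" in flags else bufs["pkt_data"]
    return re.search(pat, buf, re.IGNORECASE if "i" in flags else 0) is not None

def rule_matches(rule, bufs):
    """True only when every check passes (AND semantics, as the page states)."""
    return all(_check(c, bufs) for c in compile_checks(parse_rule(rule)))
```

A request whose URI is longer than 512 bytes, contains `/index.html` and an `id=` with five to ten digits, and carries `test` in its User-Agent in any case satisfies all four checks; changing any one of those fields makes the rule miss.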