Overview
The preceding **content** detection and **pcre** detection both match feature strings. To detect fields of the numeric type, write numeric detection rules. The general format of the numeric detection syntax supported by the third-generation engine is as follows:

```
[value field]:[comparison symbol][value];
```

1. <font color=red>[value field]</font>: Name of a numeric detection field. In the third-generation engine, numeric detection fields are classified into the following types:

   - dsize, ssize, and fsize: Indicate the data packet payload size, session load size, and file load size respectively. For example:

     ```
     dsize:>1000;
     ```

     If the payload size of a data packet is greater than 1000 bytes, the rule is matched.

   - Protocol field of the **value** type: There are three types of protocol field: **content** (character string), **value** (numeric), and **length**. The **http_content_length** field indicates the value of the **Content-Length** field in the HTTP header. For example:

     ```
     http_content_length:1460;
     ```

     If the **Content-Length** field of the traffic to be detected is 1460, the rule is matched.

   - Protocol field of the **length** type: Each protocol field of the character string type has a corresponding field of the length type. The field of the length type corresponding to **http_host** is **http_host_len**. For example:

     ```
     http_host_len:1000<>1260;
     ```

     When the content length of the Host field is between 1000 and 1260, the rule is matched.

2. <font color=red>[comparison symbol]</font>: Comparison symbols. The third-generation engine supports the following five types of comparison symbols:

   - \>n: greater than n
   - \<n: smaller than n
   - n\<>m: between n and m, that is, greater than n and smaller than m
   - n: equal to n
   - !n: not equal to n
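The syntax above as a small evaluator, added here as an illustration and not the engine's own code. The names `parse_rule` and `matches` and the sample field values are hypothetical; tolerating whitespace around tokens and treating a field absent from the traffic as a non-match are assumptions.

```python
import re

# Added illustration; not the engine's parser. Grammar taken from the page:
#   [value field]:[comparison symbol][value];
RULE_RE = re.compile(
    r"^\s*(?P<field>[a-z_][a-z0-9_]*)\s*:\s*"
    r"(?:(?P<lo>\d+)\s*<>\s*(?P<hi>\d+)"      # n<>m
    r"|(?P<op>[<>!]?)\s*(?P<n>\d+))\s*;\s*$"  # >n, <n, !n, n
)

def parse_rule(text):
    """Return (field, predicate) for one numeric detection option."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"not a numeric detection option: {text!r}")
    if m.group("lo") is not None:
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo >= hi:
            raise ValueError(f"empty range in {text!r}")
        return m.group("field"), lambda v: lo < v < hi   # both bounds exclusive
    n = int(m.group("n"))
    preds = {
        ">": lambda v: v > n,
        "<": lambda v: v < n,
        "!": lambda v: v != n,
        "": lambda v: v == n,
    }
    return m.group("field"), preds[m.group("op")]

def matches(rule_text, fields):
    """Evaluate a rule against extracted numeric fields (dict name -> int).
    A field absent from the traffic never matches (assumption)."""
    field, pred = parse_rule(rule_text)
    value = fields.get(field)
    return value is not None and pred(value)

# Constructed sample: numeric fields as a decoder might extract them
# from one HTTP request.
SAMPLE = {"dsize": 1460, "http_content_length": 1460, "http_host_len": 1260}

if __name__ == "__main__":
    for rule in ("dsize:>1000;", "http_content_length:1460;",
                 "http_host_len:1000<>1260;", "http_host_len:!1260;"):
        print(f"{rule:30} -> {matches(rule, SAMPLE)}")
```

Because `n<>m` means greater than n and smaller than m, a Host length of exactly 1260 does not match `http_host_len:1000<>1260;`, which matters when a rule threshold is set at a boundary value.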