### ip and port Fields
Some attacks take effect only on specific ports or IP addresses. To restrict detection to particular ports or IP addresses, use the **ip** and **port** fields.

#### ip Field

Syntax format of the **ip** field:

```
ip: {src|dst}, {!}, <ip-address>;
```

Description of keywords:

| Keyword | Description |
| ---------- | ------------------------------------------------------------ |
| ip | Declares the **ip** detection field. |
| src | Checks the source IP address when the current flow is set up. |
| dst | Checks the destination IP address when the current flow is set up. |
| ! | "Not equal to" operator. The "equal to" operator is used for comparison by default. |
| ip-address | Specifies the IP address to be matched. The value can be an IPv4 or IPv6 address. A specific IP address or an IP address range can be specified. A maximum of eight values are supported. |

Example 1:

```
content:"hello"; ip:src, 127.0.0.1, 127.0.1.1/24, 127.0.2.1-127.0.2.255;
```

As shown in example 1, if the current traffic matches the **hello** feature string and the initiator's IP address of the current traffic is 127.0.0.1, or is within 127.0.1.1/24, or is within the range 127.0.2.1 to 127.0.2.255 (including 127.0.2.1 and 127.0.2.255), the rule is matched.

Example 2:

```
content:"hello"; ip:dst, !, 128.10.0.1, AD80:AD71:0000:0000:0000:0000:0001:0002-AD81:0000:0000:0000:0000:0000:0000:FFFF;
```

As shown in example 2, if the current traffic matches the **hello** feature string and the responder's IP address of the current traffic is neither 128.10.0.1 nor within the range AD80:AD71:0000:0000:0000:0000:0001:0002 to AD81:0000:0000:0000:0000:0000:0000:FFFF, the rule is matched.

**Restrictions:**

- When writing the **ip** field, **src** or **dst** must be configured to specify the source IP address or destination IP address of the first packet.
- When the **!** operator is not specified, the "equal to" operator is used for comparison by default. Note that in a rule, only one comparison operation (either "equal to" or "not equal to") can be specified for a detection direction of an IP address. For example, `ip: src, ! ,127.0.0.1; ip:src, 127.0.0.2;` is incorrect.
- A maximum of eight IP addresses (IPv4 or IPv6) can be configured, and both mask and IP address range formats are supported. Note that the mask format and range format cannot be used together. For example, `ip: src, 127.0.0.1/24-128.0.0.1/24;` is incorrect.
- The subnet mask must be written as an integer prefix length. For example, if 127.0.0.1 uses 255.255.255.0 as the subnet mask, write 127.0.0.1/24.

#### port Field

Format of the **port** field:

```
port: {src|dst}, { !|>|< }, <port-num>;
```

Description of keywords:

| Keyword | Description |
| -------- | ---------------------------------------------- |
| port | Declares the **port** detection field. |
| src | Checks the source port when the current flow is set up. |
| dst | Checks the destination port when the current flow is set up. |
| ! | "Not equal to" operator. The "equal to" operator is used for comparison by default. A port range can be configured. |
| > | "Greater than" operator. Only one port number can be configured following this operator. |
| < | "Smaller than" operator. Only one port number can be configured following this operator. |
| port-num | Port number. |

Example 1:

```
content:"hello"; port:src, 80, 8080, 8001, 8005-8009;
```

As shown in example 1, if the current traffic matches the **hello** feature string and the source port number of the current traffic is 80, 8080, or 8001, or is within the range 8005 to 8009 (including 8005 and 8009), the rule is matched.

Example 2:

```
content:"hello"; port:dst, >, 8001;
```

As shown in example 2, if the current traffic matches the **hello** feature string and the destination port number of the current traffic is greater than 8001, the rule is matched.
**Restrictions:**

- When writing the **port** field, **src** or **dst** must be configured to specify the source port or destination port of the first packet.
- Only one port number can be configured following the "greater than" or "smaller than" operator.
- A maximum of eight port numbers can be configured. In a rule, only one comparison operation (equal to, not equal to, greater than, or smaller than) can be specified for a detection direction of a port.
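The following is an added worked example, written for this page and not the vendor's own code, that parses both the **ip** and the **port** fields described above, enforces the restrictions listed for each (at most eight values, integer prefix length, no mixing of mask and range notation, a single port after `>` or `<`, one comparison per detection direction per rule), and evaluates a parsed rule against the source and destination of a flow's first packet. It assumes semantics the page does not spell out: ranges are inclusive at both ends, `!` negates the whole value list, a `/n` suffix on a host address denotes the containing subnet, and `content` is treated as a plain substring test. The helper names (`parse_rule`, `rule_matches`, `rejects`) are chosen here.

```python
"""Validator and matcher for the ip and port signature fields described above. Added example,
not the vendor's code: the grammar comes from the page; the matching semantics (inclusive
ranges, '!' negating the whole list, content as a substring test, /n on a host meaning its subnet) are assumed."""
import ipaddress

MAX_VALUES = 8  # the page allows at most eight addresses or ports per field

def _split_field(field, name):
    """Split 'name: {src|dst}, token, ...;' into the direction and the remaining tokens."""
    tokens = [t.strip() for t in field.strip().rstrip(";").partition(":")[2].split(",") if t.strip()]
    if not tokens or tokens[0] not in ("src", "dst"):
        raise ValueError(f"{name} field must start with src or dst")
    return tokens[0], tokens[1:]

def parse_ip_field(field):
    """Parse 'ip: {src|dst}, {!}, <ip-address>...;' into inclusive address ranges."""
    direction, tokens = _split_field(field, "ip")
    negate = bool(tokens) and tokens[0] == "!"
    values = tokens[1:] if negate else tokens
    if not 1 <= len(values) <= MAX_VALUES:
        raise ValueError("between one and eight IP addresses are required")
    ranges = []
    for value in values:
        if "-" in value:  # explicit range; mask notation may not be combined with it
            if "/" in value:
                raise ValueError(f"mask and range formats cannot be combined: {value}")
            low, high = (ipaddress.ip_address(v) for v in value.split("-", 1))
            if low.version != high.version or low > high:
                raise ValueError(f"invalid address range: {value}")
        else:  # single address or address/prefix; the prefix must be an integer
            if "/" in value and not value.split("/", 1)[1].isdigit():
                raise ValueError(f"subnet mask must be a prefix length: {value}")
            net = ipaddress.ip_network(value, strict=False)  # 127.0.1.1/24 -> 127.0.1.0/24
            low, high = net.network_address, net.broadcast_address
        ranges.append((low, high))
    return {"direction": direction, "negate": negate, "ranges": ranges}

def parse_port_field(field):
    """Parse 'port: {src|dst}, {!|>|<}, <port-num>...;' into an operator and ranges."""
    direction, tokens = _split_field(field, "port")
    op = tokens[0] if tokens and tokens[0] in ("!", ">", "<") else "="
    tokens = tokens[1:] if op != "=" else tokens
    if not 1 <= len(tokens) <= MAX_VALUES:
        raise ValueError("between one and eight port numbers are required")
    if op in (">", "<") and (len(tokens) != 1 or "-" in tokens[0]):
        raise ValueError(f"only one port number may follow {op}")
    ranges = []
    for value in tokens:
        low, high = (int(v) for v in value.split("-", 1)) if "-" in value else (int(value),) * 2
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"invalid port or port range: {value}")
        ranges.append((low, high))
    return {"direction": direction, "op": op, "ranges": ranges}

def ip_field_matches(parsed, src_ip, dst_ip):
    """True when the checked first-packet address is inside (or, with '!', outside) the list."""
    addr = ipaddress.ip_address(src_ip if parsed["direction"] == "src" else dst_ip)
    hit = any(lo.version == addr.version and lo <= addr <= hi for lo, hi in parsed["ranges"])
    return hit != parsed["negate"]

def port_field_matches(parsed, src_port, dst_port):
    """Apply the =, !, > or < comparison to the checked first-packet port."""
    port = src_port if parsed["direction"] == "src" else dst_port
    if parsed["op"] in (">", "<"):
        limit = parsed["ranges"][0][0]
        return port > limit if parsed["op"] == ">" else port < limit
    hit = any(lo <= port <= hi for lo, hi in parsed["ranges"])
    return hit != (parsed["op"] == "!")

def parse_rule(rule_text):
    """Parse a whole rule; a second ip or port comparison for one direction is rejected."""
    contents, fields = [], {}
    for raw in (part.strip() for part in rule_text.split(";") if part.strip()):
        name, _, body = (s.strip() for s in raw.partition(":"))
        if name == "content":
            contents.append(body.strip('"'))
        elif name in ("ip", "port"):
            parsed = parse_ip_field(raw) if name == "ip" else parse_port_field(raw)
            key = (name, parsed["direction"])
            if key in fields:
                raise ValueError(f"only one {name} comparison is allowed for {key[1]}")
            fields[key] = parsed
        else:
            raise ValueError(f"unsupported field: {name}")
    return {"contents": contents, "fields": fields}

def rule_matches(rule, payload, src_ip, dst_ip, src_port, dst_port):
    """Evaluate the content strings and every ip/port field against one flow's first packet."""
    return all(c in payload for c in rule["contents"]) and all(
        ip_field_matches(p, src_ip, dst_ip) if n == "ip" else port_field_matches(p, src_port, dst_port)
        for (n, _), p in rule["fields"].items())

def rejects(rule_text):
    """True when the rule violates one of the documented restrictions."""
    try:
        return parse_rule(rule_text) is None
    except ValueError:
        return True
```

`rejects()` is the piece worth running as a lint pass over a signature set before loading it: the two rules the page marks as incorrect (`ip: src, ! ,127.0.0.1; ip:src, 127.0.0.2;` and `ip: src, 127.0.0.1/24-128.0.0.1/24;`) are refused by `parse_rule`, as is a dotted-decimal mask or a second port after `>`. The version check in `ip_field_matches` matters for mixed lists such as example 2: an IPv4 destination is only compared against the IPv4 entries, so the IPv6 range neither matches nor raises.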