Fat AP and Cloud AP V200R010C00 Command Reference

condition (user-defined signature rule view)

Function

The condition command configures a matching condition of a user-defined signature rule.

The undo condition command deletes a matching condition from a user-defined signature rule.

Format

condition [ condition-id ] field field-name operate { equal | gthan | lthan | noequal } value value-content [ direction direction | qualifier http-method http-method ] *

condition [ condition-id ] field field-name operate pmatch value value-content [ offset { offset-value | begin } ] [ depth depth-value ] [ direction direction | qualifier http-method http-method ] *

undo condition { condition-id | all }

Parameters

Parameter: condition-id
Description: Specifies the ID of a condition.
Value: An integer ranging from 1 to 4.

Parameter: field field-name
Description: Specifies the protocol field to be checked.
Value: The fields available depend on the protocol set with the protocol command in the user-defined IPS signature view. The default protocol of a user-defined signature is HTTP, so by default field-name is an HTTP protocol field.

Parameter: operate { equal | gthan | lthan | noequal }
Description: Indicates the comparison action.
Value:
  • equal: the value of field-name equals value-content.
  • gthan: the value of field-name is greater than value-content.
  • lthan: the value of field-name is less than value-content.
  • noequal: the value of field-name does not equal value-content.

Parameter: value value-content
Description: Specifies the field value.
Value:
  • If field-name is DNS.RR.A.Address, the value is an IPv4 address in dotted decimal notation.
  • If field-name is MSRPC.Interface, the value is a hexadecimal string of 32 characters.
  • For any other field-name:
    • If operate is pmatch, the value is a string of 7 to 127 characters. If the keyword contains a space or a question mark (?), enclose it in double quotation marks (""), for example "abcd wd?"; the quoted value is then 9 to 129 characters long. If the keyword itself contains a double quotation mark, replace it with \x22: to set the keyword abc"ddd, enter abc\x22ddd.
    • If operate is any other value, the value is an integer ranging from 0 to 4294967295.

Parameter: operate pmatch
Description: Sets the comparison action to pattern matching. The condition is matched if the field-name field contains the value-content string.
Value: -

Parameter: offset offset-value
Description: Specifies the offset at which pattern matching starts.
Value: An integer ranging from 0 to 65535. The default value 0 starts the search at the first byte of the field-name field; a value of 1 starts it at the second byte. The user-defined signature rule is matched as long as value-content is found within depth-value bytes of that starting point.
The offset offset-value parameter can be specified only when operate is pmatch and field-name is not MSRPC.Interface.

Parameter: begin
Description: Performs the pattern match from the start of the field-name field. The user-defined signature rule is matched only when value-content is found.
Value: -

Parameter: depth depth-value
Description: Specifies the number of bytes searched by pattern matching.
Value: An integer ranging from 7 to 65535. depth-value must be greater than the number of characters in value-content; a pattern longer than the search range can never be found.
For example, with offset-value 1 and depth-value 10, matching starts at the second byte of the field-name field and covers 10 bytes; the rule is matched as long as value-content lies within that range.
The depth depth-value parameter can be specified only when operate is pmatch and field-name is not MSRPC.Interface.

Parameter: direction direction
Description: Specifies the packet check direction.
Value:
  • both: packets from both the client and the server are checked. This is the default.
  • from-client: only packets from the client are checked.
  • from-server: only packets from the server are checked.

Parameter: qualifier
Description: Introduces a qualifier that further restricts the condition.
Value: -

Parameter: http-method http-method
Description: Checks the HTTP Method field.
Value: Supported HTTP methods are GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT, TRACE, LINK, UNLINK, PATCH, MOVE, COPY, WRAPPED, PROPFIND, and PROPPATCH.
A user-defined signature rule can contain only one HTTP method check item, and that item can specify only one method.

Parameter: all
Description: Deletes all matching conditions from the rule.
Value: -

Views

User-defined signature rule view

Default Level

2: Configuration level

Usage Guidelines

If condition-id is not specified, the system assigns the lowest ID in the range 1 to 4 that is not yet in use. For example, if conditions 1, 3, and 4 already exist and a condition is created without condition-id, the new condition receives ID 2.
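The parameter constraints and the ID assignment rule above can be checked before a line is pasted into the CLI. The following Python helper is an added example, not code from the original page or from Huawei: it builds one condition line, encodes a pmatch keyword as the value description requires (\x22 for a double quotation mark, double quotation marks around a keyword containing a space or question mark, 7 to 127 or 9 to 129 characters), picks the lowest free condition-id when none is given, and rejects combinations the reference disallows, such as offset or depth with a comparison operator or on MSRPC.Interface, or a depth that does not exceed the pattern length. The function names and the use of the raw keyword length for the depth check are this example's own assumptions.

```python
import ipaddress
import re

# The value sets and limits below are the ones stated in this command reference.
# Function and parameter names are this example's own (hypothetical).
COMPARE_OPS = ("equal", "gthan", "lthan", "noequal")
DIRECTIONS = ("both", "from-client", "from-server")
HTTP_METHODS = ("GET", "POST", "PUT", "HEAD", "DELETE", "OPTIONS", "CONNECT",
                "TRACE", "LINK", "UNLINK", "PATCH", "MOVE", "COPY", "WRAPPED",
                "PROPFIND", "PROPPATCH")


def encode_pmatch_value(keyword: str) -> str:
    """Encode a raw keyword as the token passed to 'value' with operate pmatch.

    Double quotation marks become \\x22; a keyword containing a space or '?'
    is wrapped in double quotation marks. The bare form must be 7 to 127
    characters, the quoted form 9 to 129 (checked on the encoded token).
    """
    token = keyword.replace('"', r"\x22")
    if " " in token or "?" in token:
        token = f'"{token}"'
        low, high = 9, 129
    else:
        low, high = 7, 127
    if not low <= len(token) <= high:
        raise ValueError(f"pmatch value must be {low} to {high} characters, got {len(token)}")
    return token


def next_condition_id(existing_ids) -> int:
    """Lowest free ID in 1..4, as the CLI assigns when condition-id is omitted."""
    for cid in range(1, 5):
        if cid not in existing_ids:
            return cid
    raise ValueError("a rule already holds the maximum of four conditions")


def build_condition(field, operate, value, existing_ids=(), condition_id=None,
                    offset=None, depth=None, direction=None, http_method=None) -> str:
    """Return one validated 'condition ...' line for the user-defined signature rule view."""
    if condition_id is None:
        condition_id = next_condition_id(set(existing_ids))
    if not 1 <= condition_id <= 4:
        raise ValueError("condition-id must be 1 to 4")
    if operate not in COMPARE_OPS and operate != "pmatch":
        raise ValueError(f"unknown operate {operate!r}")

    # Field-specific value formats from the value description.
    if field == "DNS.RR.A.Address":
        token = str(ipaddress.IPv4Address(value))  # raises ValueError on non-IPv4 input
    elif field == "MSRPC.Interface":
        if not re.fullmatch(r"[0-9A-Fa-f]{32}", str(value)):
            raise ValueError("MSRPC.Interface takes a 32-character hexadecimal string")
        token = str(value)
    elif operate == "pmatch":
        token = encode_pmatch_value(str(value))
    else:
        if not 0 <= int(value) <= 4294967295:
            raise ValueError("comparison value must be 0 to 4294967295")
        token = str(int(value))

    parts = [f"condition {condition_id} field {field} operate {operate} value {token}"]

    # offset/depth exist only for pmatch on a field other than MSRPC.Interface.
    if (offset is not None or depth is not None) and (operate != "pmatch" or field == "MSRPC.Interface"):
        raise ValueError("offset/depth require operate pmatch on a field other than MSRPC.Interface")
    if offset is not None:
        if offset != "begin" and not 0 <= int(offset) <= 65535:
            raise ValueError("offset must be 0 to 65535 or 'begin'")
        parts.append(f"offset {offset}")
    if depth is not None:
        # Assumption: "number of characters in value-content" is the raw keyword length.
        if not 7 <= int(depth) <= 65535 or int(depth) <= len(str(value)):
            raise ValueError("depth must be 7 to 65535 and greater than the pattern length")
        parts.append(f"depth {depth}")
    if direction is not None:
        if direction not in DIRECTIONS:
            raise ValueError(f"direction must be one of {DIRECTIONS}")
        parts.append(f"direction {direction}")
    if http_method is not None:
        if http_method not in HTTP_METHODS:
            raise ValueError(f"unsupported HTTP method {http_method!r}")
        parts.append(f"qualifier http-method {http_method}")
    return " ".join(parts)


def is_valid_condition(*args, **kwargs) -> bool:
    """True if build_condition accepts the arguments, False if it rejects them."""
    try:
        build_condition(*args, **kwargs)
        return True
    except ValueError:
        return False
```

Calling build_condition("HTTP.Content-Length", "equal", 111, existing_ids={1}) yields the second line of the first example below, with ID 2 filled in automatically; asking for offset or depth on the same comparison condition raises, as does a depth of 10 for the 13-character keyword threat_string.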

Example

# Create user-defined signature rule hello in user-defined signature 1. Configure condition 1 to check that the HTTP.Authorization field contains threat_string, and condition 2 to check that the HTTP.Content-Length field equals 111.

<Huawei> system-view
[Huawei] ips signature-id 1
[Huawei-ips-signature-1] protocol HTTP
[Huawei-ips-signature-1] rule name hello
[Huawei-ips-signature-1-rule-hello] condition 1 field HTTP.Authorization operate pmatch value threat_string
[Huawei-ips-signature-1-rule-hello] condition 2 field HTTP.Content-Length operate equal value 111

# Create user-defined signature rule hello in user-defined signature 2. Configure condition 1 to check that the HTTP.Authorization field contains threat_string, starting the search at offset 1 with a depth of 10. Note that the Parameters section requires depth-value to be greater than the number of characters in value-content; threat_string is 13 characters, so a depth of 10 does not satisfy that requirement as documented, and a larger depth should be used in practice.

<Huawei> system-view
[Huawei] ips signature-id 2
[Huawei-ips-signature-2] protocol HTTP
[Huawei-ips-signature-2] rule name hello
[Huawei-ips-signature-2-rule-hello] condition 1 field HTTP.Authorization operate pmatch value threat_string offset 1 depth 10
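To see how the conditions of rule hello and the offset/depth window behave on traffic, the following Python simulator is an added example, not Huawei's matching engine and not code from the original page. It parses constructed HTTP requests into fields named HTTP.<Header>, following the reference's HTTP.Authorization and HTTP.Content-Length, evaluates pmatch with offset and depth, the four comparison operators, direction and the http-method qualifier as described above, and requires every condition of a rule to hold, which is this example's assumption since the reference does not state how conditions combine. The offset keyword begin is not modelled. The sample requests are constructed, not captured; the second one shows why depth must exceed the pattern length: with offset 1 and depth 10 the 13-byte threat_string cannot fit in the window, whereas depth 20 matches.

```python
from dataclasses import dataclass
from typing import Optional

# Operator and parameter semantics follow this command reference. The parser,
# the packet representation and the AND combination of a rule's conditions are
# this example's own assumptions, not the device's implementation.


@dataclass
class Condition:
    field: str                    # e.g. "HTTP.Authorization"
    operate: str                  # equal | gthan | lthan | noequal | pmatch
    value: str
    offset: int = 0               # pmatch only: first byte searched
    depth: Optional[int] = None   # pmatch only: bytes searched from offset
    direction: str = "both"
    http_method: Optional[str] = None


def parse_http_request(raw: bytes, direction: str = "from-client") -> dict:
    """Split an HTTP/1.x request head into HTTP.<Header-Name> fields.

    Only the request line and headers are parsed; the body is not inspected.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split(b"\r\n")
    method = request_line.split(b" ", 1)[0].decode()
    fields = {}
    for line in header_lines:
        name, _, val = line.partition(b":")
        fields["HTTP." + name.decode().strip()] = val.strip()
    return {"method": method, "direction": direction, "fields": fields}


def evaluate(cond: Condition, packet: dict) -> bool:
    """Apply one condition to one parsed packet."""
    if cond.direction != "both" and cond.direction != packet["direction"]:
        return False
    if cond.http_method is not None and packet["method"] != cond.http_method:
        return False
    data = packet["fields"].get(cond.field)
    if data is None:
        return False
    if cond.operate == "pmatch":
        # offset 1, depth 10 searches bytes 1..10 of the field. A pattern longer
        # than that window can never be found, hence depth > len(value-content).
        end = None if cond.depth is None else cond.offset + cond.depth
        return cond.value.encode() in data[cond.offset:end]
    try:
        actual, expected = int(data), int(cond.value)
    except ValueError:        # non-numeric field content cannot satisfy a comparison
        return False
    return {
        "equal": actual == expected,
        "gthan": actual > expected,
        "lthan": actual < expected,
        "noequal": actual != expected,
    }[cond.operate]


def rule_matches(conditions, packet: dict) -> bool:
    """Assumption: every condition of a rule must hold for the rule to match."""
    return all(evaluate(c, packet) for c in conditions)


# Constructed sample traffic for this example (not a real capture).
REQUEST_A = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
             b"Authorization: Basic threat_string\r\nContent-Length: 111\r\n\r\n")
REQUEST_B = (b"GET /status HTTP/1.1\r\nHost: intranet.example\r\n"
             b"Authorization: Xthreat_string\r\nContent-Length: 0\r\n\r\n")

# Signature 1, rule hello, as configured in the first example above.
RULE_HELLO = [
    Condition("HTTP.Authorization", "pmatch", "threat_string"),
    Condition("HTTP.Content-Length", "equal", "111"),
]
# Signature 2, rule hello (offset 1, depth 10) and the same check with depth 20.
WINDOW_10 = Condition("HTTP.Authorization", "pmatch", "threat_string", offset=1, depth=10)
WINDOW_20 = Condition("HTTP.Authorization", "pmatch", "threat_string", offset=1, depth=20)

if __name__ == "__main__":
    pkt_a = parse_http_request(REQUEST_A)
    pkt_b = parse_http_request(REQUEST_B)
    print("signature 1 rule hello on request A:", rule_matches(RULE_HELLO, pkt_a))  # True
    print("signature 1 rule hello on request B:", rule_matches(RULE_HELLO, pkt_b))  # False
    print("offset 1 depth 10 on request B:", evaluate(WINDOW_10, pkt_b))  # False
    print("offset 1 depth 20 on request B:", evaluate(WINDOW_20, pkt_b))  # True
```

Request B carries threat_string starting at byte 1 of the Authorization value, exactly where offset 1 begins searching, yet depth 10 only exposes the ten bytes threat_str, so the condition fails until the depth is raised above the pattern length.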
Updated: 2019-11-21

Document ID: EDOC1100064352
