System variables
System variables are connection variables whose values are set by the Engine.
$dport
and $offset
. The $dport
variable contains the destination port of the connection/datagram, and it is useful especially in: - “Any Application Protocols” contexts, which receive all traffic (any TCP/UDP port).
- Unknown Application Protocols” contexts, which receive traffic that does not have a dedicated, protocol-specific context (mostly high TCP/UDP ports).
$offset
variable contains the number of bytes that have been matched since the beginning of the traffic stream. The following table lists all system variables. Sequence | Description |
---|---|
$major
|
The major version number of the Engine. |
$minor
|
The minor version number of the Engine. |
$patch
|
The patch level number of the Engine. |
$build
|
The build number of the Engine. |
$dir |
32-bit integer type expression that is evaluated to the current direction of the current fingerprinted data. The expression returns the following values:
Note: The value is relative to direction from which the connection was established. If a connection was detected while it was in progress, the value might not correspond to
the actual client or server direction.
|
$dport
|
The current destination port of the connection. For TCP, |
$icmp_code |
A 32-bit integer type expression that is evaluated to the current ICMP code number of the connection. |
$icmp_type |
A 32-bit integer type expression that is evaluated to the current ICMP type number of the connection. |
$ipproto |
A a 32-bit integer type expression that is evaluated to the current IP-protocol number of the connection. |
$offset
|
The byte that is under inspection when counted from the beginning of the traffic stream. For implementation-specific reasons, the value is increased only after the first byte of a traffic stream (after the first byte, the value is still |
$parse_length@32
|
Number of digits parsed by last |
$sport |
A 32-bit integer type expression that is evaluated to the current source port of the connection. |
Example of system variable use
# This regular expression matches
# if hexadecimal bytes "0x01", "0x02",
# and "0x03" are seen in port 5000
.*\x01\x02\x03(?[$dport==5000 -> sid()])