System variables

System variables are connection variables whose values are set by the Engine.

A regular expression can only read the value of these variables. The two most commonly used variables are $dport and $offset. The $dport variable contains the destination port of the connection/datagram, and it is useful especially in:
  • “Any Application Protocols” contexts, which receive all traffic (any TCP/UDP port).
  • “Unknown Application Protocols” contexts, which receive traffic that does not have a dedicated, protocol-specific context (mostly high TCP/UDP ports).
The $offset variable contains the number of bytes that have been matched since the beginning of the traffic stream. The following table lists all system variables.
Table 1. System variables
Variable
  Description

$major
  The major version number of the Engine.

$minor
  The minor version number of the Engine.

$patch
  The patch level number of the Engine.

$build
  The build number of the Engine.

$dir
  A 32-bit integer type expression that is evaluated to the current direction of the current fingerprinted data. The expression returns the following values:
    • 0 — Client direction
    • 1 — Server direction
  Note: The value is relative to the direction from which the connection was established. If a connection was detected while it was already in progress, the value might not correspond to the actual client or server direction.

$dport
  The current destination port of the connection.
  For TCP, $dport is the destination port of the SYN packet. For UDP, $dport is the destination port of the first UDP packet sent between the two hosts.

$icmp_code
  A 32-bit integer type expression that is evaluated to the current ICMP code number of the connection.

$icmp_type
  A 32-bit integer type expression that is evaluated to the current ICMP type number of the connection.

$ipproto
  A 32-bit integer type expression that is evaluated to the current IP protocol number of the connection.

$offset
  The byte that is under inspection, counted from the beginning of the traffic stream.
  For implementation-specific reasons, the value is increased only after the first byte of a traffic stream (after the first byte, the value is still 0). For this reason, the value of $offset is actually the real offset minus one.

$parse_length@32
  Number of digits parsed by the last parse_dec(), parse_hex(), parse_oct(), or parse_in() expression.

$sport
  A 32-bit integer type expression that is evaluated to the current source port of the connection.

Example of system variable use

# This regular expression matches
# if hexadecimal bytes "0x01", "0x02",
# and "0x03" are seen in port 5000
.*\x01\x02\x03(?[$dport==5000 -> sid()])
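As an added illustration (not part of the original documentation or of the Engine), the following Python model shows how $dport, $dir and the off-by-one $offset described above are derived for a constructed TCP connection, and then emulates the example expression. The names Packet, engine_offset, system_variables and fingerprint are hypothetical; it is my assumption that $dir value 0 means packets sent by the client and that the expression is matched against the client-direction payload.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src_port: int
    dst_port: int
    syn: bool
    payload: bytes


# Constructed sample: a client on port 40000 opens a TCP connection to port 5000
# and later sends the byte sequence the example expression looks for.
SAMPLE_CONNECTION = [
    Packet(40000, 5000, True, b""),                   # SYN: fixes $dport and the client side
    Packet(5000, 40000, False, b"banner\n"),          # server direction
    Packet(40000, 5000, False, b"\x00\x01\x02\x03"),  # client direction, contains the pattern
]


def engine_offset(real_offset):
    """Model the $offset quirk: the counter is not advanced for the first byte,
    so after the first byte the value is still 0, i.e. real offset minus one."""
    return max(real_offset - 1, 0)


def system_variables(packets):
    """Derive $dport and a per-packet $dir the way the table describes: $dport is the
    destination port of the SYN packet, and $dir is 0 for the side that sent the SYN.
    Without a SYN (connection picked up in progress) the first packet seen is assumed
    to be the client, which is exactly the case the $dir note warns may be wrong."""
    first = next((p for p in packets if p.syn), packets[0])
    client_port = first.src_port
    return first.dst_port, [0 if p.src_port == client_port else 1 for p in packets]


def fingerprint(packets, dport_wanted=5000):
    """Emulate `.*\\x01\\x02\\x03(?[$dport==5000 -> sid()])`: join the client-direction
    stream, search for the bytes, and fire only when the $dport condition holds.
    Returns the engine-style $offset of the last matched byte, or None if nothing fires."""
    dport, dirs = system_variables(packets)
    stream = b"".join(p.payload for p, d in zip(packets, dirs) if d == 0)
    match = re.search(rb"\x01\x02\x03", stream)
    if match is None or dport != dport_wanted:
        return None
    return engine_offset(match.end() - 1)
```

Running fingerprint() on a connection captured without its SYN (server banner seen first) returns None, because $dport and the client side are then derived from the wrong packet.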