Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
1166
Chapter 30: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
To specify GTP message types:

Access: Admin/Intrusion Admin

1. On the Create Rule page, select gtp_type in the drop-down list and click Add Option.
   The gtp_type keyword appears.
2. Specify a defined decimal value 0 to 255 for the message type, a defined string, or a comma-separated list of either or both in any combination. See on page 1159 for values and strings recognized by the system.
gtp_info
A GTP message can include multiple information elements, each of which is identified by both a defined numeric value and a defined string. You can use the gtp_info keyword in combination with the gtp_version keyword to start inspection at the beginning of a specified information element and restrict inspection to the specified information element.
You can specify either the defined decimal value or the defined string for an information element. You can specify a single value or string, and you can use multiple gtp_info keywords in a rule to inspect multiple information elements.
When a message includes multiple information elements of the same type, all are inspected for a match. When information elements occur in an invalid order, only the last instance is inspected.
Note that different GTP versions sometimes use different values for the same information element. For example, the cause information element has a value of 1 in GTPv0 and GTPv1, but a value of 2 in GTPv2.
The gtp_info keyword matches different values depending on the version number in the packet. In the example above, the keyword matches the information element value 1 in a GTPv0 or GTPv1 packet and the value 2 in a GTPv2 packet. The keyword does not match a packet when the information element value in the packet is not a known value for the version specified in the packet.
If you specify an integer for the information element, the keyword matches if the message type in the keyword matches the value in the GTP packet, regardless of the version specified in the packet.
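The version-dependent matching described above, modeled as an added example (not Sourcefire or Cisco code): a string argument is translated through a per-version table before comparison, an integer argument is compared as-is, and several gtp_info keywords in one rule must all match. The table holds only the cause element the text gives; the IE_VALUES name, the helper functions, and the packet IE lists are constructed for this illustration.

```python
from typing import Dict, List, Optional, Sequence, Tuple, Union

# (GTP version, defined string) -> defined numeric value.
# Only the element the page documents is included: cause is 1 in
# GTPv0 and GTPv1 but 2 in GTPv2. Other elements would be added the same way.
IE_VALUES: Dict[Tuple[int, str], int] = {
    (0, "cause"): 1,
    (1, "cause"): 1,
    (2, "cause"): 2,
}


def resolve_ie(arg: Union[int, str], version: int) -> Optional[int]:
    """Return the numeric value a gtp_info argument stands for in a packet
    of the given GTP version.

    An integer argument is used unchanged regardless of version. A string is
    looked up per version; None means the string is not a known value for
    that version, which the keyword treats as no match.
    """
    if isinstance(arg, int):
        return arg
    return IE_VALUES.get((version, arg))


def gtp_info_matches(arg: Union[int, str], version: int,
                     packet_ies: Sequence[int]) -> bool:
    """Evaluate a single gtp_info keyword against a packet.

    packet_ies holds the numeric type of every information element in the
    message (constructed input). All elements are inspected, so any
    occurrence of the wanted type is a match.
    """
    wanted = resolve_ie(arg, version)
    if wanted is None:
        return False
    return any(ie == wanted for ie in packet_ies)


def rule_matches(args: List[Union[int, str]], version: int,
                 packet_ies: Sequence[int]) -> bool:
    """A rule with several gtp_info keywords matches only if every one of
    them matches the packet (rule options combine with AND)."""
    return all(gtp_info_matches(a, version, packet_ies) for a in args)
```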