Query about custom rule

hi everyone,

alert http any 49172 -> any any (msg:"IPS-INLINE test"; content:"|00 84 95 C7 00 00 83 00 b7 8f 65 37 06 70 d8 12|"; id:1234567;)


Here I am trying to match the hex values marked in the TCP segment data (in the above screenshot) using a custom rule. Can I expect this to trigger an alert?

Is it HTTP traffic with that source port?
You could also check the flow and http event log if it was properly detected.
We would need more details to tell.

Hi Andreas,

Thanks for the reply. I am replaying a pcap; it has the source port of 49172. Please see the 71st packet in the below screenshot.

regards
Cherish

Can you provide the pcap?

You also have alert http which would match on HTTP but so far I see just TCP and not if it’s HTTP.

output.pcap (92.7 KB) Please see the pcap; there are two flows in it. That's why I was giving the source port.

So matching on packet 71 would require that you start with the segment data, and also the port is the destination and not the source. Also, id is not correct; you need to use sid for the signature id.

This rule for example works on your pcap:

alert http any any -> any 49172 (msg:"IPS-INLINE test"; content:"|83 00 b7 8f 65 37 06 70 d8 12|"; sid:1234567; rev:1;)

{
  "timestamp": "2017-08-23T16:47:35.097638+0200",
  "flow_id": 1423670934313130,
  "pcap_cnt": 76,
  "event_type": "alert",
  "src_ip": "151.101.184.249",
  "src_port": 80,
  "dest_ip": "192.168.40.10",
  "dest_port": 49172,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1234567,
    "rev": 1,
    "signature": "IPS-INLINE test",
    "category": "",
    "severity": 3
  },
  "http": {},
  "app_proto": "http",
  "direction": "to_client",
  "flow": {
    "pkts_toserver": 24,
    "pkts_toclient": 52,
    "bytes_toserver": 9810,
    "bytes_toclient": 32596,
    "start": "2017-08-23T16:47:33.265938+0200",
    "src_ip": "192.168.40.10",
    "dest_ip": "151.101.184.249",
    "src_port": 49172,
    "dest_port": 80
  }
}

Thanks a lot, I didn't match the ports in the right way. id instead of sid was a typo when I created the topic here…

Thanks, Cherish


Hi Andreas,
I am able to generate the alert.

A few ending bytes of the 71st packet + a few beginning bytes of the 72nd packet. I have a reassembly-depth of 1mb; if I use a reassembly depth of 10kb, the detection did not happen. The mode used is ips-inline.

alert http any any -> any 49172 (msg:"IPS-INLINE test"; content:"|76 00 54 76 75 32 01 bf a5 b2 76 26 21 0e 1d 38 ae 7e 3b 35 80 9e 95 6b 72 20 6a 63 00 f5 d5 b8 36 9d 56 9b 78 61 0e aa df c5 35 96 b5 10 8d c4 e5 60 76 d0 7b d2 b6 13 0f c6 93 42 cc 64 90 90 54 33 43 97|"; sid:1234567; rev:1;)

regards
Cherish

Why would you set such a low reassembly depth?

For saving resources in terms of memory, depending on how much memory is available on different platforms!

Could you share what may be a reasonable value for reassembly depth, something neither too low nor too high?

regards
Cherish

This depends a lot on your scenario and use case, but 1mb is already a very low default. I wouldn't go below it.
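To illustrate the two points raised in this thread (the content match that only hits once the bytes at the end of packet 71 and the start of packet 72 are reassembled, and why a too-small reassembly depth makes that match disappear), here is an added example that is not from the thread or from Suricata itself. The function names, the constructed segments and the simplified "only the first N reassembled bytes are inspected" model of reassembly depth are my own assumptions, not Suricata's implementation.

```python
import re

def parse_content(rule: str) -> bytes:
    """Return the bytes of the first content:"..." keyword in a Suricata rule.
    Spans between | | are hex (e.g. |83 00 b7|); everything else is literal."""
    m = re.search(r'content:"([^"]*)"', rule)
    if not m:
        raise ValueError("rule has no content keyword")
    out = bytearray()
    for part in re.split(r'(\|[^|]*\|)', m.group(1)):
        if part.startswith("|") and part.endswith("|"):
            out += bytes.fromhex(part[1:-1])      # hex span -> raw bytes
        else:
            out += part.encode("latin-1")          # literal text as-is
    return bytes(out)

def match_per_segment(segments: list[bytes], pattern: bytes) -> bool:
    """Packet-level view: pattern must sit entirely inside one segment."""
    return any(pattern in seg for seg in segments)

def match_reassembled(segments: list[bytes], pattern: bytes, depth: int) -> bool:
    """Stream-level view (simplified model, assumption): segments are glued
    together in order and only the first `depth` bytes are inspected."""
    stream = b"".join(segments)[:depth]
    return pattern in stream

# Constructed sample: the 10-byte pattern from the corrected rule above is
# split so that 5 bytes end "packet 71" and 5 bytes begin "packet 72".
RULE = ('alert http any any -> any 49172 (msg:"IPS-INLINE test"; '
        'content:"|83 00 b7 8f 65 37 06 70 d8 12|"; sid:1234567; rev:1;)')
PKT71 = b"\x00" * 100 + b"\x83\x00\xb7\x8f\x65"
PKT72 = b"\x37\x06\x70\xd8\x12" + b"\x00" * 50

def demo() -> dict:
    pat = parse_content(RULE)
    return {
        "per_segment": match_per_segment([PKT71, PKT72], pat),     # False
        "reassembled_full": match_reassembled([PKT71, PKT72], pat, 200),  # True
        "reassembled_shallow": match_reassembled([PKT71, PKT72], pat, 104),  # False
    }

if __name__ == "__main__":
    print(demo())
```

The shallow case mirrors the thread: the pattern ends at stream offset 110, so a depth that stops before that offset never exposes the full content to the detection engine.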

thank you for all the responses!