@@ -25399,6 +25671,16 @@ string
file_type.~: list of file type IDs to match
+int finalize_packet.end_pdu = 0: Deregister for finalize packet events on this PDU { 0:max32 }
+
+
+
+
+int finalize_packet.start_pdu = 0: Register to receive finalize packet event starting on this PDU { 0:max32 }
+
+
+
+
string flags.~mask_flags: these flags are don’t cares
@@ -25694,12 +25976,12 @@ bool
high_availability.enable = false: enable high availability
-real high_availability.min_age = 1.0: minimum session life before HA updates { 0.0:100.0 }
+real high_availability.min_age = 1.0: minimum session life in seconds before HA updates { 0.0:100.0 }
-real high_availability.min_sync = 1.0: minimum interval between HA updates { 0.0:100.0 }
+real high_availability.min_sync = 0.1: minimum interval in seconds between HA updates { 0.0:100.0 }
@@ -25809,6 +26091,11 @@ implied http_header.with_trailer: parts of this rule examine HT
+bool http_inspect.accelerated_blocking = false: inspect JavaScript in response messages as soon as possible
+
+
+
+
bool http_inspect.backslash_to_slash = false: replace \ with / when normalizing URIs
@@ -25859,12 +26146,12 @@ string
http_inspect.iis_unicode_map_file: file containing code
-int http_inspect.max_javascript_whitespaces = 200: maximum consecutive whitespaces allowed within the Javascript obfuscated data { 1:65535 }
+int http_inspect.max_javascript_whitespaces = 200: maximum consecutive whitespaces allowed within the JavaScript obfuscated data { 1:65535 }
-bool http_inspect.normalize_javascript = false: normalize javascript in response bodies
+bool http_inspect.normalize_javascript = false: normalize JavaScript in response bodies
@@ -27344,11 +27631,6 @@ implied regex.relative: start search from end of last match ins
-bool reg_test.test_daq_retry = true: test daq packet retry feature
-
-
-
-
enum reject.control: send ICMP unreachable(s) { network|host|port|forward|all }
@@ -27419,6 +27701,26 @@ bool
rewrite.disable_replace = false: disable replace of packet
+string rna.custom_fingerprint_dir: directory to custom fingerprint patterns
+
+
+
+
+string rna.fingerprint_dir: directory to fingerprint patterns
+
+
+
+
+string rna.rna_conf_path: path to RNA configuration
+
+
+
+
+string rna.rna_util_lib_path: path to library for utilities such as fingerprint decoder
+
+
+
+
int rpc.~app: application number { 0:max32 }
@@ -27434,6 +27736,11 @@ string
rpc.~ver: version number or * for any
+bool rt_packet.test_daq_retry = true: test daq packet retry feature
+
+
+
+
enum rule_state.([0-9]+):([0-9]+)[].action = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }
@@ -28444,6 +28751,11 @@ string
soid.~: SO rule ID is unique key, eg <gid>_<sid
+implied so.relative: offset from cursor instead of start of buffer
+
+
+
+
int ssh.max_client_bytes = 19600: number of unanswered bytes before alerting on challenge-response overflow or CRC32 { 0:65535 }
@@ -29819,11 +30131,36 @@ interval
wscale.~range: check if TCP window scale is in given r
+detection.offload_busy: times offload was not available (sum)
+
+
+
+
+detection.offload_failures: fast pattern offload search failures (sum)
+
+
+
+
+detection.offload_fallback: fast pattern offload search fallback attempts (sum)
+
+
+
+
detection.offloads: fast pattern searches that were offloaded (sum)
+detection.offload_suspends: fast pattern search suspends due to offload context chains (sum)
+
+
+
+
+detection.onload_waits: times processing waited for onload to complete (sum)
+
+
+
+
detection.passed: passed packets (sum)
@@ -29959,6 +30296,16 @@ interval
wscale.~range: check if TCP window scale is in given r
+finalize_packet.events: total events seen (sum)
+
+
+
+
+finalize_packet.pdus: total PDUs seen (sum)
+
+
+
+
ftp_data.packets: total packets (sum)
@@ -30009,7 +30356,67 @@ interval
wscale.~range: check if TCP window scale is in given r
-high_availability.packets: total packets (sum)
+high_availability.client_consume_errors: client data consume failure count (sum)
+
+
+
+
+high_availability.daq_imports: states imported via daq (sum)
+
+
+
+
+high_availability.daq_stores: states stored via daq (sum)
+
+
+
+
+high_availability.delete_msgs_consumed: deletion messages consumed (sum)
+
+
+
+
+high_availability.msg_length_mismatch: messages received with an inconsistent total length (sum)
+
+
+
+
+high_availability.msgs_recv: total messages received (sum)
+
+
+
+
+high_availability.msg_version_mismatch: messages received with a version mismatch (sum)
+
+
+
+
+high_availability.truncated_msgs: truncated messages received (sum)
+
+
+
+
+high_availability.unknown_client_idx: messages received with an unknown client index (sum)
+
+
+
+
+high_availability.unknown_key_type: messages received with an unknown flow key type (sum)
+
+
+
+
+high_availability.update_msgs_consumed: update messages fully consumed (sum)
+
+
+
+
+high_availability.update_msgs_recv_no_flow: update messages received without a local flow (sum)
+
+
+
+
+high_availability.update_msgs_recv: update messages received (sum)
@@ -30099,6 +30506,11 @@ interval wscale.~range: check if TCP window scale is in given r
+http_inspect.detained_packets: TCP packets delayed by accelerated blocking (sum)
+
+
+
+
http_inspect.flows: HTTP connections inspected (sum)
@@ -30134,6 +30546,11 @@ interval
wscale.~range: check if TCP window scale is in given r
+http_inspect.partial_inspections: pre-inspections for accelerated blocking (sum)
+
+
+
+
http_inspect.post_requests: POST requests inspected (sum)
@@ -30749,42 +31166,62 @@ interval
wscale.~range: check if TCP window scale is in given r
-reg_test.packets: total packets (sum)
+reputation.blacklisted: number of packets blacklisted (sum)
-reg_test.retry_packets: total retried packets received (sum)
+reputation.memory_allocated: total memory allocated (sum)
-reg_test.retry_requests: total retry packets requested (sum)
+reputation.monitored: number of packets monitored (sum)
-reputation.blacklisted: number of packets blacklisted (sum)
+reputation.packets: total packets processed (sum)
-reputation.memory_allocated: total memory allocated (sum)
+reputation.whitelisted: number of packets whitelisted (sum)
-reputation.monitored: number of packets monitored (sum)
+rna.icmp: count of ICMP packets received (sum)
-reputation.packets: total packets processed (sum)
+rna.ip: count of IP packets received (sum)
-reputation.whitelisted: number of packets whitelisted (sum)
+rna.other_packets: count of packets received without session tracking (sum)
+
+
+
+
+rna.tcp_midstream: count of TCP midstream packets received (sum)
+
+
+
+
+rna.tcp_syn_ack: count of TCP SYN-ACK packets received (sum)
+
+
+
+
+rna.tcp_syn: count of TCP SYN packets received (sum)
+
+
+
+
+rna.udp: count of UDP packets received (sum)
@@ -30804,6 +31241,41 @@ interval wscale.~range: check if TCP window scale is in given r
+rt_packet.packets: total packets (sum)
+
+
+
+
+rt_packet.retry_packets: total retried packets received (sum)
+
+
+
+
+rt_packet.retry_requests: total retry packets requested (sum)
+
+
+
+
+rt_service.flush_requests: total splitter flush requests (sum)
+
+
+
+
+rt_service.hold_requests: total splitter hold requests (sum)
+
+
+
+
+rt_service.packets: total packets (sum)
+
+
+
+
+rt_service.search_requests: total splitter search requests (sum)
+
+
+
+
sd_pattern.below_threshold: sd_pattern matched but missed threshold (sum)
@@ -31529,6 +32001,11 @@ interval
wscale.~range: check if TCP window scale is in given r
+stream_tcp.cur_packets_held: number of packets currently held (now)
+
+
+
+
stream_tcp.data_trackers: tcp session tracking started on data (sum)
@@ -31584,6 +32061,26 @@ interval
wscale.~range: check if TCP window scale is in given r
+stream_tcp.held_packet_limit_exceeded: number of times limit of max held packets exceeded (sum)
+
+
+
+
+stream_tcp.held_packet_rexmits: number of retransmits of held packets (sum)
+
+
+
+
+stream_tcp.held_packets_dropped: number of held packets dropped (sum)
+
+
+
+
+stream_tcp.held_packets_passed: number of held packets passed (sum)
+
+
+
+
stream.tcp_idle_prunes: tcp sessions pruned due to timeout (sum)
@@ -31614,6 +32111,11 @@ interval
wscale.~range: check if TCP window scale is in given r
+stream_tcp.max_packets_held: maximum number of packets held simultaneously (max)
+
+
+
+
stream.tcp_memcap_prunes: tcp sessions pruned due to memcap (sum)
@@ -31629,6 +32131,21 @@ interval
wscale.~range: check if TCP window scale is in given r
+stream_tcp.packets_held: number of packets held (sum)
+
+
+
+
+stream_tcp.partial_flush_bytes: partial flush total bytes (sum)
+
+
+
+
+stream_tcp.partial_flushes: number of partial flushes initiated (sum)
+
+
+
+
stream.tcp_preemptive_prunes: tcp sessions pruned during preemptive pruning (sum)
@@ -35537,6 +36054,11 @@ deleted -> unified2: 'vlan_event_types'
+finalize_packet (inspector): handle the finalize packet event
+
+
+
+
flags (ips_option): rule option to test TCP control flags
@@ -36012,11 +36534,6 @@ deleted -> unified2: 'vlan_event_types'
-reg_test (inspector): The regression test inspector (rti) is used when special packet handling is required for a reg test
-
-
-
-
regex (ips_option): rule option for matching payload data with hyperscan regex
@@ -36052,6 +36569,11 @@ deleted -> unified2: 'vlan_event_types'
+rna (inspector): Real-time network awareness and OS fingerprinting (experimental)
+
+
+
+
rpc (ips_option): rule option to check SUNRPC CALL parameters
@@ -36062,6 +36584,16 @@ deleted -> unified2: 'vlan_event_types'
+rt_packet (inspector): The regression test packet inspector is used when special packet handling is required for a reg test
+
+
+
+
+rt_service (inspector): The regression test service inspector is used by regression tests that require custom service inspector support.
+
+
+
+
rule_state (basic): enable/disable and set actions for specific IPS rules
@@ -36632,6 +37164,11 @@ deleted -> unified2: 'vlan_event_types'
+inspector::finalize_packet: handle the finalize packet event
+
+
+
+
inspector::ftp_client: FTP inspector client module
@@ -36702,12 +37239,12 @@ deleted -> unified2: 'vlan_event_types'
-inspector::reg_test: The regression test inspector (rti) is used when special packet handling is required for a reg test
+inspector::reputation: reputation inspection
-inspector::reputation: reputation inspection
+inspector::rna: Real-time network awareness and OS fingerprinting (experimental)
@@ -36717,6 +37254,16 @@ deleted -> unified2: 'vlan_event_types'
+inspector::rt_packet: The regression test packet inspector is used when special packet handling is required for a reg test
+
+
+
+
+inspector::rt_service: The regression test service inspector is used by regression tests that require custom service inspector support.
+
+
+
+
inspector::sip: sip inspection
@@ -37423,632 +37970,6 @@ deleted -> unified2: 'vlan_event_types'