path: root/doc/userguide/rules/ike-keywords.rst
IKE Keywords
============

The keywords

* ``ike.init_spi``
* ``ike.resp_spi``
* ``ike.chosen_sa_attribute``
* ``ike.exchtype``
* ``ike.vendor``
* ``ike.key_exchange_payload``
* ``ike.key_exchange_payload_length``
* ``ike.nonce_payload``
* ``ike.nonce_payload_length``

can be used for matching on various properties of IKE connections.


ike.init_spi, ike.resp_spi
--------------------------

Match on an exact value of the Security Parameter Index (SPI) for the Initiator or Responder.

Examples::

  ike.init_spi; content:"18fe9b731f9f8034";
  ike.resp_spi; content:"a00b8ef0902bb8ec";

``ike.init_spi`` and ``ike.resp_spi`` are 'sticky buffers'.

``ike.init_spi`` and ``ike.resp_spi`` can be used as ``fast_pattern``.


ike.chosen_sa_attribute
-----------------------

Match on an attribute value of the Security Association (SA) chosen by the Responder. Supported attributes for IKEv1 are:
``alg_enc``,
``alg_hash``,
``alg_auth``,
``alg_dh``,
``alg_prf``,
``sa_group_type``,
``sa_life_type``,
``sa_life_duration``,
``sa_key_length`` and
``sa_field_size``.
IKEv2 supports ``alg_enc``, ``alg_auth``, ``alg_prf`` and ``alg_dh``.

If there is more than one chosen SA, the event ``MultipleServerProposal`` is set. The attributes of the first SA are used for this keyword.


Examples::

    ike.chosen_sa_attribute:alg_hash=2;
    ike.chosen_sa_attribute:sa_key_length=128;


ike.exchtype
------------

Match on the value of the Exchange Type.

This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:

* ``>`` (greater than)
* ``<`` (less than)
* ``>=`` (greater than or equal)
* ``<=`` (less than or equal)
* ``arg1-arg2`` (range)

Examples::

    ike.exchtype:5;
    ike.exchtype:>=2;


ike.vendor
----------

Match a vendor ID against the list of collected vendor IDs.

Examples::

    ike.vendor:4a131c81070358455c5728f20e95452f;

``ike.vendor`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.


ike.key_exchange_payload
------------------------

Match against the public key exchange payload (e.g. Diffie-Hellman) of the server or client.

Examples::

    ike.key_exchange_payload; content:"|6d026d5616c45be05e5b898411e9|";

``ike.key_exchange_payload`` is a 'sticky buffer'.

``ike.key_exchange_payload`` can be used as ``fast_pattern``.


ike.key_exchange_payload_length
-------------------------------

Match against the length of the public key exchange payload (e.g. Diffie-Hellman) of the server or client.

This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:

* ``>`` (greater than)
* ``<`` (less than)
* ``>=`` (greater than or equal)
* ``<=`` (less than or equal)
* ``arg1-arg2`` (range)

Examples::

    ike.key_exchange_payload_length:>132;


ike.nonce_payload
-----------------

Match against the nonce of the server or client.

Examples::

    ike.nonce_payload; content:"|6d026d5616c45be05e5b898411e9|";

``ike.nonce_payload`` is a 'sticky buffer'.

``ike.nonce_payload`` can be used as ``fast_pattern``.


ike.nonce_payload_length
------------------------

Match against the length of the nonce of the server or client.

This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:

* ``>`` (greater than)
* ``<`` (less than)
* ``>=`` (greater than or equal)
* ``<=`` (less than or equal)
* ``arg1-arg2`` (range)

Examples::

    ike.nonce_payload_length:132
    ike.nonce_payload_length:>132
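
The following is an added example, not Suricata's own code, that shows where the values matched by ``ike.init_spi``, ``ike.resp_spi``, ``ike.exchtype``, ``ike.vendor``, ``ike.key_exchange_payload_length`` and ``ike.nonce_payload_length`` come from in an IKE message, and how the numeric argument forms listed above (``N``, ``>N``, ``<N``, ``>=N``, ``<=N``, ``A-B``) are evaluated. It parses a constructed IKEv1 message with a bounds-checked walk over the payload chain and evaluates a dictionary of keyword arguments against it. Assumptions: the ISAKMP header and generic payload header layouts follow RFC 2408; payload type numbers are the IKEv1 ones (Key Exchange 4, Nonce 10, Vendor ID 13; IKEv2 renumbers them and is not handled); SPIs and vendor IDs are compared as lowercase hex text, as the 16- and 32-character values in the examples above suggest; and the ``A-B`` range is taken as exclusive on both ends, as Suricata's generic integer keywords define it. The function and variable names are this example's own.

```python
import re
import struct

# ISAKMP header (RFC 2408 s3.1): 8-byte initiator SPI, 8-byte responder SPI,
# next payload, version, exchange type, flags, message id, total length.
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes
# IKEv1 payload type numbers (RFC 2408). IKEv2 renumbers these; not handled here.
PAYLOAD_KE, PAYLOAD_NONCE, PAYLOAD_VID = 4, 10, 13
EXCH_AGGRESSIVE = 4  # IKEv1 exchange type "Aggressive"


def build_message(init_spi, resp_spi, exchtype, ke, nonce, vendor_ids):
    """Build a constructed IKEv1 message: header, then KE -> Nonce -> Vendor ID payloads."""
    chain = [(PAYLOAD_KE, ke), (PAYLOAD_NONCE, nonce)] + [(PAYLOAD_VID, v) for v in vendor_ids]
    body = b""
    for i, (_ptype, data) in enumerate(chain):
        next_type = chain[i + 1][0] if i + 1 < len(chain) else 0  # 0 terminates the chain
        # Generic payload header: next payload, reserved, length including the 4-byte header.
        body += struct.pack("!BBH", next_type, 0, 4 + len(data)) + data
    header = struct.pack(HEADER_FMT, init_spi, resp_spi, chain[0][0], 0x10,
                         exchtype, 0, 0, HEADER_LEN + len(body))
    return header + body


def parse_message(data):
    """Extract the fields the ike.* keywords expose, with bounds checks on every payload."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    init_spi, resp_spi, ptype, _version, exchtype, _flags, _msg_id, length = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if length != len(data):
        raise ValueError("header length does not match message size")
    fields = {"init_spi": init_spi.hex(), "resp_spi": resp_spi.hex(), "exchtype": exchtype,
              "key_exchange_payload": None, "nonce_payload": None, "vendor_ids": []}
    offset = HEADER_LEN
    while ptype != 0:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError("payload length out of bounds")
        body = data[offset + 4:offset + plen]
        if ptype == PAYLOAD_KE:
            fields["key_exchange_payload"] = body
        elif ptype == PAYLOAD_NONCE:
            fields["nonce_payload"] = body
        elif ptype == PAYLOAD_VID:
            fields["vendor_ids"].append(body.hex())  # every vendor ID is collected
        offset, ptype = offset + plen, next_type
    return fields


_RANGE = re.compile(r"^(\d+)-(\d+)$")


def match_numeric(arg, value):
    """Interpret the numeric forms N, >N, <N, >=N, <=N and A-B (A-B taken as exclusive)."""
    arg = arg.strip()
    m = _RANGE.match(arg)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        return lo < value < hi
    for op, fn in ((">=", lambda v, n: v >= n), ("<=", lambda v, n: v <= n),
                   (">", lambda v, n: v > n), ("<", lambda v, n: v < n)):
        if arg.startswith(op):
            return fn(value, int(arg[len(op):]))
    return value == int(arg)


def rule_matches(data, options):
    """True when every ike.* option (keyword -> argument) matches the message."""
    f = parse_message(data)
    for keyword, arg in options.items():
        if keyword == "ike.init_spi":
            ok = f["init_spi"] == arg.lower()
        elif keyword == "ike.resp_spi":
            ok = f["resp_spi"] == arg.lower()
        elif keyword == "ike.exchtype":
            ok = match_numeric(arg, f["exchtype"])
        elif keyword == "ike.vendor":
            ok = arg.lower() in f["vendor_ids"]  # any collected vendor ID may match
        elif keyword == "ike.key_exchange_payload_length":
            ke = f["key_exchange_payload"]
            ok = ke is not None and match_numeric(arg, len(ke))
        elif keyword == "ike.nonce_payload_length":
            nonce = f["nonce_payload"]
            ok = nonce is not None and match_numeric(arg, len(nonce))
        else:
            raise ValueError(f"keyword not modelled here: {keyword}")
        if not ok:
            return False
    return True


# Constructed sample: SPIs and vendor ID taken from the documentation's examples, a
# 192-byte KE payload that starts with the documented content bytes, a 32-byte nonce.
DEMO_MESSAGE = build_message(
    init_spi=bytes.fromhex("18fe9b731f9f8034"),
    resp_spi=bytes.fromhex("a00b8ef0902bb8ec"),
    exchtype=EXCH_AGGRESSIVE,
    ke=bytes.fromhex("6d026d5616c45be05e5b898411e9") + b"\x00" * 178,
    nonce=bytes(range(32)),
    vendor_ids=[bytes.fromhex("4a131c81070358455c5728f20e95452f"), bytes.fromhex("0123456789abcdef")],
)

if __name__ == "__main__":
    print(rule_matches(DEMO_MESSAGE, {"ike.exchtype": ">=2", "ike.key_exchange_payload_length": ">132",
                                      "ike.vendor": "4a131c81070358455c5728f20e95452f"}))
```

Running the block evaluates the three documented argument forms against the sample message. The bounds checks in ``parse_message`` are the part worth keeping in mind when writing rules: a message whose header length disagrees with its size, or whose payload chain runs past the end, is rejected rather than matched, so a rule on ``ike.nonce_payload_length`` only ever sees lengths from a consistently framed message.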


Additional information
----------------------

More information on the protocol and the data contained in it can be found here:
`<https://tools.ietf.org/html/rfc2409>`_