# tcp dport 22
[
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"op": "==",
"right": 22
}
}
]
# tcp dport != 233
[
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"op": "!=",
"right": 233
}
}
]
# tcp dport 33-45
[
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# tcp dport != 33-45
[
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# tcp dport { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# tcp dport != { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# tcp dport { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# tcp dport != { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# tcp dport {telnet, http, https} accept
[
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
"telnet",
"http",
"https"
]
}
}
},
{
"accept": null
}
]
# tcp dport vmap { 22 : accept, 23 : drop }
[
{
"vmap": {
"key": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"data": {
"set": [
[
22,
{
"accept": null
}
],
[
23,
{
"drop": null
}
]
]
}
}
}
]
# tcp dport vmap { 25:accept, 28:drop }
[
{
"vmap": {
"key": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"data": {
"set": [
[
25,
{
"accept": null
}
],
[
28,
{
"drop": null
}
]
]
}
}
}
]
# tcp dport { 22, 53, 80, 110 }
[
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
22,
53,
80,
110
]
}
}
}
]
# tcp dport != { 22, 53, 80, 110 }
[
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
22,
53,
80,
110
]
}
}
}
]
# tcp sport 22
[
{
"match": {
"left": {
"payload": {
"field": "sport",
"protocol": "tcp"
}
},
"op": "==",
"right": 22
}
}
]
# tcp sport != 233
[
{
"match": {
"left": {
"payload": {
"field": "sport",
"protocol": "tcp"
}
},
"op": "!=",
"right": 233
}
}
]
# tcp sport 33-45
[
{
"match": {
"left": {
"payload": {
"field": "sport",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# tcp sport != 33-45
[
{
"match": {
"left": {
"payload": {
"field": "sport",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# tcp sport { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "sport",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# tcp sport != { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "sport",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# tcp sport { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "sport",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# tcp sport != { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "sport",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# tcp sport vmap { 25:accept, 28:drop }
[
{
"vmap": {
"key": {
"payload": {
"field": "sport",
"protocol": "tcp"
}
},
"data": {
"set": [
[
25,
{
"accept": null
}
],
[
28,
{
"drop": null
}
]
]
}
}
}
]
# tcp sport 8080 drop
[
{
"match": {
"left": {
"payload": {
"field": "sport",
"protocol": "tcp"
}
},
"op": "==",
"right": 8080
}
},
{
"drop": null
}
]
# tcp sport 1024 tcp dport 22
[
{
"match": {
"left": {
"payload": {
"field": "sport",
"protocol": "tcp"
}
},
"op": "==",
"right": 1024
}
},
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"op": "==",
"right": 22
}
}
]
# tcp sport 1024 tcp dport 22 tcp sequence 0
[
{
"match": {
"left": {
"payload": {
"field": "sport",
"protocol": "tcp"
}
},
"op": "==",
"right": 1024
}
},
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"op": "==",
"right": 22
}
},
{
"match": {
"left": {
"payload": {
"field": "sequence",
"protocol": "tcp"
}
},
"op": "==",
"right": 0
}
}
]
# tcp sequence 0 tcp sport 1024 tcp dport 22
[
{
"match": {
"left": {
"payload": {
"field": "sequence",
"protocol": "tcp"
}
},
"op": "==",
"right": 0
}
},
{
"match": {
"left": {
"payload": {
"field": "sport",
"protocol": "tcp"
}
},
"op": "==",
"right": 1024
}
},
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"op": "==",
"right": 22
}
}
]
# tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22
[
{
"match": {
"left": {
"payload": {
"field": "sequence",
"protocol": "tcp"
}
},
"op": "==",
"right": 0
}
},
{
"match": {
"left": {
"payload": {
"field": "sport",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
1024,
1022
]
}
}
},
{
"match": {
"left": {
"payload": {
"field": "dport",
"protocol": "tcp"
}
},
"op": "==",
"right": 22
}
}
]
# tcp sequence 22
[
{
"match": {
"left": {
"payload": {
"field": "sequence",
"protocol": "tcp"
}
},
"op": "==",
"right": 22
}
}
]
# tcp sequence != 233
[
{
"match": {
"left": {
"payload": {
"field": "sequence",
"protocol": "tcp"
}
},
"op": "!=",
"right": 233
}
}
]
# tcp sequence 33-45
[
{
"match": {
"left": {
"payload": {
"field": "sequence",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# tcp sequence != 33-45
[
{
"match": {
"left": {
"payload": {
"field": "sequence",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# tcp sequence { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "sequence",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# tcp sequence != { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "sequence",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# tcp sequence { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "sequence",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# tcp sequence != { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "sequence",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# tcp ackseq 42949672 drop
[
{
"match": {
"left": {
"payload": {
"field": "ackseq",
"protocol": "tcp"
}
},
"op": "==",
"right": 42949672
}
},
{
"drop": null
}
]
# tcp ackseq 22
[
{
"match": {
"left": {
"payload": {
"field": "ackseq",
"protocol": "tcp"
}
},
"op": "==",
"right": 22
}
}
]
# tcp ackseq != 233
[
{
"match": {
"left": {
"payload": {
"field": "ackseq",
"protocol": "tcp"
}
},
"op": "!=",
"right": 233
}
}
]
# tcp ackseq 33-45
[
{
"match": {
"left": {
"payload": {
"field": "ackseq",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# tcp ackseq != 33-45
[
{
"match": {
"left": {
"payload": {
"field": "ackseq",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# tcp ackseq { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "ackseq",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# tcp ackseq != { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "ackseq",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# tcp ackseq { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "ackseq",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# tcp ackseq != { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "ackseq",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop
[
{
"match": {
"left": {
"payload": {
"field": "flags",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
"fin",
"syn",
"rst",
"psh",
"ack",
"urg",
"ecn",
"cwr"
]
}
}
},
{
"drop": null
}
]
# tcp flags != { fin, urg, ecn, cwr} drop
[
{
"match": {
"left": {
"payload": {
"field": "flags",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
"fin",
"urg",
"ecn",
"cwr"
]
}
}
},
{
"drop": null
}
]
# tcp flags cwr
[
{
"match": {
"left": {
"payload": {
"field": "flags",
"protocol": "tcp"
}
},
"op": "in",
"right": "cwr"
}
}
]
# tcp flags != cwr
[
{
"match": {
"left": {
"payload": {
"field": "flags",
"protocol": "tcp"
}
},
"op": "!=",
"right": "cwr"
}
}
]
# tcp flags == syn
[
{
"match": {
"left": {
"payload": {
"field": "flags",
"protocol": "tcp"
}
},
"op": "==",
"right": "syn"
}
}
]
# tcp flags & (syn|fin) == (syn|fin)
[
{
"match": {
"left": {
"&": [
{
"payload": {
"field": "flags",
"protocol": "tcp"
}
},
{
"|": [
"syn",
"fin"
]
}
]
},
"op": "==",
"right": {
"|": [
"syn",
"fin"
]
}
}
}
]
# tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr
[
{
"match": {
"left": {
"&": [
{
"payload": {
"field": "flags",
"protocol": "tcp"
}
},
{
"|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ]
}
]
},
"op": "==",
"right": { "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ] }
}
}
]
# tcp window 22222
[
{
"match": {
"left": {
"payload": {
"field": "window",
"protocol": "tcp"
}
},
"op": "==",
"right": 22222
}
}
]
# tcp window 22
[
{
"match": {
"left": {
"payload": {
"field": "window",
"protocol": "tcp"
}
},
"op": "==",
"right": 22
}
}
]
# tcp window != 233
[
{
"match": {
"left": {
"payload": {
"field": "window",
"protocol": "tcp"
}
},
"op": "!=",
"right": 233
}
}
]
# tcp window 33-45
[
{
"match": {
"left": {
"payload": {
"field": "window",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# tcp window != 33-45
[
{
"match": {
"left": {
"payload": {
"field": "window",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# tcp window { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "window",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# tcp window != { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "window",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# tcp window { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "window",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# tcp window != { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "window",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# tcp checksum 22
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "tcp"
}
},
"op": "==",
"right": 22
}
}
]
# tcp checksum != 233
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "tcp"
}
},
"op": "!=",
"right": 233
}
}
]
# tcp checksum 33-45
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# tcp checksum != 33-45
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# tcp checksum { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# tcp checksum != { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# tcp checksum { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# tcp checksum != { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# tcp urgptr 1234 accept
[
{
"match": {
"left": {
"payload": {
"field": "urgptr",
"protocol": "tcp"
}
},
"op": "==",
"right": 1234
}
},
{
"accept": null
}
]
# tcp urgptr 22
[
{
"match": {
"left": {
"payload": {
"field": "urgptr",
"protocol": "tcp"
}
},
"op": "==",
"right": 22
}
}
]
# tcp urgptr != 233
[
{
"match": {
"left": {
"payload": {
"field": "urgptr",
"protocol": "tcp"
}
},
"op": "!=",
"right": 233
}
}
]
# tcp urgptr 33-45
[
{
"match": {
"left": {
"payload": {
"field": "urgptr",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# tcp urgptr != 33-45
[
{
"match": {
"left": {
"payload": {
"field": "urgptr",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# tcp urgptr { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "urgptr",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# tcp urgptr != { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "urgptr",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# tcp urgptr { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "urgptr",
"protocol": "tcp"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# tcp urgptr != { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "urgptr",
"protocol": "tcp"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# tcp doff 8
[
{
"match": {
"left": {
"payload": {
"field": "doff",
"protocol": "tcp"
}
},
"op": "==",
"right": 8
}
}
]