8.33. IKE Keywords

The keywords

  • ike.init_spi

  • ike.resp_spi

  • ike.chosen_sa_attribute

  • ike.exchtype

  • ike.vendor

  • ike.key_exchange_payload

  • ike.key_exchange_payload_length

  • ike.nonce_payload

  • ike.nonce_payload_length

can be used for matching on various properties of IKE connections.

8.33.1. ike.init_spi, ike.resp_spi

Match on an exact value of the Security Parameter Index (SPI) for the Initiator or Responder.

Examples:

ike.init_spi; content:"18fe9b731f9f8034";
ike.resp_spi; content:"a00b8ef0902bb8ec";

ike.init_spi and ike.resp_spi are 'sticky buffers'.

ike.init_spi and ike.resp_spi can be used as fast_pattern.

8.33.2. ike.chosen_sa_attribute

Match on an attribute value of the Security Association (SA) chosen by the Responder. Supported attributes for IKEv1 are: alg_enc, alg_hash, alg_auth, alg_dh, alg_prf, sa_group_type, sa_life_type, sa_life_duration, sa_key_length and sa_field_size. IKEv2 supports alg_enc, alg_auth, alg_prf and alg_dh.

If there is more than one chosen SA, the event MultipleServerProposal is set. The attributes of the first SA are used for this keyword.

Examples:

ike.chosen_sa_attribute:alg_hash=2;
ike.chosen_sa_attribute:sa_key_length=128;
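The following is an added example, not code from the Suricata documentation or code base. It decodes the data attributes of an IKEv1 SA transform payload (the wire form of the values ike.chosen_sa_attribute names as alg_enc, alg_hash, sa_key_length and so on) and evaluates name=value arguments of the kind shown above against the result. The attribute layout follows RFC 2408 and the type numbers RFC 2409 Appendix A; the mapping from type numbers to the keyword's attribute names and the sample transform bytes are assumptions constructed for this example.

```python
# Added example, not from the Suricata documentation or code base.
# Transform payload layout (RFC 2408 section 3.6): next payload (1) |
# reserved (1) | payload length (2) | transform number (1) | transform ID (1)
# | reserved (2) | attributes.  Each attribute (section 3.3) is either
# Type/Value (high bit of the type set, 2-byte value) or Type/Length/Value
# (high bit clear, 2-byte length, value bytes).  Type numbers for the IKE SA
# are from RFC 2409 Appendix A.
import struct

# attribute type -> name used by ike.chosen_sa_attribute (mapping assumed here)
IKEV1_SA_ATTRIBUTE_NAMES = {
    1: "alg_enc", 2: "alg_hash", 3: "alg_auth", 4: "alg_dh",
    5: "sa_group_type", 11: "sa_life_type", 12: "sa_life_duration",
    13: "alg_prf", 14: "sa_key_length", 15: "sa_field_size",
}


def parse_sa_attributes(data: bytes) -> dict:
    """Return {attribute_name: int_value}; the first occurrence of a type wins."""
    attrs = {}
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        atype, arg = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:                        # Type/Value form
            value = arg
        else:                                     # Type/Length/Value form
            if off + arg > len(data):
                raise ValueError("truncated TLV attribute")
            value = int.from_bytes(data[off:off + arg], "big")
            off += arg
        name = IKEV1_SA_ATTRIBUTE_NAMES.get(atype & 0x7FFF,
                                            f"attr_{atype & 0x7FFF}")
        attrs.setdefault(name, value)
    return attrs


def parse_transform_payload(payload: bytes) -> tuple:
    """Return (transform_id, attributes) from one complete transform payload."""
    if len(payload) < 8:
        raise ValueError("truncated transform payload")
    _next, _res, plen, _num, transform_id, _res2 = struct.unpack_from(
        "!BBHBBH", payload, 0)
    if plen != len(payload):
        raise ValueError("transform payload length mismatch")
    return transform_id, parse_sa_attributes(payload[8:plen])


def chosen_sa_attribute_matches(attrs: dict, spec: str) -> bool:
    """Evaluate an 'ike.chosen_sa_attribute:name=value' argument."""
    name, sep, value = spec.partition("=")
    if not sep or not value.strip().isdigit():
        raise ValueError(f"bad attribute spec: {spec!r}")
    return attrs.get(name.strip()) == int(value)


def build_sample_transform() -> bytes:
    # Constructed sample transform (transform ID 1 = KEY_IKE): AES-CBC (7),
    # SHA (2), pre-shared key authentication (1), DH group 2, 128-bit key,
    # life type seconds (1) and a 28800 second lifetime as a 4-byte TLV.
    attrs = b"".join([
        struct.pack("!HH", 0x8001, 7),
        struct.pack("!HH", 0x8002, 2),
        struct.pack("!HH", 0x8003, 1),
        struct.pack("!HH", 0x8004, 2),
        struct.pack("!HH", 0x800e, 128),
        struct.pack("!HH", 0x800b, 1),
        struct.pack("!HH", 0x000c, 4) + struct.pack("!I", 28800),
    ])
    return struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs


if __name__ == "__main__":
    transform_id, attrs = parse_transform_payload(build_sample_transform())
    print("transform id", transform_id, attrs)
    for spec in ("alg_hash=2", "sa_key_length=128", "alg_enc=5"):
        print(f"ike.chosen_sa_attribute:{spec}; ->",
              chosen_sa_attribute_matches(attrs, spec))
```

The parser keeps the first value seen for each attribute type, mirroring the "first SA wins" behaviour described above, and rejects attribute data that runs past the end of the payload rather than reading beyond it.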

8.33.3. ike.exchtype

Match on the value of the Exchange Type.

ike.exchtype uses an unsigned 8-bit integer.

This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:

  • > (greater than)

  • < (less than)

  • >= (greater than or equal)

  • <= (less than or equal)

  • arg1-arg2 (range)

Examples:

ike.exchtype:5;
ike.exchtype:>=2;
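The following is an added example, not code from the Suricata documentation or code base. It parses the fixed 28-byte ISAKMP/IKE header that ike.init_spi, ike.resp_spi and ike.exchtype are matched against, and evaluates the numeric qualifier syntax listed above (plain value, >, <, >=, <=, range) against the parsed exchange type. The header layout is from RFC 2408 and is shared by IKEv1 and IKEv2; the sample header bytes are constructed from the SPI values shown in the examples above, and treating the arg1-arg2 range as exclusive of both endpoints is an assumption to confirm against the Suricata version in use.

```python
# Added example, not from the Suricata documentation or code base.
# Header layout (RFC 2408 section 3.1, also used by IKEv2):
# init SPI (8) | resp SPI (8) | next payload (1) | version (1) |
# exchange type (1) | flags (1) | message ID (4) | length (4).
import re
import struct
from dataclasses import dataclass


@dataclass
class IkeHeader:
    init_spi: str      # hex string, the form the ike.init_spi example matches on
    resp_spi: str
    next_payload: int
    version: int
    exchtype: int      # unsigned 8-bit, as the ike.exchtype keyword uses it
    flags: int
    message_id: int
    length: int


def parse_ike_header(data: bytes) -> IkeHeader:
    if len(data) < 28:
        raise ValueError("truncated IKE header")
    ispi, rspi, npl, ver, exch, flags, mid, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    return IkeHeader(ispi.hex(), rspi.hex(), npl, ver, exch, flags, mid, length)


# Numeric qualifier syntax as described for ike.exchtype and the *_length
# keywords:  N  >N  <N  >=N  <=N  A-B.  The A-B range is treated here as
# exclusive of both endpoints (assumption; confirm against the Suricata
# version in use).
_NUMERIC_SPEC = re.compile(
    r"^(?:(?P<op>>=|<=|>|<)?(?P<n>\d+)|(?P<lo>\d+)-(?P<hi>\d+))$")


def match_numeric(spec: str, value: int) -> bool:
    m = _NUMERIC_SPEC.match(spec.strip())
    if m is None:
        raise ValueError(f"unsupported numeric spec: {spec!r}")
    if m.group("lo") is not None:
        return int(m.group("lo")) < value < int(m.group("hi"))
    n = int(m.group("n"))
    return {None: value == n, ">": value > n, "<": value < n,
            ">=": value >= n, "<=": value <= n}[m.group("op")]


def spi_content_matches(buffer_hex: str, content: str) -> bool:
    # ike.init_spi / ike.resp_spi are sticky buffers holding the SPI as a hex
    # string, so a plain content match is a substring test on that text.
    return content.lower() in buffer_hex.lower()


def build_sample_header() -> bytes:
    # Constructed sample: SPIs from the examples above, next payload 1 (SA),
    # version 1.0, exchange type 2 (IKEv1 Identity Protection / Main Mode),
    # no flags, message ID 0, length covering only the header.
    return struct.pack("!8s8sBBBBII",
                       bytes.fromhex("18fe9b731f9f8034"),
                       bytes.fromhex("a00b8ef0902bb8ec"),
                       1, 0x10, 2, 0, 0, 28)


if __name__ == "__main__":
    hdr = parse_ike_header(build_sample_header())
    print(hdr)
    # the rule fragments from this section, evaluated against the sample header
    print('ike.init_spi; content:"18fe9b731f9f8034"; ->',
          spi_content_matches(hdr.init_spi, "18fe9b731f9f8034"))
    print("ike.exchtype:5;   ->", match_numeric("5", hdr.exchtype))
    print("ike.exchtype:>=2; ->", match_numeric(">=2", hdr.exchtype))
```

Keeping the SPI as a hex string rather than raw bytes is what makes the content example above (no |..| hex delimiters) work as a plain text match; a rule that wants to match the raw SPI bytes of another buffer would use the |..| form instead.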

8.33.4. ike.vendor

Match a vendor ID against the list of collected vendor IDs.

Examples:

ike.vendor:4a131c81070358455c5728f20e95452f;

ike.vendor supports multiple buffer matching, see Multiple Buffer Matching.

8.33.5. ike.key_exchange_payload

Match against the public key exchange payload (e.g. Diffie-Hellman) of the server or client.

Examples:

ike.key_exchange_payload; content:"|6d026d5616c45be05e5b898411e9|";

ike.key_exchange_payload is a 'sticky buffer'.

ike.key_exchange_payload can be used as fast_pattern.

8.33.6. ike.key_exchange_payload_length

Match against the length of the public key exchange payload (e.g. Diffie-Hellman) of the server or client.

ike.key_exchange_payload_length uses an unsigned 32-bit integer.

This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:

  • > (greater than)

  • < (less than)

  • >= (greater than or equal)

  • <= (less than or equal)

  • arg1-arg2 (range)

Examples:

ike.key_exchange_payload_length:>132;

8.33.7. ike.nonce_payload

Match against the nonce of the server or client.

Examples:

ike.nonce_payload; content:"|6d026d5616c45be05e5b898411e9|";

ike.nonce_payload is a 'sticky buffer'.

ike.nonce_payload can be used as fast_pattern.

8.33.8. ike.nonce_payload_length

Match against the length of the nonce of the server or client.

ike.nonce_payload_length uses an unsigned 32-bit integer.

This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:

  • > (greater than)

  • < (less than)

  • >= (greater than or equal)

  • <= (less than or equal)

  • arg1-arg2 (range)

Examples:

ike.nonce_payload_length:132;
ike.nonce_payload_length:>132;
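The following is an added example, not code from the Suricata documentation or code base, covering the ike.key_exchange_payload, ike.key_exchange_payload_length, ike.nonce_payload, ike.nonce_payload_length and ike.vendor keywords together. It walks the chain of payloads that follows the IKE header to recover the key exchange body, the nonce body and the vendor IDs, and turns a content string with |..| hex segments into the bytes it matches, as in the examples above. Payload layout and type numbers are from RFC 2408; the sample packet is constructed (synthetic key exchange and nonce bytes, plus the vendor ID shown above), and reporting lengths of the payload data after the 4-byte generic header is an assumption, since the section does not state whether the header is counted.

```python
# Added example, not from the Suricata documentation or code base.
# After the 28-byte header each payload starts with a generic header
# (RFC 2408 section 3.2): next payload (1) | reserved (1) | payload length
# including this header (2).  IKEv1 payload types: 4 = KE, 10 = NONCE,
# 13 = VID.  Lengths returned here are of the payload data after that header
# (assumption; the documentation above does not say whether it is counted).
import struct

HEADER_LEN = 28
PAYLOAD_KE, PAYLOAD_NONCE, PAYLOAD_VID = 4, 10, 13


def walk_payloads(packet: bytes):
    """Yield (payload_type, body) for each payload in chain order."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated IKE header")
    ptype = packet[16]          # 'next payload' field of the fixed header
    off = HEADER_LEN
    while ptype != 0:           # 0 = no next payload
        if off + 4 > len(packet):
            raise ValueError("truncated payload header")
        next_type, _reserved, plen = struct.unpack_from("!BBH", packet, off)
        if plen < 4 or off + plen > len(packet):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        yield ptype, packet[off + 4:off + plen]
        off += plen
        ptype = next_type


def extract_ike_buffers(packet: bytes) -> dict:
    """Collect the first KE and NONCE bodies and every vendor ID (as hex)."""
    out = {"key_exchange_payload": None, "nonce_payload": None, "vendor_ids": []}
    for ptype, body in walk_payloads(packet):
        if ptype == PAYLOAD_KE and out["key_exchange_payload"] is None:
            out["key_exchange_payload"] = body
        elif ptype == PAYLOAD_NONCE and out["nonce_payload"] is None:
            out["nonce_payload"] = body
        elif ptype == PAYLOAD_VID:
            out["vendor_ids"].append(body.hex())
    return out


def content_to_bytes(content: str) -> bytes:
    """Turn a content string with |hex| segments into the bytes it matches."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def build_sample_packet() -> bytes:
    # Constructed IKEv1 message: header (next payload = KE) followed by a
    # 128-byte KE body, a 32-byte nonce starting with the bytes from the
    # content example above, and the vendor ID from the ike.vendor example.
    ke = bytes(range(128))
    nonce = bytes.fromhex("6d026d5616c45be05e5b898411e9") + bytes(18)
    vid = bytes.fromhex("4a131c81070358455c5728f20e95452f")
    body = (struct.pack("!BBH", PAYLOAD_NONCE, 0, 4 + len(ke)) + ke
            + struct.pack("!BBH", PAYLOAD_VID, 0, 4 + len(nonce)) + nonce
            + struct.pack("!BBH", 0, 0, 4 + len(vid)) + vid)
    header = struct.pack("!8s8sBBBBII", bytes.fromhex("18fe9b731f9f8034"),
                         bytes(8), PAYLOAD_KE, 0x10, 2, 0, 0,
                         HEADER_LEN + len(body))
    return header + body


if __name__ == "__main__":
    b = extract_ike_buffers(build_sample_packet())
    needle = content_to_bytes("|6d026d5616c45be05e5b898411e9|")
    print("ike.nonce_payload; content:|..|; ->", needle in b["nonce_payload"])
    print("ike.nonce_payload_length ->", len(b["nonce_payload"]))
    print("ike.key_exchange_payload_length ->", len(b["key_exchange_payload"]))
    print("ike.vendor ->", b["vendor_ids"])
```

Every vendor ID is collected rather than only the first, which is the property that lets ike.vendor check a single value against the whole list of collected IDs; a length field that would run past the end of the packet stops the walk with an error instead of reading out of bounds.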

8.33.9. Additional information

More information on the protocol and the data contained in it can be found here: https://tools.ietf.org/html/rfc2409