Cisco FirePOWER Appliance 7115

Sourcefire 3D System User Guide, Version 5.3
Chapter 30: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Optionally, when you select Use Fast Pattern Matcher you can also select Fast Pattern Matcher Only or Fast Pattern Matcher Offset and Length, but not both. You cannot use the fast pattern matcher when inspecting Base64 data; see on page 1208 for more information.
Using the Fast Pattern Matcher Only
The Fast Pattern Matcher Only option allows you to use the content keyword only as a fast pattern matcher option and not as a rule option. You can use this option to conserve resources when rules engine evaluation of the specified content is not necessary. For example, consider a case where a rule requires only that the content 12345 be anywhere in the payload. When the fast pattern matcher detects the pattern, the packet can be evaluated against additional keywords in the rule. There is no need for the rules engine to reevaluate the packet to determine if it includes the pattern 12345.
You would not use this option when the rule contains other conditions relative to the specified content. For example, you would not use this option to search for the content 1234 if another rule condition sought to determine if abcd occurs before 1234. In this case, the rules engine could not determine the relative location, because specifying Fast Pattern Matcher Only instructs the rules engine not to search for the specified content.
Note the following conditions when using this option:
• The specified content is location-independent; that is, it may occur anywhere in the payload. You therefore cannot use positional options (Distance, Within, Offset, Depth, or Fast Pattern Matcher Offset and Length).
• You cannot use this option in combination with Not.
• You cannot use this option in combination with Fast Pattern Matcher Offset and Length.
• The specified content is treated as case-insensitive, because all patterns are inserted into the fast pattern matcher in a case-insensitive manner. This is handled automatically, so it is not necessary to select Case Insensitive when you select this option.
• You should not immediately follow a content keyword that uses the Fast Pattern Matcher Only option with the following keywords, which set the search location relative to the current search location:
  isdataat
  pcre
  content when Distance or Within is selected
  content when HTTP URI is selected
  asn1
  byte_jump
  byte_test