Cisco Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
1107
Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Chapter 30
• byte_extract
• base64_decode
Specifying Fast Pattern Matcher Offset and Length
The Fast Pattern Matcher Offset and Length option allows you to specify a portion of
the content to search. This can reduce memory consumption in cases where the
pattern is very long and only a portion of the pattern is sufficient to identify the
rule as a likely match. When a rule is selected by the fast pattern matcher, the
entire pattern is evaluated against the rule.
You determine the portion for the fast pattern matcher to use by specifying in
bytes where to begin the search (offset) and how far into the content (length) to
search, using the syntax:
offset,length
For example, for the content:
1234567
if you specify the number of offset and length bytes as:
1,5
the fast pattern matcher searches only for the content 23456.
Note that you cannot use this option together with Fast Pattern Matcher Only.
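The following Python function is an added example, not code from this guide or from the Sourcefire product. It computes which bytes of a content pattern an offset,length value selects. It generalizes the 1234567 example to content that uses the |..| hex-byte notation, where counting characters of the rule text instead of decoded bytes gives the wrong portion. The function names are hypothetical, and rejecting a zero length or a range that runs past the end of the content is an assumption of this example.

```python
import re

def decode_content(pattern: str) -> bytes:
    """Decode rule content text to raw bytes; text between | | is hex bytes.
    Assumption of this example: escaped characters are not handled."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content")
    out = bytearray()
    for i, part in enumerate(parts):
        # Odd-numbered pieces sit between a pair of | and hold hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def fast_pattern_portion(content: str, spec: str, fp_only: bool = False) -> bytes:
    """Return the bytes the fast pattern matcher would search for."""
    if fp_only:
        # The two options are mutually exclusive.
        raise ValueError("offset,length cannot be used with Fast Pattern Matcher Only")
    m = re.fullmatch(r"\s*(\d+)\s*,\s*(\d+)\s*", spec)
    if not m:
        raise ValueError("expected offset,length")
    offset, length = int(m.group(1)), int(m.group(2))
    data = decode_content(content)
    # Assumption: a usable portion is non-empty and lies inside the content.
    if length == 0 or offset + length > len(data):
        raise ValueError(
            f"offset {offset} + length {length} does not fit {len(data)}-byte content")
    return data[offset:offset + length]

if __name__ == "__main__":
    # The example from the text: content 1234567 with 1,5.
    print(fast_pattern_portion("1234567", "1,5"))
    # Constructed sample content with hex bytes: offsets count decoded bytes.
    print(fast_pattern_portion("GET|20|/admin|0d 0a|", "4,6"))
```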
To specify the content searched for by the fast pattern matcher:
ACCESS: Admin/Intrusion Admin
1. Select Use Fast Pattern Matcher for the content keyword you are adding.
2. Optionally, select Fast Pattern Matcher Only to determine without rules engine
evaluation if the specified pattern exists in the packet.
Evaluation will proceed only if the fast pattern matcher detects the specified
content.
3. Optionally, specify in Fast Pattern Matcher Offset and Length a portion of the
pattern to search for the content using the syntax:
offset,length
where offset specifies how many bytes from the beginning of the content
to begin the search, and length specifies the number of bytes to continue.
4. Continue with creating or editing the rule. See
on page 1214 for more
information.