Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
1108
Chapter 30: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Replacing Content in Inline Deployments
LICENSE: Protection
You can use the replace keyword in an inline deployment to replace specified content.
IMPORTANT! You cannot use the replace keyword to replace content in SSL traffic detected by the Sourcefire SSL Appliance. The original encrypted data, not the replacement data, will be transmitted. See the Sourcefire SSL Appliance Administration and Deployment Guide for more information.
To use the replace keyword, construct a custom standard text rule that uses the content keyword to look for a specific string. Then use the replace keyword to specify a string to replace the content. The replace value and content value must be the same length.
Optionally, you can enclose the replacement string in quotation marks for backward compatibility with previous Sourcefire 3D System software versions. If you do not include quotation marks, they are added to the rule automatically so the rule is syntactically correct. To include a leading or trailing quotation mark as part of the replacement text, you must use a backslash to escape it, as shown in the following example:
"replacement text plus \"quotation\" marks""
A rule can contain multiple replace keywords, but only one per content keyword. Only the first instance of the content found by the rule is replaced.
The following examples explain uses of the replace keyword:
• If the system detects an incoming packet that contains an exploit, you can replace the malicious string with a harmless one. Sometimes this technique is more successful than simply dropping the offending packet. In some attack scenarios, the attacker simply resends the dropped packet until it bypasses your network defenses or floods your network. By substituting one string for another rather than dropping the packet, you may trick the attacker into believing that the attack was launched against a target that was not vulnerable.
• If you are concerned about reconnaissance attacks that try to learn whether you are running a vulnerable version of, for example, a web server, then you can detect the outgoing packet and replace the banner with your own text.
IMPORTANT! Make sure that you set the rule state to Generate Events in the inline intrusion policy where you want to use the replace rule; setting the rule to Drop and Generate Events would cause the packet to drop, which would prevent replacing the content.
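As an added example (not code from the Cisco guide or the Sourcefire product), the following Python helper builds a standard text rule with content/replace pairs, enforcing the same-length constraint and the quoting rule described above, and models the first-instance-only, in-place replacement on a constructed outgoing server banner (the second use case in the list). The rule header values, the function names and the sample banner are assumptions.

```python
"""Helper for Snort-style text rules that use the replace keyword.
Hypothetical code, not part of the Sourcefire 3D System."""


def quote_replacement(text: str) -> str:
    """Wrap the replacement in quotes, escaping any embedded quote with
    a backslash as the rule syntax requires."""
    return '"' + text.replace('"', '\\"') + '"'


def build_replace_rule(sid, msg, pairs, proto="tcp", src="$HOME_NET",
                       sport="80", dst="$EXTERNAL_NET", dport="any"):
    """Build an alert rule with one content/replace pair per element of
    pairs. Each replacement must be exactly as long as its content, and
    each content keyword gets at most one replace keyword."""
    opts = [f'msg:"{msg}"']
    for content, replacement in pairs:
        if len(content) != len(replacement):
            raise ValueError(f"replace {replacement!r} must match the length "
                             f"of content {content!r}")
        opts.append(f'content:"{content}"')
        opts.append("replace:" + quote_replacement(replacement))
    opts += [f"sid:{sid}", "rev:1"]
    return f"alert {proto} {src} {sport} -> {dst} {dport} ({'; '.join(opts)};)"


def simulate_replace(payload: bytes, pairs) -> bytes:
    """Model of what the inline sensor does with a matching packet: only the
    first instance of each content string is overwritten in place, so the
    packet length (and TCP sequence numbering) stays unchanged."""
    for content, replacement in pairs:
        idx = payload.find(content.encode())
        if idx != -1:
            payload = (payload[:idx] + replacement.encode()
                       + payload[idx + len(content):])
    return payload


# Constructed sample: an outgoing HTTP response leaking the server version,
# with the version string appearing twice to show first-instance-only behaviour.
SAMPLE_BANNER = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Unix)\r\n"
                 b"X-Note: Apache/2.2.3 again\r\n\r\n")
BANNER_PAIRS = [("Apache/2.2.3", "Apache/x.x.x")]

if __name__ == "__main__":
    print(build_replace_rule(1000001, "Web server banner masked", BANNER_PAIRS))
    print(simulate_replace(SAMPLE_BANNER, BANNER_PAIRS))
```

The simulation only models the documented behaviour (same length, first instance only); the real sensor performs the overwrite on the wire, and the rule must be set to Generate Events for the replacement to take place.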