Cisco FirePOWER Appliance 7115
Sourcefire 3D System User Guide, Version 5.3
Chapter 30: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Replacing Content in Inline Deployments
LICENSE: Protection
You can use the replace keyword in an inline deployment to replace specified content.

IMPORTANT! You cannot use the replace keyword to replace content in SSL traffic detected by the Sourcefire SSL Appliance. The original encrypted data, not the replacement data, will be transmitted. See the Sourcefire SSL Appliance Administration and Deployment Guide for more information.

To use the replace keyword, construct a custom standard text rule that uses the content keyword to look for a specific string. Then use the replace keyword to specify a string to replace the content. The replace value and content value must be the same length.
Optionally, you can enclose the replacement string in quotation marks for backward compatibility with previous Sourcefire 3D System software versions. If you do not include quotation marks, they are added to the rule automatically so the rule is syntactically correct. To include a leading or trailing quotation mark as part of the replacement text, you must use a backslash to escape it, as shown in the following example:

"replacement text plus \"quotation\" marks"
A rule can contain multiple replace keywords, but only one per content keyword. Only the first instance of the content found by the rule is replaced.
The following examples explain uses of the replace keyword:

• If the system detects an incoming packet that contains an exploit, you can replace the malicious string with a harmless one. Sometimes this technique is more successful than simply dropping the offending packet. In some attack scenarios, the attacker simply resends the dropped packet until it bypasses your network defenses or floods your network. By substituting one string for another rather than dropping the packet, you may trick the attacker into believing that the attack was launched against a target that was not vulnerable.

• If you are concerned about reconnaissance attacks that try to learn whether you are running a vulnerable version of, for example, a web server, then you can detect the outgoing packet and replace the banner with your own text.
IMPORTANT! Make sure that you set the rule state to Generate Events in the inline intrusion policy where you want to use the replace rule; setting the rule to Drop and Generate Events would cause the packet to drop, which would prevent replacing the content.
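The banner-rewrite case above, worked through as an added example that is not part of the guide: the helper names, the rule header ($HOME_NET on port 80 to $EXTERNAL_NET) and the sample HTTP response are assumptions constructed here. The code checks the equal-length requirement, quotes and backslash-escapes the replace value as the guide's example shows, and simulates the inline rewrite, which touches only the first match of the content.

```python
"""Build and sanity-check a Sourcefire/Snort-style content/replace rule.

Assumed example: function names, the rule header and SAMPLE_BANNER are
constructed for illustration and are not taken from the guide.
"""

# Assumed header: an outbound web response from the protected network.
DEFAULT_HEADER = "alert tcp $HOME_NET 80 -> $EXTERNAL_NET any"


def format_replace_value(text: str) -> str:
    """Quote the replace argument, escaping quotation marks with a backslash."""
    return '"' + text.replace('"', '\\"') + '"'


def build_replace_rule(sid: int, content: str, replacement: str,
                       header: str = DEFAULT_HEADER) -> str:
    """Return a rule that rewrites `content` to `replacement` inline.

    The guide requires both values to be the same length, so a mismatch is
    rejected here instead of producing a rule the sensor cannot apply.
    """
    if len(content) != len(replacement):
        raise ValueError(f"replace value must be {len(content)} characters "
                         f"long, got {len(replacement)}")
    return (f'{header} (msg:"banner rewrite"; content:"{content}"; '
            f'replace:{format_replace_value(replacement)}; sid:{sid}; rev:1;)')


def apply_replace(payload: bytes, content: bytes, replacement: bytes) -> bytes:
    """Simulate the inline rewrite: first match only, packet length unchanged."""
    if len(content) != len(replacement):
        raise ValueError("content and replacement must be the same length")
    idx = payload.find(content)
    if idx < 0:
        return payload
    return payload[:idx] + replacement + payload[idx + len(content):]


# Constructed sample: a server response that leaks its version twice.
SAMPLE_BANNER = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\n\r\n"
                 b"<p>Powered by Apache/2.2.3</p>")


def demo():
    """Build the rule and show the rewritten response for SAMPLE_BANNER."""
    rule = build_replace_rule(1000001, "Apache/2.2.3", "Apache/x.x.x")
    rewritten = apply_replace(SAMPLE_BANNER, b"Apache/2.2.3", b"Apache/x.x.x")
    return rule, rewritten


if __name__ == "__main__":
    rule_text, output = demo()
    print(rule_text)
    print(output.decode())
```

The second "Apache/2.2.3" in the body survives, matching the guide's statement that only the first instance of the content is replaced.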