FireSIGHT System User Guide (Cisco Firepower Management Center 4000), page 32-92
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
The content and pcre keywords in the second rule match the GIF file download, flowbits:set,http.gif sets the http.gif flowbit state, and flowbits:noalert stops the rule from generating an event. Note that the http.jpeg state set by the first rule fragment is still set even though it is no longer needed; this is because the JPEG download must have ended if a subsequent GIF download has been detected.
The third rule fragment is a companion to the first rule fragment:
(msg:"JPEG exploit"; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/";)
The following diagram illustrates the effect of the flowbits keyword in the preceding rule fragment:
In the third rule fragment, flowbits:isset,http.jpeg determines that the now-irrelevant http.jpeg state is set, and content and pcre match content that would be malicious in a JPEG file but not in a GIF file. Because the stale http.jpeg flowbit is still set when the GIF data arrives, the third rule fragment results in a false positive event for a nonexistent exploit in a JPEG file.
flowbits Example for Preventing False Positives
The following example illustrates how including state names in a group and using the setx operator can prevent false positives.
Consider the same case as the previous example, except that the first two rules now include their two different state names in the same state group.
(msg:"JPEG transfer"; content:"image/"; pcre:"/^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2fp?jpe?g/smi"; flowbits:setx,http.jpeg,image_downloads; flowbits:noalert;)
The following diagram illustrates the effect of the flowbits keyword in the preceding rule fragment:
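The false positive described for the third rule fragment, and the way the setx operator with a state group removes it, can be reproduced with a small model of the flowbits state machine. The following Python is an added example, not code from this guide or from Snort/FireSIGHT: it keeps the per-flow set of flowbit states, applies set, setx, isset and noalert in the way the text describes (setx is assumed to set the named state and clear every other state declared in the same group, which is the Snort semantic the example relies on), and runs the three rule fragments over a constructed HTTP flow in which a JPEG response is followed by a GIF response. The pcre for the JPEG rule and the exploit rule are the ones printed on the page; the GIF rule's pcre, the rule message "GIF transfer", and the sample packets are assumptions made for the example.

```python
import re

# Constructed simulation of Snort flowbits semantics (set / setx / isset / noalert).
# Not Snort or FireSIGHT code: a small model that shows why the `set` version of
# the JPEG/GIF rules raises a false positive and why `setx` with a state group does not.

def pcre(pattern, flags=""):
    """Translate a Snort pcre:"/.../smi" body into a compiled bytes regex.
    Only the s, m and i modifiers used in these rule fragments are handled."""
    f = 0
    if "s" in flags:
        f |= re.S
    if "m" in flags:
        f |= re.M
    if "i" in flags:
        f |= re.I
    return re.compile(pattern, f)

# pcre bodies from the rule fragments; the GIF one is an assumed companion
# to the JPEG rule (the guide describes it but does not print it).
CT_JPEG = pcre(rb"^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2fp?jpe?g", "smi")
CT_GIF = pcre(rb"^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2fgif", "smi")
JPEG_APP_MARKER = pcre(rb"\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]")

def build_rules(use_setx):
    """Return the three rule fragments as dicts. 'flowbits' is a list of
    (operator, state, group_or_None) tuples in rule-option order."""
    group = "image_downloads" if use_setx else None
    op = "setx" if use_setx else "set"
    return [
        {"msg": "JPEG transfer", "content": b"image/", "pcre": CT_JPEG,
         "flowbits": [(op, "http.jpeg", group)], "noalert": True},
        {"msg": "GIF transfer", "content": b"image/", "pcre": CT_GIF,
         "flowbits": [(op, "http.gif", group)], "noalert": True},
        {"msg": "JPEG exploit", "content": b"\xff", "pcre": JPEG_APP_MARKER,
         "flowbits": [("isset", "http.jpeg", None)], "noalert": False},
    ]

def group_members(rules):
    """Group membership is learned from the whole rule set at load time:
    collect every state name declared with setx in each group."""
    groups = {}
    for r in rules:
        for op, state, group in r["flowbits"]:
            if op == "setx":
                groups.setdefault(group, set()).add(state)
    return groups

def evaluate(rules, packets):
    """Run every packet of one flow through every rule, in order, and return
    the list of alert messages generated for that flow."""
    groups = group_members(rules)
    bits = set()   # flowbit states currently set on this flow
    alerts = []
    for pkt in packets:
        for r in rules:
            if r["content"] not in pkt or not r["pcre"].search(pkt):
                continue
            # every isset check must pass before any set/setx takes effect
            if any(op == "isset" and state not in bits
                   for op, state, _ in r["flowbits"]):
                continue
            for op, state, group in r["flowbits"]:
                if op == "set":
                    bits.add(state)
                elif op == "setx":
                    # assumed setx semantic: set this state, clear the rest of its group
                    bits -= groups[group] - {state}
                    bits.add(state)
            if not r["noalert"]:
                alerts.append(r["msg"])
    return alerts

# Constructed traffic for one keep-alive HTTP flow: a JPEG response header, then a
# GIF response header, then a chunk of GIF body that happens to contain FF E1 00 00,
# which is an APP1 marker in a JPEG but is only pixel data in a GIF.
FLOW = [
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n",
    b"GIF89a\x10\x00\x10\x00\xff\xe1\x00\x00\x2c\x00\x00",
]

def alerts_with_set():
    """Rules using flowbits:set, as in the first example on this page."""
    return evaluate(build_rules(use_setx=False), FLOW)

def alerts_with_setx():
    """Rules using flowbits:setx with the image_downloads group."""
    return evaluate(build_rules(use_setx=True), FLOW)

if __name__ == "__main__":
    print("set  :", alerts_with_set())    # ['JPEG exploit'] (false positive)
    print("setx :", alerts_with_setx())   # []
```

With set, the stale http.jpeg state survives the GIF response, so the exploit rule fires on GIF body bytes. With setx, setting http.gif clears http.jpeg because both names belong to the image_downloads group, and the isset check in the exploit rule fails as intended.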