Cisco Cisco Firepower Management Center 4000

Admin/Intrusion Admin

On the Create Rule page, select 

 from the drop-down list and click 

The 

file_data

 keyword appears.

The 

file_data

 keyword has no arguments.

Protection

The 

pkt_data

 keyword provides a pointer that serves as a reference for the positional arguments 

available for other keywords such as 

content

, 

byte_jump

, 

byte_test

, and 

pcre

.

When normalized FTP, telnet, or SMTP traffic is detected, the 

pkt_data

 keyword points to the beginning 

of the normalized packet payload. When other traffic is detected, the 

pkt_data

 keyword points to the 

beginning of the raw TCP or UDP payload.

The following normalization options must be enabled for the system to normalize the corresponding 
traffic for inspection by intrusion rules:

To normalize FTP traffic for inspection, you must enable the FTP and Telnet preprocessor 

 option; see 

To normalize telnet traffic for inspection, you must enable the FTP & Telnet preprocessor 

 

telnet option; see 

.

To normalize SMTP traffic for inspection, you must enable the SMTP preprocessor 

 option; 

see 

.

You can use multiple 

pkt_data

 keywords in a rule.

Admin/Intrusion Admin

On the Create Rule page, select 

 from the drop-down list and click 

The 

pkt_data

 keyword appears.

The 

pkt_data

 keyword has no arguments.

Protection

You can use the 

base64_decode

 and 

base64_data

 keywords in combination to instruct the rules engine 

to decode and inspect specified data as Base64 data. This can be useful, for example, for inspecting 
Base64-encoded HTTP Authentication request headers and Base64-encoded data in HTTP PUT and 
POST requests.