Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 32-96
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
To point to the beginning of a specific payload type:
Access: Admin/Intrusion Admin
Step 1 On the Create Rule page, select file_data from the drop-down list and click Add Option.
The file_data keyword appears. The file_data keyword has no arguments.
Pointing to the Beginning of the Packet Payload
License: Protection
The pkt_data keyword provides a pointer that serves as a reference for the positional arguments available for other keywords such as content, byte_jump, byte_test, and pcre.
When normalized FTP, telnet, or SMTP traffic is detected, the pkt_data keyword points to the beginning of the normalized packet payload. When other traffic is detected, the pkt_data keyword points to the beginning of the raw TCP or UDP payload.
The following normalization options must be enabled for the system to normalize the corresponding traffic for inspection by intrusion rules:
• To normalize FTP traffic for inspection, you must enable the FTP and Telnet preprocessor Detect Telnet Escape codes within FTP commands option; see.
• To normalize telnet traffic for inspection, you must enable the FTP & Telnet preprocessor Normalize telnet option; see.
• To normalize SMTP traffic for inspection, you must enable the SMTP preprocessor Normalize option.
You can use multiple pkt_data keywords in a rule.
To point to the beginning of the packet payload:
Access: Admin/Intrusion Admin
Step 1 On the Create Rule page, select pkt_data from the drop-down list and click Add Option.
The pkt_data keyword appears. The pkt_data keyword has no arguments.
Decoding and Inspecting Base64 Data
License: Protection
You can use the base64_decode and base64_data keywords in combination to instruct the rules engine to decode and inspect specified data as Base64 data. This can be useful, for example, for inspecting Base64-encoded HTTP Authentication request headers and Base64-encoded data in HTTP PUT and POST requests.
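The following is an added example, not code from the FireSIGHT guide or from the Snort rules engine. It is a toy model of the detection cursor that the pkt_data section and the Base64 section above both describe: pkt_data resets the cursor to the start of the normalized payload (or the raw payload when nothing normalized the traffic), content moves the cursor as it matches, base64_decode decodes from the cursor, and base64_data switches inspection to the decoded bytes. The Inspector class, its method argument names, the simplified telnet-escape stripping in normalize_ftp, and the sample HTTP request and FTP command are all assumptions constructed for illustration.

```python
# Added example (not from the FireSIGHT guide): a toy model of the detection
# cursor moved by content, pkt_data, base64_decode and base64_data.
# The class, argument names and the FTP normalizer are assumed simplifications.
import base64
import binascii
import re
from typing import Optional


def normalize_ftp(raw: bytes) -> bytes:
    """Assumed subset of FTP/telnet normalization: strip telnet IAC escapes.
    IAC IAC is a literal 0xff byte; IAC WILL/WONT/DO/DONT carries one option
    byte; any other IAC command is two bytes long."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == 0xFF and i + 1 < len(raw):
            cmd = raw[i + 1]
            if cmd == 0xFF:
                out.append(0xFF)
                i += 2
            elif 0xFB <= cmd <= 0xFE:
                i += 3
            else:
                i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


class Inspector:
    """Holds the buffer currently being inspected and the detection cursor."""

    def __init__(self, raw: bytes, normalized: Optional[bytes] = None):
        self.raw = raw
        self.normalized = normalized  # None when no preprocessor normalized the traffic
        self.decoded: Optional[bytes] = None
        self.pkt_data()

    def pkt_data(self) -> bool:
        # Point at the normalized payload if there is one, else the raw payload.
        self.buf = self.normalized if self.normalized is not None else self.raw
        self.cursor = 0
        return True

    def content(self, pattern: bytes, offset: int = 0,
                depth: Optional[int] = None, relative: bool = False) -> bool:
        # offset/depth are taken from the cursor when relative, else from buffer start.
        start = (self.cursor if relative else 0) + offset
        end = len(self.buf) if depth is None else start + depth
        idx = self.buf.find(pattern, start, end)  # whole pattern must fit in [start, end)
        if idx < 0:
            return False
        self.cursor = idx + len(pattern)
        return True

    def base64_decode(self, nbytes: Optional[int] = None, offset: int = 0,
                      relative: bool = False) -> bool:
        start = (self.cursor if relative else 0) + offset
        chunk = self.buf[start:start + nbytes] if nbytes else self.buf[start:]
        m = re.match(rb"[A-Za-z0-9+/=]+", chunk)  # decode up to the first non-Base64 byte
        if not m:
            return False
        try:
            self.decoded = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            return False
        return True

    def base64_data(self) -> bool:
        # Switch inspection to the decoded bytes; cursor restarts at their beginning.
        if self.decoded is None:
            return False
        self.buf = self.decoded
        self.cursor = 0
        return True


def basic_auth_put_rule(request: bytes, username: bytes) -> bool:
    """Models the option sequence: content:"Authorization: Basic ";
    base64_decode:relative; base64_data; content:"<user>:"; pkt_data;
    content:"PUT "; offset:0; depth:4;  (pkt_data returns to the packet payload)."""
    i = Inspector(request)
    return (i.content(b"Authorization: Basic ")
            and i.base64_decode(relative=True)
            and i.base64_data()
            and i.content(username + b":", offset=0, depth=len(username) + 1)
            and i.pkt_data()
            and i.content(b"PUT ", offset=0, depth=4))


def ftp_user_rule(raw: bytes, normalized: bool) -> bool:
    """Models: pkt_data; content:"USER "; offset:0; depth:5; with and without
    the FTP traffic having been normalized by the preprocessor."""
    i = Inspector(raw, normalize_ftp(raw) if normalized else None)
    return i.pkt_data() and i.content(b"USER ", offset=0, depth=5)


# Constructed sample traffic (not captured data).
SAMPLE_REQUEST = (b"PUT /upload HTTP/1.1\r\nHost: example.test\r\n"
                  b"Authorization: Basic " + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n")
SAMPLE_FTP = b"\xff\xfd\x01USER anonymous\r\n"  # IAC DO ECHO, then the FTP command

if __name__ == "__main__":
    print(basic_auth_put_rule(SAMPLE_REQUEST, b"admin"))  # True
    print(ftp_user_rule(SAMPLE_FTP, normalized=True))     # True
    print(ftp_user_rule(SAMPLE_FTP, normalized=False))    # False: escape bytes sit at offset 0
```

The FTP case shows why the normalization options listed above matter: with the telnet escape left in the raw payload, a content match anchored at offset 0 from pkt_data fails, and it only succeeds once pkt_data points at the normalized payload. The HTTP case shows the decoded buffer being inspected and then pkt_data bringing the cursor back to the packet so the request method can be checked in the same rule.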