FireSIGHT System User Guide
Chapter 32      Understanding and Writing Intrusion Rules
  Understanding Keywords and Arguments in Rules
Step 2      Continue with creating or editing the rule. See  for more information.
 
HTTP Content Options
License: Protection
HTTP content keyword options let you specify where to search for content matches within an HTTP message decoded by the HTTP Inspect preprocessor.
Two options search status fields in HTTP responses:
  • HTTP Status Code
  • HTTP Status Message
Note that although the rules engine searches the raw, unnormalized status fields, these options are listed separately here to simplify the explanation, below, of the restrictions to consider when combining other raw HTTP fields with normalized HTTP fields.
Five options search normalized fields in HTTP requests, responses, or both, as appropriate (see  for more information):
  • HTTP URI
  • HTTP Method
  • HTTP Header
  • HTTP Cookie
  • HTTP Client Body
Three options search raw (unnormalized) non-status fields in HTTP requests, responses, or both, as appropriate (see  for more information):
  • HTTP Raw URI
  • HTTP Raw Header
  • HTTP Raw Cookie
Use the following guidelines when selecting HTTP content options:
  • HTTP content options apply only to TCP traffic.
  • To avoid a negative impact on performance, select only those parts of the message where the specified content might appear.
For example, when traffic is likely to include large cookies, such as those in shopping cart messages, you might search for the specified content in the HTTP header but not in HTTP cookies.
  • To improve performance and reduce false positives, ensure that the HTTP Inspect preprocessor is enabled so that HTTP message traffic can be normalized and evaluated against rules that include HTTP content options.
  • To take advantage of HTTP Inspect preprocessor normalization, and to improve performance, any HTTP-related rule you create should include at least one content keyword with an HTTP URI, HTTP Method, HTTP Header, or HTTP Client Body option selected.
  • You cannot use the replace keyword in conjunction with HTTP content keyword options.
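The following is an added illustration, not code from the FireSIGHT guide or the HTTP Inspect preprocessor: a small Python model of how the HTTP content options select buffers of a parsed request, why a match against a normalized field can succeed where the raw field does not, and why limiting the options to the buffers where content can appear saves work. The function names, the buffer keys and the simplified normalization are assumptions made for the example.

```python
from urllib.parse import unquote
import re

# Constructed sample request (not from the guide): a percent-encoded URI, a
# self-referencing "./" path segment, and a large shopping-cart cookie.
SAMPLE_REQUEST = (
    b"GET /cgi-bin/%61dmin/./login.cgi HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: cart=" + b"A" * 4000 + b"; session=abc123\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"user=x&pw=xyz"
)

def parse_http_request(raw: bytes) -> dict:
    """Split a request into the buffers the HTTP content options select.
    The normalization here (percent-decoding, dropping "/./" segments,
    collapsing header whitespace) is a simplified stand-in for what the
    HTTP Inspect preprocessor does, not its actual behaviour.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, raw_uri, _version = request_line.split(b" ", 2)
    cookie, other_headers = b"", []
    for line in header_lines:
        if line.lower().startswith(b"cookie:"):
            cookie = line.split(b":", 1)[1].strip()  # cookie is its own buffer
        else:
            other_headers.append(line)
    raw_header = b"\r\n".join(other_headers)
    norm_uri = re.sub(rb"/\./", b"/", unquote(raw_uri.decode()).encode())
    norm_header = re.sub(rb"[ \t]+", b" ", raw_header)
    return {
        "http_method": method,
        "http_uri": norm_uri, "http_raw_uri": raw_uri,
        "http_header": norm_header, "http_raw_header": raw_header,
        "http_cookie": cookie, "http_raw_cookie": cookie,
        "http_client_body": body,
    }

def content_matches(buffers: dict, content: bytes, options: tuple) -> bool:
    """True if content occurs in at least one of the selected buffers; only
    those buffers are scanned, which is why restricting options to where
    the content can appear saves work (e.g. skipping a 4 KB cookie)."""
    return any(content in buffers[opt] for opt in options)

if __name__ == "__main__":
    bufs = parse_http_request(SAMPLE_REQUEST)
    print(content_matches(bufs, b"/admin/login.cgi", ("http_uri",)))  # True
```

The same content does not match when only the raw URI buffer is selected, which is the effect the guide's preference for normalized options is meant to secure.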
You can specify a single normalized HTTP option or status field, or use normalized HTTP options and 
status fields in any combination to target a content area to match. However, note the following 
restrictions when using HTTP field options: