Cisco Cisco Firepower Management Center 4000

32-10

FireSIGHT System User Guide

Chapter 32 Understanding and Writing Intrusion Rules

Understanding Keywords and Arguments in Rules

•

Searching for Content Matches, page 32-14

describes how to use the

content

keyword to test the

content of the packet payload.

•

Constraining Content Matches, page 32-15

describes how to use modifying keywords for the

content

keyword.

•

Replacing Content in Inline Deployments, page 32-25

describes how to use the

replace

keyword in

inline deployments to replace specified content of equal length.

•

Using Byte_Jump and Byte_Test, page 32-26

describes how to use the

byte_jump

and

byte_test

keywords to calculate where in a packet the rules engine should begin testing for a content match,
and which bytes it should evaluate.

•

Searching for Content Using PCRE, page 32-31

describes how to use the

pcre

keyword to use

Perl-compatible regular expressions in rules.

•

Adding Metadata to a Rule, page 32-37

describes how to use the

metadata

keyword to add

information to a rule.

•

Inspecting IP Header Values, page 32-41

describes the syntax and use of keywords that test values

in the packet’s IP header.

•

Inspecting ICMP Header Values, page 32-44

describes the syntax and use of keywords that test

values in the packet’s ICMP header.

•

Inspecting TCP Header Values and Stream Size, page 32-46

describes the syntax and use of

keywords that test values in the packet’s TCP header.

•

Enabling and Disabling TCP Stream Reassembly, page 32-50

describes how to enable and disable

stream reassembly for a single connection when inspected traffic on the connection matches the
conditions of the rule.

•

Extracting SSL Information from a Session, page 32-51

describes the use and syntax of keywords

that extract version and state information from encrypted traffic.

•

Reading Packet Data into Keyword Arguments, page 32-79

describes how to read a value from a

packet into a variable that you can use later in the same rule to specify the value for arguments in
certain other keywords.

•

Inspecting Application Layer Protocol Values, page 32-53

describes the use and syntax of keywords

that test application layer protocol properties.

•

Inspecting Packet Characteristics, page 32-77

describes the use and syntax of the

dsize

sameIP

isdataat

fragoffset

, and

cvs

keywords.

•

Initiating Active Responses with Rule Keywords, page 32-82

explains how to use the

resp

keyword

to actively close TCP connections or UDP sessions, the

react

keyword to send an HTML page and

then actively close TCP connections, and the

config response

command to specify the active

response interface and the number of TCP resets to attempt in a passive deployment.

•

Filtering Events, page 32-86

describes how to prevent a rule from triggering an event unless a

specified number packets meet the rule’s detection criteria within a specified time.

•

Evaluating Post-Attack Traffic, page 32-87

describes how to log additional traffic for the host or

session.

•

Detecting Attacks That Span Multiple Packets, page 32-88

describes how to assign state names to

packets from attacks that span multiple packets in a single session, then analyze and alert on packets
according to their state.

•

Generating Events on the HTTP Encoding Type and Location, page 32-93

describes how to generate

events on the type of encoding in an HTTP request or response URI, header, or cookie, including
set-cookies, before normalization.