Cisco Cisco Firepower Management Center 4000

You can specify multiple content matches in a single rule. To do this, use additional instances of the 

content

 keyword. For each content match, you can indicate that content matches must be found in the 

packet payload or stream for the rule to trigger.

You should almost always follow a 

content

 keyword by modifiers that indicate where the content should 

be searched for, whether the search is case-sensitive, and other options. See 

 for more information about modifiers to the 

content

 keyword.

Note that all content matches must be true for the rule to trigger an event, that is, each content match has 
an AND relationship with the others.

Note also that, in an inline deployment, you can set up rules that match malicious content and then 
replace it with your own text string of equal length. See 

 for more information.

Admin/Intrusion Admin

In the 

content

 field, type the content you want to find (for example, 

|90C8 C0FF FFFF|/bin/sh

). 

If you want to search for any content that is not the specified content, select the 

 check box. 

You may invalidate your intrusion policy if you create a rule that includes only one 

content

 keyword 

and that keyword has the 

 option selected. For more information, see 

.

Optionally, add additional keywords that modify the 

content

 keyword or add constraints for the 

keyword. For more information on other keywords, see 

. For more information on constraining the 

content

 keyword, see 

.

Continue with creating or editing the rule. See 

 for more information.

Protection

You can constrain the location and case-sensitivity of content searches with parameters that modify the 

content

 keyword. Configure options that modify the 

content

 keyword to specify the content for which 

you want to search.

For more information, see the following sections: