Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules

Case Insensitive

License: Protection

You can instruct the rules engine to ignore case when searching for content matches in ASCII strings. To make your search case-insensitive, check Case Insensitive when specifying a content search.

To specify Case Insensitive when doing a content search:

Access: Admin/Intrusion Admin

Step 1  Select Case Insensitive for the content keyword you are adding.
Step 2  Continue with creating or editing the rule. See more information.

Raw Data

License: Protection

The Raw Data option instructs the rules engine to analyze the original packet payload before analyzing the normalized payload data (data decoded by a FireSIGHT System preprocessor) and does not use an argument value. You can use this keyword when analyzing telnet traffic to check the telnet negotiation options in the payload before normalization.

You cannot use the Raw Data option together in the same content keyword with any HTTP content option. See for more information.

Tip  You can configure the HTTP Inspect preprocessor Client Flow Depth and Server Flow Depth options to determine whether raw data is inspected in HTTP traffic, and how much raw data is inspected, when the HTTP Inspect preprocessor is enabled. For more information, see .

To analyze raw data:

Access: Admin/Intrusion Admin

Step 1  Select the Raw Data check box for the content keyword you are adding.
Step 2  Continue with creating or editing the rule. See more information.

Not

License: Protection

Select the Not option to search for content that does not match the specified content. If you create a rule that includes a content keyword with the Not option selected, you must also include in the rule at least one other content keyword without the Not option selected.
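
The following Python sketch is an added example, not code from the guide or the product. It models how the Case Insensitive, Raw Data and Not options change a content match on a constructed telnet payload; the normalizer, the Content class and rule_matches are assumed names, and the normalization is a simplification of what a telnet preprocessor does.

```python
# Simplified model of three content-keyword options; not the rules engine's code.
from dataclasses import dataclass

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT

def normalize_telnet(raw: bytes) -> bytes:
    """Strip telnet negotiation sequences (assumed, simplified normalization)."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != IAC or i + 1 >= len(raw):
            out.append(raw[i]); i += 1
        elif raw[i + 1] in NEGOTIATION:
            i += 3                       # IAC <verb> <option>
        elif raw[i + 1] == SB:           # subnegotiation runs until IAC SE
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = len(raw) if end < 0 else end + 2
        elif raw[i + 1] == IAC:
            out.append(IAC); i += 2      # escaped literal 0xFF byte
        else:
            i += 2                       # any other two-byte command
    return bytes(out)

@dataclass
class Content:
    pattern: bytes
    case_insensitive: bool = False
    raw_data: bool = False
    negated: bool = False                # the "Not" option

    def matches(self, raw: bytes) -> bool:
        # Raw Data inspects the payload as received; otherwise the normalized data.
        buf = raw if self.raw_data else normalize_telnet(raw)
        pat = self.pattern
        if self.case_insensitive:        # bytes.lower() folds ASCII letters only
            buf, pat = buf.lower(), pat.lower()
        return (pat in buf) != self.negated

def rule_matches(contents, raw: bytes) -> bool:
    # The guide requires at least one content keyword without Not selected.
    if all(c.negated for c in contents):
        raise ValueError("rule needs a content keyword without Not selected")
    return all(c.matches(raw) for c in contents)

# Constructed sample: IAC DO TERMINAL-TYPE (option 0x18), then login text.
SAMPLE = bytes([IAC, 0xFD, 0x18]) + b"Login: ROOT\r\n"
```

In this model, a content search for the negotiation bytes matches SAMPLE only with Raw Data selected, because normalization removes them before the default search runs.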