Cisco Cisco Firepower Management Center 4000
32-16
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Case Insensitive
License: Protection
You can instruct the rules engine to ignore case when searching for content matches in ASCII strings. To make your search case-insensitive, check Case Insensitive when specifying a content search.
To specify Case Insensitive when doing a content search:
Access: Admin/Intrusion Admin
Step 1 Select Case Insensitive for the content keyword you are adding.
Step 2 Continue with creating or editing the rule. See , , more information.
Raw Data
License: Protection
The Raw Data option instructs the rules engine to analyze the original packet payload before analyzing the normalized payload data (data decoded by a FireSIGHT System preprocessor) and does not use an argument value. You can use this keyword when analyzing telnet traffic to check the telnet negotiation options in the payload before normalization.
You cannot use the Raw Data option together in the same content keyword with any HTTP content option. See for more information.
Tip You can configure the HTTP Inspect preprocessor Client Flow Depth and Server Flow Depth options to determine whether raw data is inspected in HTTP traffic, and how much raw data is inspected, when the HTTP Inspect preprocessor is enabled. For more information, see .
To analyze raw data:
Access: Admin/Intrusion Admin
Step 1 Select the Raw Data check box for the content keyword you are adding.
Step 2 Continue with creating or editing the rule. See , , more information.
Not
License: Protection
Select the Not option to search for content that does not match the specified content. If you create a rule that includes a content keyword with the Not option selected, you must also include in the rule at least one other content keyword without the Not option selected.
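The Case Insensitive, Raw Data and Not options described above, modeled in Python as an added example (not Cisco's code and not the rules engine's implementation). The Content class, the function names, the http_option flag and the telnet normalization stand-in are assumptions made for illustration, and the sample payload is constructed.

```python
from dataclasses import dataclass

IAC = 0xFF  # telnet "Interpret As Command" byte
NEGOTIATION = (0xFB, 0xFC, 0xFD, 0xFE)  # WILL, WONT, DO, DONT


@dataclass
class Content:
    pattern: bytes
    case_insensitive: bool = False
    raw_data: bool = False
    negate: bool = False       # the "Not" option
    http_option: bool = False  # any HTTP content option selected


def normalize_telnet(payload: bytes) -> bytes:
    """Assumed stand-in for preprocessor decoding: drop 3-byte IAC negotiations."""
    out, i = bytearray(), 0
    while i < len(payload):
        if payload[i] == IAC and i + 2 < len(payload) and payload[i + 1] in NEGOTIATION:
            i += 3
        else:
            out.append(payload[i])
            i += 1
    return bytes(out)


def validate(rule):
    """Enforce the two constraints the guide states for these options."""
    if rule and all(c.negate for c in rule):
        raise ValueError("need at least one content keyword without Not")
    if any(c.raw_data and c.http_option for c in rule):
        raise ValueError("Raw Data cannot be combined with an HTTP content option")


def rule_matches(rule, payload: bytes) -> bool:
    validate(rule)
    normalized = normalize_telnet(payload)
    for c in rule:
        data = payload if c.raw_data else normalized
        pat = c.pattern
        if c.case_insensitive:
            data, pat = data.lower(), pat.lower()
        if (pat in data) == c.negate:  # positive miss, or negated hit
            return False
    return True


# Constructed sample: IAC DO ECHO (ff fd 01) followed by a login prompt.
SAMPLE = b"\xff\xfd\x01Login: ROOT\r\n"
```

With this sample, the negotiation bytes are only visible to a content keyword that has Raw Data selected, because the normalized payload no longer contains them.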