Cisco Firepower Management Center 4000
32-17
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Caution: Do not create a rule that includes only one content keyword if that keyword has the Not option selected. You may invalidate your intrusion policy. For more information, see .
For example, SMTP rule 1:2541:9 includes three content keywords, one of which has the Not option selected. A custom rule based on this rule would be invalid if you removed all of the content keywords except the one with the Not option selected. Adding such a rule to your intrusion policy could invalidate the policy.
To search for content that does not match the specified content:
Access: Admin/Intrusion Admin
Step 1 Select the Not check box for the content keyword you are adding.
Tip: You cannot select the Not check box and the Use Fast Pattern Matcher check box with the same content keyword.
Step 2 Include in the rule at least one other content keyword that does not have the Not option selected.
Step 3 Continue with creating or editing the rule. See , , , or for more information.
Search Location Options
License: Protection
You can use either of two content location pairs to specify where to begin searching for the specified content and how far to continue searching, as follows:
• Use Offset and Depth together to search relative to the beginning of the packet payload.
• Use Distance and Within together to search relative to the current search location.
When you specify only one of a pair, the default for the other option in the pair is assumed.
You cannot mix the Offset and Depth options with the Distance and Within options. For example, you cannot pair Offset and Within. You can use any number of location options in a rule.
When no location is specified, the defaults for Offset and Depth are assumed; that is, the content search starts at the beginning of the packet payload and continues to the end of the packet.
You can also use an existing byte_extract variable to specify the value for a location option. See for more information.
Offset
Specifies in bytes where in the packet payload to start searching for content relative to the beginning of the packet payload. You can specify a value of -65535 to 65535 bytes.
Because the offset counter starts at byte 0, specify one less than the number of bytes you want to move forward from the beginning of the packet payload. For example, if you specify 7, the search begins at the eighth byte.
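The two location pairs and the Not option described above, modelled as an added Python example; this is not code from the FireSIGHT guide or from Snort, the window semantics are a deliberate simplification (assumption), and the payload is constructed.

```python
# Added example, not from the FireSIGHT guide: a simplified model of how the
# content keyword's location pairs and Not option bound a search.
# Assumption: each pair defines one search window; real Snort semantics
# (e.g. how "within" counts relative to the end of the match) are richer.

def search_window(payload, cursor, offset=None, depth=None,
                  distance=None, within=None):
    """Return (start, end) of the bytes one content keyword may search."""
    abs_pair = offset is not None or depth is not None
    rel_pair = distance is not None or within is not None
    if abs_pair and rel_pair:
        raise ValueError("cannot mix Offset/Depth with Distance/Within")
    if rel_pair:
        start = cursor + (distance or 0)     # relative to current search location
        end = start + within if within is not None else len(payload)
    else:
        start = offset or 0                  # byte 0 is the first payload byte
        end = start + depth if depth is not None else len(payload)
    return max(start, 0), min(end, len(payload))

def match_content(payload, pattern, cursor=0, negate=False, **loc):
    """Apply one content keyword; returns (matched, new cursor)."""
    start, end = search_window(payload, cursor, **loc)
    idx = payload.find(pattern, start, end)  # match must lie fully inside the window
    if negate:
        return idx == -1, cursor             # a Not match does not advance the cursor
    return idx != -1, (idx + len(pattern) if idx != -1 else cursor)

def is_valid_rule(contents):
    """The guide's caution: a rule whose only content keywords are Not ones is invalid."""
    return bool(contents) and not all(c.get("negate") for c in contents)

def rule_matches(payload, contents):
    """contents: list of dicts with 'pattern' plus optional negate/offset/depth/distance/within."""
    if not is_valid_rule(contents):
        raise ValueError("invalid rule: every content keyword has Not selected")
    cursor = 0
    for spec in contents:
        spec = dict(spec)
        ok, cursor = match_content(payload, spec.pop("pattern"), cursor,
                                   spec.pop("negate", False), **spec)
        if not ok:
            return False
    return True

if __name__ == "__main__":
    PAYLOAD = b"ABCDEFGHIJKLMNOP"   # constructed sample payload
    # Offset 7 starts at the eighth byte ("H"); Depth 1 searches only that byte
    print(rule_matches(PAYLOAD, [{"pattern": b"H", "offset": 7, "depth": 1}]))
    # Distance/Within are relative to the end of the previous match
    print(rule_matches(PAYLOAD, [{"pattern": b"ABC"},
                                 {"pattern": b"EF", "distance": 1, "within": 2}]))
```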