Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 32: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
• You cannot use the Raw Data option together in the same content keyword with any HTTP option.
• You cannot use a raw HTTP field option (HTTP Raw URI, HTTP Raw Header, or HTTP Raw Cookie) together in the same content keyword with its normalized counterpart (HTTP URI, HTTP Header, or HTTP Cookie, respectively).
• You cannot select Use Fast Pattern Matcher in combination with one or more of the following HTTP field options: HTTP Raw URI, HTTP Raw Header, HTTP Raw Cookie, HTTP Cookie, HTTP Method, HTTP Status Message, or HTTP Status Code.
  However, you can include the options above in a content keyword that also uses the fast pattern matcher to search one of the following normalized fields: HTTP URI, HTTP Header, or HTTP Client Body.
  For example, if you select HTTP Cookie, HTTP Header, and Use Fast Pattern Matcher, the rules engine searches for content in both the HTTP cookie and the HTTP header, but the fast pattern matcher is applied only to the HTTP header, not to the HTTP cookie.
• When you combine restricted and unrestricted options, the fast pattern matcher searches only the unrestricted fields you specify to test whether to pass the rule to the rule editor for complete evaluation, including evaluation of the restricted fields. See for more information.
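The combination restrictions above can be checked mechanically before a rule is saved. The following is an added example, not code from the FireSIGHT System or its documentation: the option names are the labels used in this section, while the function names and data layout are assumptions, and only the options named in this section are covered.

```python
# Added example. Option names are the labels used on this page; the function
# names and data layout are assumptions made for illustration.
RAW_DATA = "Raw Data"
FAST_PATTERN = "Use Fast Pattern Matcher"

# Raw HTTP field option -> its normalized counterpart.
RAW_TO_NORMALIZED = {
    "HTTP Raw URI": "HTTP URI",
    "HTTP Raw Header": "HTTP Header",
    "HTTP Raw Cookie": "HTTP Cookie",
}
# Fields the fast pattern matcher cannot be applied to.
FP_RESTRICTED = set(RAW_TO_NORMALIZED) | {
    "HTTP Cookie", "HTTP Method", "HTTP Status Message", "HTTP Status Code",
}
# Normalized fields the fast pattern matcher can search.
FP_UNRESTRICTED = {"HTTP URI", "HTTP Header", "HTTP Client Body"}


def check_content_options(selected):
    """Return the restrictions violated by one content keyword's options."""
    selected = set(selected)
    problems = []
    if RAW_DATA in selected and selected & (FP_RESTRICTED | FP_UNRESTRICTED):
        problems.append("Raw Data cannot be combined with any HTTP option")
    for raw, normalized in RAW_TO_NORMALIZED.items():
        if raw in selected and normalized in selected:
            problems.append(f"{raw} cannot be combined with {normalized}")
    restricted = selected & FP_RESTRICTED
    if FAST_PATTERN in selected and restricted and not selected & FP_UNRESTRICTED:
        problems.append(
            "Use Fast Pattern Matcher needs HTTP URI, HTTP Header, or "
            "HTTP Client Body when used with: " + ", ".join(sorted(restricted))
        )
    return problems


def fast_pattern_fields(selected):
    """Fields the fast pattern matcher searches; others wait for full evaluation."""
    selected = set(selected)
    return selected & FP_UNRESTRICTED if FAST_PATTERN in selected else set()


if __name__ == "__main__":
    # Constructed sample: the HTTP Cookie + HTTP Header case from the text.
    example = {"HTTP Cookie", "HTTP Header", FAST_PATTERN}
    print(check_content_options(example), fast_pattern_fields(example))
```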
The above restrictions are reflected in the description of each option in the following list describing the HTTP content keyword options.
Note that the HTTP preprocessor must be enabled to allow processing of rules using any of these content keyword options. When the HTTP preprocessor is disabled and you enable rules that use any of these keywords, you are prompted whether to enable the preprocessor when you save the policy. See .
The following list describes the HTTP content keyword options.

HTTP URI
Select this option to search for content matches in the normalized request URI field.
Note that you cannot use this option in combination with the pcre keyword HTTP URI (U) option to search the same content. See the table for more information.
Note: A pipelined HTTP request packet contains multiple URIs. When HTTP URI is selected and the rules engine detects a pipelined HTTP request packet, the rules engine searches all URIs in the packet for a content match.

HTTP Raw URI
Select this option to search for content matches in the normalized request URI field.
Note that you cannot use this option in combination with the pcre keyword HTTP URI (U) option to search the same content. See the table for more information.
Note: A pipelined HTTP request packet contains multiple URIs. When HTTP URI is selected and the rules engine detects a pipelined HTTP request packet, the rules engine searches all URIs in the packet for a content match.