Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
HTTP Method
Select this option to search for content matches in the request method field, which identifies the action, such as GET and POST, to take on the resource identified in the URI.
HTTP Header
Select this option to search for content matches in the normalized header field, except for cookies, in HTTP requests; also in responses when the HTTP Inspect preprocessor Inspect HTTP Responses option is enabled.
Note that you cannot use this option in combination with the pcre keyword HTTP header (H) option to search the same content. See the table for more information.
HTTP Raw Header
Select this option to search for content matches in the raw header field, except for cookies, in HTTP requests; also in responses when the HTTP Inspect preprocessor Inspect HTTP Responses option is enabled.
Note that you cannot use this option in combination with the pcre keyword HTTP raw header (D) option to search the same content. See the table for more information.
HTTP Cookie
Select this option to search for content matches in any cookie identified in a normalized HTTP client request header; also in response set-cookie data when the HTTP Inspect preprocessor Inspect HTTP Responses option is enabled. Note that the system treats cookies included in the message body as body content.
You must enable the HTTP Inspect preprocessor Inspect HTTP Cookies option to search only the cookie for a match; otherwise, the rules engine searches the entire header, including the cookie. See for more information.
Note the following:
– You cannot use this option in combination with the pcre keyword HTTP cookie (C) option to search the same content. See the table for more information.
– The Cookie: and Set-Cookie: header names, leading spaces on the header line, and the CRLF that terminates the header line are inspected as part of the header and not as part of the cookie.
HTTP Raw Cookie
Select this option to search for content matches in any cookie identified in a raw HTTP client request header; also in response set-cookie data when the HTTP Inspect preprocessor Inspect HTTP Responses option is enabled; note that the system treats cookies included in the message body as body content.
You must enable the HTTP Inspect preprocessor Inspect HTTP Cookies option to search only the cookie for a match; otherwise, the rules engine searches the entire header, including the cookie. See for more information.
Note the following:
– You cannot use this option in combination with the pcre keyword HTTP raw cookie (K) option to search the same content. See the table for more information.
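The header and cookie split described in the HTTP Cookie and HTTP Raw Cookie entries above is modeled here in Python, to show which buffer a content match lands in with Inspect HTTP Cookies enabled and disabled. This is an added example, not Cisco or Snort code: split_buffers, content_match and the sample request are constructed for illustration, only raw (un-normalized) buffers are modeled, and it assumes that with the option disabled the cookie stays in the header buffer.

```python
# Added example: simplified model of the raw header / raw cookie split described above.
# Not Cisco or Snort code; no normalization is modeled.
COOKIE_NAMES = (b"cookie", b"set-cookie")

def split_buffers(message: bytes, inspect_cookies: bool) -> dict:
    """Split one HTTP message into method, raw header and raw cookie buffers."""
    head = message.split(b"\r\n\r\n", 1)[0]   # body cookies are body content, not cookie data
    start_line, *header_lines = head.split(b"\r\n")
    buffers = {"method": start_line.split(b" ", 1)[0], "header": b"", "cookie": None}
    if inspect_cookies:
        buffers["cookie"] = b""
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if inspect_cookies and colon and name.strip().lower() in COOKIE_NAMES:
            data = value.lstrip(b" \t")
            leading = value[: len(value) - len(data)]
            # Header name, leading spaces and the terminating CRLF stay in the header buffer.
            buffers["header"] += name + colon + leading + b"\r\n"
            buffers["cookie"] += data
        else:
            # Assumption: with cookie inspection off, cookie lines remain in the header buffer.
            buffers["header"] += line + b"\r\n"
    return buffers

def content_match(buffers: dict, target: str, needle: bytes) -> bool:
    """Search one buffer. A cookie search falls back to the entire header
    when cookies were not extracted (Inspect HTTP Cookies disabled)."""
    buf = buffers[target]
    if target == "cookie" and buf is None:
        buf = buffers["header"]
    return needle in buf

# Constructed sample request (not captured traffic).
SAMPLE = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
          b"User-Agent: probe-sid=1\r\nCookie: sid=abc123; theme=dark\r\n\r\nsid=body")

if __name__ == "__main__":
    for flag in (True, False):
        b = split_buffers(SAMPLE, inspect_cookies=flag)
        print("inspect_cookies =", flag,
              "| cookie has 'sid=':", content_match(b, "cookie", b"sid="),
              "| cookie has 'probe-':", content_match(b, "cookie", b"probe-"),
              "| header has 'abc123':", content_match(b, "header", b"abc123"))
```

With the option on, a cookie search for probe- does not match the User-Agent value; with it off, the same search matches because it runs over the entire header.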