FireSIGHT System User Guide
Chapter 32      Understanding and Writing Intrusion Rules 
  Understanding Keywords and Arguments in Rules
– The Cookie: and Set-Cookie: header names, leading spaces on the header line, and the CRLF that terminates the header line are inspected as part of the header and not as part of the cookie.
HTTP Client Body
Select this option to search for content matches in the message body in an HTTP client request.
Note that for this option to function, you must specify a value of 0 to 65535 for the HTTP Inspect preprocessor HTTP Client Body Extraction Depth option. See for more information.
HTTP Status Code
Select this option to search for content matches in the 3-digit status code in an HTTP response.
You must enable the HTTP Inspect preprocessor Inspect HTTP Responses option for this option to return a match. See for more information.
HTTP Status Message
Select this option to search for content matches in the textual description that accompanies the status code in an HTTP response.
You must enable the HTTP Inspect preprocessor Inspect HTTP Responses option for this option to return a match. See for more information.
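The buffers that the HTTP content options above select, as an added example that is not code from the FireSIGHT guide or from Cisco: a small Python function splits a constructed HTTP request or response into method, URI, header, cookie, client-body, status-code and status-message buffers, applying the cookie rule stated above (the Cookie:/Set-Cookie: header name, the leading spaces and the terminating CRLF stay in the header buffer; only the value lands in the cookie buffer). The function name and its client_body_depth parameter are this example's own, and treating a depth of 0 as "extract the whole body" is an assumption made for the example.

```python
# Added example (not from the FireSIGHT guide): split an HTTP message into the
# buffers that the HTTP content options inspect. Sample messages are
# constructed; client_body_depth stands in for the preprocessor's HTTP Client
# Body Extraction Depth setting (0 treated as "whole body": an assumption).
from typing import Dict

CRLF = b"\r\n"
COOKIE_HEADERS = (b"cookie", b"set-cookie")


def split_http_buffers(raw: bytes, client_body_depth: int = 0) -> Dict[str, bytes]:
    """Return the method, uri, header, cookie, client_body, status_code and
    status_msg buffers for one HTTP request or response."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    start_line, header_lines = lines[0], lines[1:]
    bufs = {k: b"" for k in ("method", "uri", "header", "cookie",
                             "client_body", "status_code", "status_msg")}

    parts = start_line.split(b" ", 2)
    if start_line.startswith(b"HTTP/"):
        # Response: "HTTP/1.1 404 Not Found" -> 3-digit code and its text.
        bufs["status_code"] = parts[1] if len(parts) > 1 else b""
        bufs["status_msg"] = parts[2] if len(parts) > 2 else b""
    else:
        # Request: "POST /login HTTP/1.1" -> method and URI; the body is the
        # client body, cut to the extraction depth (0 = no limit, assumption).
        bufs["method"] = parts[0]
        bufs["uri"] = parts[1] if len(parts) > 1 else b""
        bufs["client_body"] = body if client_body_depth == 0 else body[:client_body_depth]

    header_buf, cookie_buf = bytearray(), bytearray()
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() in COOKIE_HEADERS:
            # Header name, the spaces after the colon and the CRLF stay in the
            # header buffer; only the cookie value goes to the cookie buffer.
            stripped = value.lstrip(b" \t")
            leading = value[: len(value) - len(stripped)]
            header_buf += name + colon + leading + CRLF
            cookie_buf += stripped
        else:
            header_buf += line + CRLF
    bufs["header"] = bytes(header_buf)
    bufs["cookie"] = bytes(cookie_buf)
    return bufs


# Constructed sample traffic (not captured from any real host).
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Cookie:  session=abc123; lang=en\r\n"
    b"Content-Length: 15\r\n"
    b"\r\n"
    b"user=alice&pw=x"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Set-Cookie: tracker=xyz\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in (("request", SAMPLE_REQUEST), ("response", SAMPLE_RESPONSE)):
        print(label)
        for name, buf in split_http_buffers(raw).items():
            if buf:
                print(f"  {name:12s} {buf!r}")
```

Running the block prints the non-empty buffers for each sample message; note that the session value never appears in the header buffer, so a rule that needs to match it must use the HTTP Cookie option rather than HTTP Header.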
To specify an HTTP content option when doing a content search of TCP traffic:
Access: Admin/Intrusion Admin
Step 1  Optionally, to take advantage of HTTP Inspect preprocessor normalization, and to improve performance, select at least one from among the HTTP URI, HTTP Raw URI, HTTP Method, HTTP Header, HTTP Raw Header, or HTTP Client Body options for the content keyword you are adding; also, optionally, select the HTTP Cookie or HTTP Raw Cookie option.
Step 2  Continue with creating or editing the rule. See for more information.
Use Fast Pattern Matcher
License: Protection
The fast pattern matcher quickly determines which rules to evaluate before passing a packet to the rules engine. This initial determination improves performance by significantly reducing the number of rules used in packet evaluation.
By default, the fast pattern matcher searches packets for the longest content specified in a rule; this is done to eliminate as much needless rule evaluation as possible. Consider the following example rule fragment:
alert tcp any any -> any 80 (msg:"Exploit"; content:"GET"; http_method; nocase; content:"/exploit.cgi"; http_uri; nocase;)
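The default fast-pattern choice described above, as an added example that is not code from the FireSIGHT guide or from Snort: a Python parser reads the content options of a rule written like the fragment above and picks the content the fast pattern matcher would search for, namely the longest non-negated content, unless one content carries the Snort fast_pattern modifier, which then wins. The helper names are this example's own; the list of content modifiers it recognises is limited to common Snort keywords.

```python
# Added example (not from the FireSIGHT guide or from Snort): parse the content
# options of a Snort-style rule and apply the default fast-pattern selection,
# the longest non-negated content, with an explicit fast_pattern modifier
# taking precedence. Helper names are this example's own.
from typing import Dict, List, Optional

# Modifiers that attach to the content keyword immediately before them.
CONTENT_MODIFIERS = {
    "nocase", "depth", "offset", "distance", "within", "fast_pattern",
    "http_method", "http_uri", "http_raw_uri", "http_header", "http_raw_header",
    "http_cookie", "http_raw_cookie", "http_client_body", "http_stat_code",
    "http_stat_msg", "rawbytes",
}


def decode_content(text: str) -> bytes:
    """Turn a content string such as GET or |0d 0a|GET into raw bytes, so that
    |xx| hex escapes count by their byte length rather than as written."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            out += bytes.fromhex(chunk)
    return bytes(out)


def split_options(body: str) -> List[str]:
    """Split the rule body on ';' while leaving ';' inside quotes alone."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_contents(rule: str) -> List[Dict]:
    """Return each content keyword with its decoded pattern, negation flag and
    the modifiers that follow it (up to the next content keyword)."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents: List[Dict] = []
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            negated = val.startswith("!")
            if negated:
                val = val[1:].strip()
            contents.append({"pattern": decode_content(val.strip('"')),
                             "negated": negated, "modifiers": []})
        elif contents and key in CONTENT_MODIFIERS:
            contents[-1]["modifiers"].append(key if not val else f"{key}:{val}")
    return contents


def select_fast_pattern(contents: List[Dict]) -> Optional[Dict]:
    """Pick the content the fast pattern matcher searches for: an explicit
    fast_pattern wins, otherwise the longest non-negated content (first on ties)."""
    candidates = [c for c in contents if not c["negated"]]
    for c in candidates:
        if any(m.split(":")[0] == "fast_pattern" for m in c["modifiers"]):
            return c
    return max(candidates, key=lambda c: len(c["pattern"]), default=None)


# The rule fragment from the guide, joined onto one line.
EXAMPLE_RULE = ('alert tcp any any -> any 80 (msg:"Exploit"; content:"GET"; '
                'http_method; nocase; content:"/exploit.cgi"; http_uri; nocase;)')

if __name__ == "__main__":
    contents = parse_contents(EXAMPLE_RULE)
    for c in contents:
        print(c["pattern"], c["modifiers"])
    print("fast pattern:", select_fast_pattern(contents)["pattern"])
```

For the fragment above the parser reports GET with http_method and nocase, /exploit.cgi with http_uri and nocase, and selects /exploit.cgi (12 bytes) over GET (3 bytes) as the fast pattern, which is the default behaviour the text describes; a rule with a very short or very common longest content is where forcing a different choice with fast_pattern pays off.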