Cisco Firepower Management Center 4000
32-23
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Almost all HTTP client requests contain the content GET, but few will contain the content /exploit.cgi. Using GET as the fast pattern content would cause the rules engine to evaluate this rule in most cases, and the evaluation would rarely result in a match. If /exploit.cgi is used as the fast pattern content instead, most client GET requests are never passed to the rules engine at all, which increases performance.
The rules engine evaluates the packet against the rule only when the fast pattern matcher detects the specified content. For example, if one content keyword in a rule specifies the content short, another specifies longer, and a third specifies longest, the fast pattern matcher will use the content longest, and the rule will be evaluated only if the rules engine finds longest in the payload.
You can use the Use Fast Pattern Matcher option to specify a shorter search pattern for the fast pattern matcher to use. Ideally, the pattern you specify is less likely to be found in the packet than the longest pattern and, therefore, more specifically identifies the targeted exploit.
Note the following restrictions when selecting Use Fast Pattern Matcher and other options in the same content keyword:
• You can specify Use Fast Pattern Matcher only one time per rule.
• You cannot use Distance, Within, Offset, or Depth when you select Use Fast Pattern Matcher in combination with Not.
• You cannot select Use Fast Pattern Matcher in combination with any of the following HTTP field options: HTTP Raw URI, HTTP Raw Header, HTTP Raw Cookie, HTTP Cookie, HTTP Method, HTTP Status Message, or HTTP Status Code. However, you can include the options above in a content keyword that also uses the fast pattern matcher to search one of the following normalized fields: HTTP URI, HTTP Header, or HTTP Client Body. For example, if you select HTTP Cookie, HTTP Header, and Use Fast Pattern Matcher, the rules engine searches for content in both the HTTP cookie and the HTTP header, but the fast pattern matcher is applied only to the HTTP header, not to the HTTP cookie.
Note that you cannot use a raw HTTP field option (HTTP Raw URI, HTTP Raw Header, or HTTP Raw Cookie) together in the same content keyword with its normalized counterpart (HTTP URI, HTTP Header, or HTTP Cookie, respectively). See for more information.
When you combine restricted and unrestricted options, the fast pattern matcher searches only the unrestricted fields you specify to test whether to pass the packet to the rules engine for complete evaluation, including evaluation of the restricted fields.
• Optionally, when you select Use Fast Pattern Matcher you can also select Fast Pattern Matcher Only or Fast Pattern Matcher Offset and Length, but not both.
• You cannot use the fast pattern matcher when inspecting Base64 data; see for more information.
Using the Fast Pattern Matcher Only
The Fast Pattern Matcher Only option allows you to use the content keyword only as a fast pattern matcher option and not as a rule option. You can use this option to conserve resources when rules engine evaluation of the specified content is not necessary. For example, consider a case where a rule requires only that the content 12345 be anywhere in the payload. When the fast pattern matcher detects the pattern, the packet can be evaluated against additional keywords in the rule. There is no need for the rules engine to reevaluate the packet to determine if it includes the pattern 12345.
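The following is an added illustration, not Cisco or Snort code: a small model of how the fast pattern matcher prefilters packets before the rules engine runs. It covers the GET versus /exploit.cgi choice, the default selection of the longest content, and the Fast Pattern Matcher Only behaviour described above. The HTTP requests, the Content/run_rule names and the counters are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Content:
    """One content keyword; the flags mirror the rule editor options discussed above."""
    pattern: bytes
    fast_pattern: bool = False       # Use Fast Pattern Matcher
    fast_pattern_only: bool = False  # Fast Pattern Matcher Only

def select_fast_pattern(contents):
    """Default is the longest content; a content flagged Use Fast Pattern Matcher overrides it."""
    flagged = [c for c in contents if c.fast_pattern]
    if len(flagged) > 1:
        raise ValueError("Use Fast Pattern Matcher may be selected only once per rule")
    return flagged[0] if flagged else max(contents, key=lambda c: len(c.pattern))

def run_rule(contents, payloads):
    """Prefilter each payload with the fast pattern, then fully evaluate only the survivors."""
    fp = select_fast_pattern(contents)
    stats = {"matches": 0, "engine_evaluations": 0, "content_checks": 0}
    for payload in payloads:
        if fp.pattern not in payload:
            continue                  # fast pattern matcher rejects; the rules engine never runs
        stats["engine_evaluations"] += 1
        matched = True
        for c in contents:
            if c is fp and c.fast_pattern_only:
                continue              # already proven present; not re-evaluated as a rule option
            stats["content_checks"] += 1
            if c.pattern not in payload:
                matched = False
                break
        stats["matches"] += matched
    return stats

# Constructed sample traffic: nine ordinary GETs, one exploit GET, one POST naming the same path.
TRAFFIC = [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"] * 9 + [
    b"GET /exploit.cgi HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /exploit.cgi HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

# Three versions of the same rule, differing only in which content drives the prefilter.
RULE_GET_FP = [Content(b"GET", fast_pattern=True), Content(b"/exploit.cgi")]
RULE_CGI_FP = [Content(b"GET"), Content(b"/exploit.cgi", fast_pattern=True)]
RULE_CGI_ONLY = [Content(b"GET"), Content(b"/exploit.cgi", fast_pattern=True, fast_pattern_only=True)]

if __name__ == "__main__":
    for name, rule in [("GET as fast pattern", RULE_GET_FP),
                       ("/exploit.cgi as fast pattern", RULE_CGI_FP),
                       ("/exploit.cgi, matcher only", RULE_CGI_ONLY)]:
        print(f"{name}: {run_rule(rule, TRAFFIC)}")
```

With GET as the fast pattern every GET reaches the rules engine, while with /exploit.cgi only the two requests that name that path do, and Fast Pattern Matcher Only further drops the repeated check of the pattern the matcher has already found.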