FireSIGHT System User Guide
Chapter 32  Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Almost all HTTP client requests contain the content GET, but few will contain the content /exploit.cgi. Using GET as the fast pattern content would cause the rules engine to evaluate this rule in most cases and would rarely result in a match. However, with /exploit.cgi as the fast pattern, most client GET requests would not be evaluated by the rules engine at all, thus increasing performance.
The rules engine evaluates the packet against the rule only when the fast pattern matcher detects the specified content. For example, if one content keyword in a rule specifies the content short, another specifies longer, and a third specifies longest, the fast pattern matcher will use the content longest and the rule will be evaluated only if the rules engine finds longest in the payload.
You can use the Use Fast Pattern Matcher option to specify a shorter search pattern for the fast pattern matcher to use. Ideally, the pattern you specify is less likely to be found in the packet than the longest pattern and, therefore, more specifically identifies the targeted exploit.
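The following simulation, added here and not part of the FireSIGHT documentation or product code, models the two-stage behaviour described above: the fast pattern matcher is a cheap gate, and the rules engine evaluates only the packets that pass it. It selects the fast pattern the way the text describes (the longest content by default, or the one flagged for Use Fast Pattern Matcher) and counts how many constructed HTTP requests reach full evaluation with GET versus /exploit.cgi as the fast pattern. The traffic, the rule contents and the flag name `fast_pattern` are this example's own constructions.

```python
"""Simulation of fast pattern selection and prefiltering for a content rule.

Added example, not FireSIGHT or Snort code. The rule contents and the HTTP
requests below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Content:
    """One content keyword of a rule; fast_pattern models the
    "Use Fast Pattern Matcher" option (assumed field name)."""
    pattern: bytes
    fast_pattern: bool = False


def select_fast_pattern(contents: List[Content]) -> Content:
    """Pick the content the fast pattern matcher searches for.

    By default the longest content wins; a content flagged with
    fast_pattern overrides that choice. Only one flag is allowed per rule.
    """
    flagged = [c for c in contents if c.fast_pattern]
    if len(flagged) > 1:
        raise ValueError("Use Fast Pattern Matcher may be selected only once per rule")
    if flagged:
        return flagged[0]
    return max(contents, key=lambda c: len(c.pattern))


def prefilter(payloads: List[bytes], fp: Content) -> List[bytes]:
    """Fast pattern matcher: a cheap gate that only decides whether the
    rules engine sees the packet at all. Passing it is not a match."""
    return [p for p in payloads if fp.pattern in p]


def full_evaluate(payload: bytes, contents: List[Content]) -> bool:
    """Rules engine: every content keyword must match (simplified model
    without positional modifiers)."""
    return all(c.pattern in payload for c in contents)


def run_rule(payloads: List[bytes], contents: List[Content]) -> Dict[str, object]:
    """Run the rule over the traffic and report how much work the rules
    engine had to do versus how many packets actually matched."""
    fp = select_fast_pattern(contents)
    candidates = prefilter(payloads, fp)
    alerts = [p for p in candidates if full_evaluate(p, contents)]
    return {"fast_pattern": fp.pattern, "evaluated": len(candidates), "alerts": len(alerts)}


# Constructed client traffic: ordinary GETs, one GET for the hypothetical
# /exploit.cgi path, and two POSTs (one of them to the same path).
TRAFFIC: List[bytes] = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /about HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /cgi-bin/status.cgi HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /exploit.cgi HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\nuser=a&pass=b",
    b"POST /exploit.cgi HTTP/1.1\r\nHost: www.example.com\r\n\r\nx=1",
]

# The same rule logic with two different fast pattern choices.
RULE_FP_GET = [Content(b"GET", fast_pattern=True), Content(b"/exploit.cgi")]
RULE_FP_DEFAULT = [Content(b"GET"), Content(b"/exploit.cgi")]  # longest content wins


if __name__ == "__main__":
    for name, rule in (("GET as fast pattern", RULE_FP_GET),
                       ("default (longest content)", RULE_FP_DEFAULT)):
        print(name, run_rule(TRAFFIC, rule))
```

Both runs produce the same single alert, but with GET as the fast pattern every GET request is handed to the rules engine, whereas with /exploit.cgi only the two requests carrying that path are evaluated, one of which then fails the full check because it lacks GET.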
Note the following restrictions when selecting Use Fast Pattern Matcher and other options in the same content keyword:
  • You can specify Use Fast Pattern Matcher only one time per rule.
  • You cannot use Distance, Within, Offset, or Depth when you select Use Fast Pattern Matcher in combination with Not.
  • You cannot select Use Fast Pattern Matcher in combination with any of the following HTTP field options: HTTP Raw URI, HTTP Raw Header, HTTP Raw Cookie, HTTP Cookie, HTTP Method, HTTP Status Message, or HTTP Status Code.
    However, you can include the options above in a content keyword that also uses the fast pattern matcher to search one of the following normalized fields: HTTP URI, HTTP Header, or HTTP Client Body. For example, if you select HTTP Cookie, HTTP Header, and Use Fast Pattern Matcher, the rules engine searches for content in both the HTTP cookie and the HTTP header, but the fast pattern matcher is applied only to the HTTP header, not to the HTTP cookie.
    Note that you cannot use a raw HTTP field option (HTTP Raw URI, HTTP Raw Header, or HTTP Raw Cookie) together in the same content keyword with its normalized counterpart (HTTP URI, HTTP Header, or HTTP Cookie, respectively). See  for more information.
    When you combine restricted and unrestricted options, the fast pattern matcher searches only the unrestricted fields you specify to test whether to pass the packet to the rules engine for complete evaluation, including evaluation of the restricted fields.
  • Optionally, when you select Use Fast Pattern Matcher you can also select Fast Pattern Matcher Only or Fast Pattern Matcher Offset and Length, but not both.
  • You cannot use the fast pattern matcher when inspecting Base64 data; see  for more information.
Using the Fast Pattern Matcher Only
The Fast Pattern Matcher Only option allows you to use the content keyword only as a fast pattern matcher option and not as a rule option. You can use this option to conserve resources when rules engine evaluation of the specified content is not necessary. For example, consider a case where a rule requires only that the content 12345 be anywhere in the payload. When the fast pattern matcher detects the pattern, the packet can be evaluated against additional keywords in the rule. There is no need for the rules engine to reevaluate the packet to determine if it includes the pattern 12345.
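The restriction list above and the Fast Pattern Matcher Only / Offset and Length choice are the kind of constraints a rule author gets wrong when hand-editing rules, so the following lint, added here and not FireSIGHT or Snort code, encodes each of them as a check over a modelled content keyword. The option names used are the Snort rule keywords the FireSIGHT options correspond to (`http_uri` for HTTP URI, `http_stat_msg` for HTTP Status Message, `fast_pattern:only` for Fast Pattern Matcher Only, and so on); that mapping, the dataclass fields and the sample keywords are this example's assumptions. It also reports which fields the fast pattern matcher would actually search when restricted and unrestricted HTTP options are combined.

```python
"""Lint for option combinations in a content keyword that selects
"Use Fast Pattern Matcher".

Added example, not FireSIGHT code. Option names follow the Snort keywords the
FireSIGHT options map to; the mapping and sample keywords are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# HTTP field options the fast pattern matcher may not be applied to.
RESTRICTED_HTTP = frozenset({"http_raw_uri", "http_raw_header", "http_raw_cookie",
                             "http_cookie", "http_method", "http_stat_msg", "http_stat_code"})
# Normalized fields the fast pattern matcher can search.
UNRESTRICTED_HTTP = frozenset({"http_uri", "http_header", "http_client_body"})
# A raw field may not share a content keyword with its normalized counterpart.
RAW_TO_NORMALIZED = {"http_raw_uri": "http_uri", "http_raw_header": "http_header",
                     "http_raw_cookie": "http_cookie"}
# Positional modifiers: Distance, Within, Offset, Depth.
POSITIONAL = frozenset({"distance", "within", "offset", "depth"})


@dataclass(frozen=True)
class ContentKeyword:
    pattern: str
    negated: bool = False                        # "Not"
    fast_pattern: bool = False                   # "Use Fast Pattern Matcher"
    fast_pattern_only: bool = False              # "Fast Pattern Matcher Only"
    fast_pattern_offset_length: Optional[Tuple[int, int]] = None  # "Offset and Length"
    positional: FrozenSet[str] = frozenset()     # subset of POSITIONAL
    http_fields: FrozenSet[str] = frozenset()    # http_* options on this keyword
    base64_data: bool = False                    # keyword inspects Base64 data


def lint_content(c: ContentKeyword) -> List[str]:
    """Return the codes of the restrictions one content keyword violates."""
    errors: List[str] = []
    for raw, norm in RAW_TO_NORMALIZED.items():
        if raw in c.http_fields and norm in c.http_fields:
            errors.append("raw_and_normalized")
    if not c.fast_pattern:
        # Only / Offset and Length are sub-options of Use Fast Pattern Matcher.
        if c.fast_pattern_only or c.fast_pattern_offset_length is not None:
            errors.append("only_or_offset_without_fast_pattern")
        return errors
    if c.negated and c.positional & POSITIONAL:
        errors.append("negated_with_positional")
    # Restricted fields are allowed only alongside an unrestricted one.
    if c.http_fields & RESTRICTED_HTTP and not c.http_fields & UNRESTRICTED_HTTP:
        errors.append("restricted_http_field")
    if c.fast_pattern_only and c.fast_pattern_offset_length is not None:
        errors.append("only_and_offset_length")
    if c.base64_data:
        errors.append("base64_data")
    return errors


def lint_rule(contents: List[ContentKeyword]) -> List[str]:
    """Rule-level check (one fast pattern per rule) plus per-keyword checks."""
    errors: List[str] = []
    if sum(1 for c in contents if c.fast_pattern) > 1:
        errors.append("multiple_fast_patterns")
    for c in contents:
        errors.extend(lint_content(c))
    return errors


def fast_pattern_fields(c: ContentKeyword) -> FrozenSet[str]:
    """Fields the fast pattern matcher searches for this keyword: only the
    unrestricted HTTP fields; restricted ones are left to the rules engine.
    "payload" (a label chosen here) means no HTTP field was selected."""
    if not c.fast_pattern:
        return frozenset()
    if not c.http_fields:
        return frozenset({"payload"})
    return c.http_fields & UNRESTRICTED_HTTP


# Sample keywords, constructed for this example.
COOKIE_AND_HEADER = ContentKeyword("sessionid=", fast_pattern=True,
                                   http_fields=frozenset({"http_cookie", "http_header"}))
METHOD_ONLY = ContentKeyword("GET", fast_pattern=True, http_fields=frozenset({"http_method"}))
NEGATED_DEPTH = ContentKeyword("abc", negated=True, fast_pattern=True,
                               positional=frozenset({"depth"}))
ONLY_AND_OFFSET = ContentKeyword("12345", fast_pattern=True, fast_pattern_only=True,
                                 fast_pattern_offset_length=(0, 5))
RAW_AND_NORMALIZED = ContentKeyword("/x", http_fields=frozenset({"http_raw_uri", "http_uri"}))
BASE64 = ContentKeyword("abc", fast_pattern=True, base64_data=True)

if __name__ == "__main__":
    for kw in (COOKIE_AND_HEADER, METHOD_ONLY, NEGATED_DEPTH, ONLY_AND_OFFSET,
               RAW_AND_NORMALIZED, BASE64):
        print(kw.pattern, lint_content(kw), sorted(fast_pattern_fields(kw)))
    print(lint_rule([ContentKeyword("a", fast_pattern=True), ContentKeyword("b", fast_pattern=True)]))
```

The cookie-plus-header keyword passes the lint, and `fast_pattern_fields` shows the matcher confined to `http_header`, which is exactly the example given in the text; every other sample trips one specific restriction.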