Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 32      Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Note
Make sure that you set the rule state to Generate Events in the inline intrusion policy where you want to use the replace rule; setting the rule to Drop and Generate Events would cause the packet to drop, which would prevent replacing the content.
As part of the string replacement process, the system automatically updates the packet checksums so that the destination host can receive the packet without error.
Note that you cannot use the replace keyword in combination with the HTTP request message content keyword options. See the content keyword sections for more information.
To replace content in an inline deployment:
Access: Admin/Intrusion Admin
Step 1
On the Create Rule page, select content in the drop-down list and click Add Option.
The content keyword appears.
Step 2
Specify the content you want to detect in the content field and, optionally, select any applicable arguments. Note that you cannot use the HTTP request message content keyword options with the replace keyword.
Step 3
Select replace in the drop-down list and click Add Option.
The replace keyword appears beneath the content keyword.
Step 4
Specify the replacement string for the specified content in the replace: field. The replacement string must be the same length as the content it replaces, because the packet length cannot change in flight.
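The following is an added example, not code from the FireSIGHT guide or from Cisco: a small Python model of what the procedure above produces at packet level. It applies a content/replace pair to the TCP payload of a constructed IPv4/TCP packet, enforces the same-length constraint of the Snort replace keyword, and then recomputes the IP header and TCP checksums the way the text says the system does automatically. It also shows what happens when the checksums are left stale: the IP header still validates, but the TCP segment no longer does. The rule text, addresses, ports and payload are constructed for illustration.

```python
# Added example (not from the FireSIGHT guide): a minimal model of what an
# inline "content" + "replace" rule does to a TCP packet, including the
# checksum update the text describes.  Packet layout, addresses and the
# payload are constructed here for illustration.
import struct

# The rule being modelled (Snort rule syntax as used by FireSIGHT; sid is made up):
#   alert tcp any any -> any 514 (msg:"rewrite shell path"; \
#       content:"/bin/sh"; replace:"/ben/sh"; sid:1000001; rev:1;)
IP_HDR_LEN = 20   # no IP options in the constructed packet
TCP_HDR_LEN = 20  # no TCP options in the constructed packet


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def recompute_checksums(pkt: bytes) -> bytes:
    """Zero and recompute the IPv4 header checksum and the TCP checksum
    (which covers the pseudo-header, TCP header and payload)."""
    ip = bytearray(pkt[:IP_HDR_LEN])
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    total_len = struct.unpack("!H", ip[2:4])[0]
    seg = bytearray(pkt[IP_HDR_LEN:total_len])
    seg[16:18] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(seg))
    seg[16:18] = struct.pack("!H", checksum(pseudo + bytes(seg)))
    return bytes(ip) + bytes(seg)


def build_tcp_packet(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Build an IPv4/TCP packet (PSH|ACK, no options) with valid checksums."""
    total_len = IP_HDR_LEN + TCP_HDR_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, src_ip, dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, (TCP_HDR_LEN // 4) << 4, 0x18, 8192, 0, 0)
    return recompute_checksums(ip + tcp + payload)


def verify_checksums(pkt: bytes):
    """Return (ip_ok, tcp_ok); with a correct checksum field the sum verifies to 0."""
    ip = pkt[:IP_HDR_LEN]
    total_len = struct.unpack("!H", ip[2:4])[0]
    seg = pkt[IP_HDR_LEN:total_len]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(ip) == 0, checksum(pseudo + seg) == 0


def replace_is_valid(content: bytes, replacement: bytes) -> bool:
    # Snort's replace requires the replacement to be exactly as long as the
    # matched content: the packet length and sequence numbers must not change.
    return len(content) == len(replacement)


def apply_replace_rule(pkt: bytes, content: bytes, replacement: bytes, fix_checksums: bool = True):
    """Model the inline replace: find content in the TCP payload, overwrite it
    in place, then (as the system does automatically) update the checksums.
    Returns (packet, matched)."""
    if not replace_is_valid(content, replacement):
        raise ValueError("replace string must be the same length as the content")
    hdr_len = IP_HDR_LEN + TCP_HDR_LEN
    payload = pkt[hdr_len:]
    idx = payload.find(content)
    if idx < 0:
        return pkt, False
    new_payload = payload[:idx] + replacement + payload[idx + len(content):]
    new_pkt = pkt[:hdr_len] + new_payload
    return (recompute_checksums(new_pkt) if fix_checksums else new_pkt), True


# Constructed sample: a syslog-style line carrying the string the rule matches.
SAMPLE_PACKET = build_tcp_packet(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
                                 40000, 514, b"exec: /bin/sh -c id\n")

if __name__ == "__main__":
    rewritten, hit = apply_replace_rule(SAMPLE_PACKET, b"/bin/sh", b"/ben/sh")
    print(hit, rewritten[IP_HDR_LEN + TCP_HDR_LEN:], verify_checksums(rewritten))
    stale, _ = apply_replace_rule(SAMPLE_PACKET, b"/bin/sh", b"/ben/sh", fix_checksums=False)
    print(verify_checksums(stale))  # the TCP checksum no longer validates
```

Running the script shows the rewritten payload with both checksums valid, and the stale variant with only the IP header checksum valid; a host receiving the stale packet would discard the segment, which is why the automatic checksum update in the text matters for the replace to be transparent to the destination.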
Using Byte_Jump and Byte_Test
License: Protection
You can use byte_jump and byte_test to calculate where in a packet the rules engine should begin testing for a data match, and which bytes it should evaluate.
You can also use the byte_jump and byte_test DCE/RPC argument to tailor either keyword for traffic processed by the DCE/RPC preprocessor. When you use the DCE/RPC argument, you can also use byte_jump and byte_test in conjunction with other specific DCE/RPC keywords. See the DCE/RPC preprocessor and keyword sections for more information.
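The following is an added example, not code from the FireSIGHT guide or from Cisco: a Python model of how byte_jump moves the detection cursor and how byte_test evaluates a converted byte segment, chained after a content match the way a rule would chain them. The jump semantics (skip measured from the byte after the segment read, align rounding the skip up to a 4-byte boundary, from_beginning measuring from the start of the payload) follow the Snort keyword definitions and are an assumption of this model; the record layout, payloads and the rule itself are constructed for illustration and do not use the DCE/RPC argument.

```python
# Added example (not from the FireSIGHT guide): a small model of the
# byte_test and byte_jump keywords over a constructed payload.
import struct


def _read_field(payload: bytes, cursor: int, num_bytes: int, offset: int, relative: bool, big_endian: bool):
    """Locate and convert the byte segment both keywords operate on.
    Returns (value, position after the segment) or None if it runs off the payload."""
    start = offset + (cursor if relative else 0)
    if start < 0 or start + num_bytes > len(payload):
        return None
    value = int.from_bytes(payload[start:start + num_bytes], "big" if big_endian else "little")
    return value, start + num_bytes


def byte_test(payload: bytes, cursor: int, num_bytes: int, operator: str, value: int, offset: int,
              relative: bool = False, big_endian: bool = True, negate: bool = False) -> bool:
    """byte_test:<num_bytes>,[!]<operator>,<value>,<offset>[,relative][,big|little]
    True when the converted segment satisfies the comparison (negate models the '!' prefix)."""
    field = _read_field(payload, cursor, num_bytes, offset, relative, big_endian)
    if field is None:
        return False
    n, _ = field
    result = {
        "<": n < value, ">": n > value, "=": n == value,
        "&": (n & value) != 0, "^": (n ^ value) != 0,
    }[operator]
    return (not result) if negate else result


def byte_jump(payload: bytes, cursor: int, num_bytes: int, offset: int, relative: bool = False,
              multiplier: int = 1, big_endian: bool = True, align: bool = False,
              from_beginning: bool = False, post_offset: int = 0):
    """byte_jump:<num_bytes>,<offset>[,relative][,multiplier N][,big|little][,align]
    [,from_beginning][,post_offset N]
    Returns the new detection cursor, or None if the jump leaves the payload.
    Assumption: the skip is measured from the byte after the segment read."""
    field = _read_field(payload, cursor, num_bytes, offset, relative, big_endian)
    if field is None:
        return None
    n, end = field
    skip = n * multiplier
    if align:
        skip = (skip + 3) & ~3  # round up to the next 4-byte boundary
    new_cursor = (0 if from_beginning else end) + skip + post_offset
    if new_cursor < 0 or new_cursor > len(payload):
        return None
    return new_cursor


def content_match(payload: bytes, cursor: int, pattern: bytes):
    """content:"..." starting at cursor; returns the cursor after the match or None."""
    idx = payload.find(pattern, cursor)
    return None if idx < 0 else idx + len(pattern)


def rule_matches(payload: bytes) -> bool:
    """Constructed rule: content:"RPC "; byte_jump:2,0,relative; byte_test:2,>,64,0,relative;
    i.e. skip over a length-prefixed name field and flag an oversized argument length."""
    cursor = content_match(payload, 0, b"RPC ")
    if cursor is None:
        return False
    cursor = byte_jump(payload, cursor, 2, 0, relative=True)   # hop over the name field
    if cursor is None:
        return False
    return byte_test(payload, cursor, 2, ">", 64, 0, relative=True)


def make_record(name: bytes, args: bytes) -> bytes:
    """Constructed record layout: magic, 2-byte name length, name, 2-byte arg length, args."""
    return b"RPC " + struct.pack("!H", len(name)) + name + struct.pack("!H", len(args)) + args


BENIGN = make_record(b"statd", b"hello")        # 5-byte argument, should not fire
OVERSIZED = make_record(b"statd", b"A" * 600)   # 600-byte argument, should fire

if __name__ == "__main__":
    print("benign:", rule_matches(BENIGN), "oversized:", rule_matches(OVERSIZED))
```

Because byte_jump reads the name length from the packet instead of assuming a fixed name size, the same rule fires whatever name precedes the argument; the byte_test on the argument length is evaluated at the position the jump computed, not at a fixed offset.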
See the following sections for more information:
  • byte_jump
  • byte_test
byte_jump
License: Protection