FireSIGHT System User Guide
Chapter 32  Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
The byte_jump keyword calculates the number of bytes defined in a specified byte segment, and then skips that number of bytes within the packet, either forward from the end of the specified byte segment, or from the beginning of the packet payload, depending on the options you specify. This is useful in packets where a specific segment of bytes describes the number of bytes included in variable data within the packet.
The following table describes the arguments required by the byte_jump keyword.

Table 32-7  Required byte_jump Arguments

Argument   Description
Bytes      The number of bytes to calculate from the packet.
Offset     The number of bytes into the payload to start processing. The offset counter
           starts at byte 0, so calculate the offset value by subtracting 1 from the
           number of bytes you want to jump forward from the beginning of the packet
           payload or the last successful content match.
           You can also use an existing byte_extract variable to specify the value for
           this argument. See  for more information.

The following table describes options you can use to define how the system interprets the values you specified for the required arguments.

Table 32-8  Additional Optional byte_jump Arguments

Argument          Description
Relative          Makes the offset relative to the last pattern found in the last
                  successful content match.
Align             Rounds the number of converted bytes up to the next 32-bit boundary.
Multiplier        Indicates the value by which the rules engine should multiply the
                  byte_jump value obtained from the packet to get the final byte_jump
                  value. That is, instead of skipping the number of bytes defined in a
                  specified byte segment, the rules engine skips that number of bytes
                  multiplied by an integer you specify with the Multiplier argument.
Post Jump Offset  The number of bytes, -63535 through 63535, to skip forward or backward
                  after applying other byte_jump arguments. A positive value skips
                  forward and a negative value skips backward. Leave the field blank or
                  enter 0 to disable.
                  See the DCE/RPC argument in the  table for byte_jump arguments that
                  do not apply when you select the DCE/RPC argument.
From Beginning    Indicates that the rules engine should skip the specified number of
                  bytes in the payload starting from the beginning of the packet
                  payload, rather than from the end of the byte segment that specifies
                  the number of bytes to skip.

You can specify only one of DCE/RPC, Endian, or Number Type.

If you want to define how the byte_jump keyword calculates the bytes, you can choose from the arguments described in the following table (if neither argument is specified, network byte order is used).
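The following is an added example, not code from the FireSIGHT guide or the rules engine: a small Python model of the cursor arithmetic that the byte_jump arguments above describe, run against a constructed length-prefixed payload so the effect of Offset (counted from byte 0), Relative, Align, Multiplier, Post Jump Offset, From Beginning and the Endian choice can each be checked. The PAYLOAD bytes, the byte_jump and rule_matches function names, and the rule fragment quoted in rule_matches (which also uses the Snort content modifiers distance and within, not covered on this page) are assumptions of this example; only 1-, 2- and 4-byte length fields are modelled.

```python
# Added example (not from the FireSIGHT guide): a model of the cursor
# arithmetic the byte_jump keyword performs, so the effect of each argument
# can be checked against a constructed payload.
import struct
from typing import Optional

# Constructed sample payload: a 3-byte marker, a 2-byte big-endian length (5),
# 5 bytes of variable data, then a 4-byte trailer.
#   index: 0..2 = "HDR", 3..4 = length, 5..9 = "hello", 10..13 = "TAIL"
PAYLOAD = b"HDR" + b"\x00\x05" + b"hello" + b"TAIL"


def byte_jump(payload: bytes, nbytes: int, offset: int, *, cursor: int = 0,
              relative: bool = False, endian: str = "big", multiplier: int = 1,
              align: bool = False, post_offset: int = 0,
              from_beginning: bool = False) -> Optional[int]:
    """Return the cursor position after the jump, or None if it falls outside
    the payload (a rule using the keyword would then fail to match).

    nbytes/offset are the required Bytes and Offset arguments; the keyword-only
    parameters are the optional arguments from Table 32-8. `cursor` is the
    position just after the last content match (used when relative=True).
    Only 1-, 2- and 4-byte fields are modelled (assumption of this example).
    """
    base = cursor if relative else 0
    start = base + offset                     # Offset counts from byte 0
    if start < 0 or start + nbytes > len(payload):
        return None                           # length field not inside payload
    fmt = {1: "B", 2: "H", 4: "I"}[nbytes]
    prefix = ">" if endian == "big" else "<"  # network order unless told otherwise
    value = struct.unpack(prefix + fmt, payload[start:start + nbytes])[0]
    value *= multiplier                       # Multiplier argument
    if align:                                 # Align: round up to 32-bit boundary
        value = (value + 3) & ~3
    if from_beginning:                        # From Beginning: skip from payload start
        new_cursor = value
    else:                                     # default: skip from end of the length field
        new_cursor = start + nbytes + value
    new_cursor += post_offset                 # Post Jump Offset, may be negative
    if new_cursor < 0 or new_cursor > len(payload):
        return None
    return new_cursor


def rule_matches(payload: bytes) -> bool:
    """Model of a hypothetical rule body such as
         content:"HDR"; byte_jump:2,0,relative; content:"TAIL"; distance:0; within:4;
    i.e. the trailer must sit exactly where the length field says the data ends."""
    pos = payload.find(b"HDR")
    if pos < 0:
        return False
    cursor = byte_jump(payload, 2, 0, cursor=pos + 3, relative=True)
    return cursor is not None and payload.startswith(b"TAIL", cursor)


if __name__ == "__main__":
    # The length field is the 4th byte, so its Offset from byte 0 is 3.
    print(byte_jump(PAYLOAD, 2, 3))                           # 10 -> start of "TAIL"
    print(byte_jump(PAYLOAD, 2, 0, cursor=3, relative=True))  # 10, same via relative
    print(byte_jump(PAYLOAD, 2, 3, from_beginning=True))      # 5
    print(byte_jump(PAYLOAD, 2, 3, align=True))               # 13
    print(byte_jump(PAYLOAD, 2, 3, multiplier=2))             # None, jump leaves payload
    print(byte_jump(PAYLOAD, 2, 3, endian="little"))          # None, 0x0500 = 1280
    print(rule_matches(PAYLOAD))                              # True
    print(rule_matches(b"HDR\x00\x09helloXTAIL"))             # False, length field lies
```

The two None results are the cases a rule writer should keep in mind: a multiplier or a wrong byte order that pushes the cursor past the end of the payload makes the keyword fail rather than wrap, so the rule silently stops matching on traffic whose length field does not line up with the assumed encoding.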