Cisco Firepower Management Center 4000
FireSIGHT System User Guide
 
Chapter 32      Understanding and Writing Intrusion Rules
  Understanding Keywords and Arguments in Rules
the rules engine converts the four bytes that appear 13 bytes after the beginning of the packet payload into a number. Then, the engine multiplies that number by two to obtain the total number of bytes to skip. For instance, if the four converted bytes in a specific packet were 00 00 00 1F, the rules engine would convert this to 31, then multiply it by two to get 62. Because From Beginning is enabled, the rules engine counts the jump from the beginning of the packet payload rather than from the current position: it skips the first 62 bytes, so the next relative match begins at byte 62 (the 63rd byte when counting from 1).
To use byte_jump:

Access: Admin/Intrusion Admin

Step 1  Select byte_jump in the drop-down list and click Add Option.

The byte_jump section appears beneath the last keyword you selected.
byte_test

License: Protection

The byte_test keyword converts a specified segment of bytes (1 to 10 bytes) from the packet payload into a number and compares that number to a value you specify, using the operator you specify. The keyword matches when the comparison is true.
The following table describes the required arguments for the byte_test keyword.

You can further define how the system uses byte_test arguments with the optional arguments described in the table that follows it.
Table 32-11  Required byte_test Arguments

Argument: Bytes
Description: The number of bytes to convert from the packet payload. You can specify 1 to 10 bytes.

Argument: Operator and Value
Description: Compares the converted number to the specified value using one of the operators <, >, =, !, &, ^, !>, !<, !=, !&, or !^. A leading ! negates the comparison that follows it, and ! alone is equivalent to !=. For example, if you specify !1024, byte_test converts the specified bytes to a number and, if that number does not equal 1024, generates an event (if all other keyword parameters match). You can also use an existing byte_extract variable to specify the value for this argument. See the description of the byte_extract keyword for more information.

Argument: Offset
Description: The number of bytes into the payload at which to start converting bytes. The offset counter starts at byte 0, so calculate the offset value by subtracting 1 from the number of bytes you want to count forward from the beginning of the packet payload or from the last successful content match. You can also use an existing byte_extract variable to specify the value for this argument. See the description of the byte_extract keyword for more information.
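The following is an added example, not code from the FireSIGHT System or from Snort: a small Python model of how the rules engine evaluates the byte_jump example above (four bytes at offset 13, multiplier 2, From Beginning) and the byte_test arguments in Table 32-11 (1 to 10 bytes, the offset counter starting at 0, the operator set including the ! prefix, and a byte_extract variable standing in for the value). The function names (read_number, evaluate_byte_jump, evaluate_byte_test), the constructed PAYLOAD, and the handling of a byte_jump without From Beginning (jump counted from the end of the converted bytes, which is Snort's documented behaviour but is not stated on this page) are this example's own assumptions.

```python
# Added example (not Cisco or Snort code): a model of byte_jump and byte_test
# evaluation, following the semantics described in this chapter.
import operator

# Core comparison operators. A leading "!" on the rule's operator negates
# the result (handled in evaluate_byte_test); "!" alone means "!=".
OPS = {
    "<": operator.lt,
    ">": operator.gt,
    "=": operator.eq,
    "&": lambda a, b: (a & b) != 0,   # bitwise AND test: any bit in common
    "^": lambda a, b: (a ^ b) != 0,   # bitwise XOR test: any bit differs
}


def read_number(payload, offset, nbytes, endian="big"):
    """Convert nbytes of payload starting at offset (counter starts at 0)
    into an integer. Accepts 1 to 10 bytes; refuses a read past the end."""
    if not 1 <= nbytes <= 10:
        raise ValueError("Bytes must be 1 to 10")
    if offset < 0 or offset + nbytes > len(payload):
        raise ValueError("byte segment runs past the end of the payload")
    return int.from_bytes(payload[offset:offset + nbytes], endian)


def evaluate_byte_jump(payload, cursor, nbytes, offset, multiplier=1,
                       relative=False, from_beginning=False):
    """Return the new cursor position after a byte_jump, or None if the
    jump lands outside the payload. cursor is the position after the last
    content match (0 if there is none)."""
    base = cursor if relative else 0
    skip = read_number(payload, base + offset, nbytes) * multiplier
    if from_beginning:
        new = skip                              # counted from payload start
    else:
        new = base + offset + nbytes + skip     # assumption: counted from the
                                                # end of the converted bytes
    return new if 0 <= new <= len(payload) else None


def evaluate_byte_test(payload, cursor, nbytes, op, value, offset,
                       relative=False, variables=None):
    """Return True when the converted bytes satisfy `op value`.
    op is one of <, >, =, !, &, ^ optionally prefixed with "!" to negate.
    value may be an int or the name of a byte_extract variable."""
    if variables is not None and isinstance(value, str):
        value = variables[value]                # byte_extract substitution
    negate = op.startswith("!")
    core = op.lstrip("!") or "="                # "!" alone is shorthand for "!="
    base = cursor if relative else 0
    number = read_number(payload, base + offset, nbytes)
    result = OPS[core](number, value)
    return (not result) if negate else result


# Constructed payload: 13 bytes of padding, the 4-byte field 00 00 00 1F from
# the byte_jump example above, then filler. 80 bytes in total.
PAYLOAD = b"\x00" * 13 + b"\x00\x00\x00\x1f" + b"A" * 60 + b"END"


def page_byte_jump_example():
    """byte_jump: 4 bytes, offset 13, multiplier 2, From Beginning -> 62."""
    return evaluate_byte_jump(PAYLOAD, cursor=0, nbytes=4, offset=13,
                              multiplier=2, from_beginning=True)


def page_byte_test_example():
    """byte_test "!1024" on the same 4-byte field: 31 != 1024, so it fires."""
    return evaluate_byte_test(PAYLOAD, 0, 4, "!", 1024, 13)


if __name__ == "__main__":
    print("byte_jump lands at byte", page_byte_jump_example())   # 62
    print("byte_test !1024 matches:", page_byte_test_example())  # True
```

The offset convention in the table is visible in the calls: the length field is the 14th byte of the payload, so the rule uses offset 13. The relative form (cursor set to 17, the position just after the length field, with relative=True and offset 0) reads the first filler byte, which is how byte_test is chained after a successful content match.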