Cisco Cisco Firepower Management Center 4000

the rules engine calculates the number described in the four bytes that appear 9 bytes away from (relative 
to) the last successful content match, and, if the calculated number is larger than 128 bytes, the rule is 
triggered. 

Admin/Intrusion Admin

On the Create Rule page, select 

byte_test

 in the drop-down list and click 

.

The 

byte_test

 section appears beneath the last keyword you selected.

Protection

The 

pcre

 keyword allows you to use Perl-compatible regular expressions (PCRE) to inspect packet 

payloads for specified content. You can use PCRE to avoid writing multiple rules to match slight 
variations of the same content. 

Regular expressions are useful when searching for content that could be displayed in a variety of ways. 
The content may have different attributes that you want to account for in your attempt to locate it within 
a packet’s payload.

Note that the regular expression syntax used in intrusion rules is a subset of the full regular expression 
library and varies in some ways from the syntax used in commands in the full library. When adding a 

pcre

 keyword using the rule editor, enter the full value in the following format:

!/pcre/ ismxAEGRBUIPHDMCKSY

where:

! is an optional negation (use this if you want to match patterns that do not match the regular 
expression).

/pcre/

 is a Perl-compatible regular expression.

ismxAEGRBUIPHDMCKSY

 is any combination of modifier options.

Also note that you must escape the characters listed in the following table for the rules engine to interpret 
them correctly when you use them in a PCRE to search for specific content in a packet payload.

# (hash mark)

\#

\x23

; (semicolon)

\;

\x3B

| (vertical bar)

\|

\x7C

: (colon)

\:

\x3A