Cisco Firepower Management Center 4000
32-77 FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Inspecting Packet Characteristics
License: Protection
You can write rules that generate events only against packets with specific packet characteristics. The FireSIGHT System provides the keywords described in the following sections to evaluate packet characteristics.
dsize
License: Protection
The dsize keyword tests the packet payload size. With it, you can use the less than and greater than operators (< and >) to specify a range of values. You can use the following syntax to specify ranges:
>number_of_bytes
<number_of_bytes
number_of_bytes<>number_of_bytes
For example, to indicate a packet size greater than 400 bytes, use >400 as the dsize value. To indicate a packet size of less than 500 bytes, use <500. To specify that the rule trigger against any packet between 400 and 500 bytes inclusive, use 400<>500.
Caution: The dsize keyword tests packets before they are decoded by any preprocessors.
isdataat
License: Protection
The isdataat keyword instructs the rules engine to verify that data resides at a specific location in the payload.
The following table lists the arguments you can use with the isdataat keyword.
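The following is an added example, not code from the FireSIGHT guide or the Snort rules engine: it parses the three dsize range forms documented above and evaluates them against constructed payloads, treating A<>B as inclusive as the guide states, and adds a minimal isdataat check that assumes a single absolute offset argument (the guide's argument table is not reproduced on this page).

```python
import re
from typing import Optional, Tuple

# Added example, not Cisco or Snort code: evaluates the dsize range syntax from
# the guide against constructed payloads, plus a minimal isdataat offset check.
_DSIZE_RE = re.compile(
    r"^\s*(?:(?P<op>[<>])\s*(?P<n>\d+)|(?P<lo>\d+)\s*<>\s*(?P<hi>\d+))\s*$"
)

def parse_dsize(arg: str) -> Tuple[Optional[int], Optional[int]]:
    """Turn a dsize argument into inclusive (low, high) bounds; None = unbounded.
    '>N'   -> (N + 1, None)  payload strictly larger than N bytes
    '<N'   -> (None, N - 1)  payload strictly smaller than N bytes
    'A<>B' -> (A, B)         A to B inclusive, as the guide states
    """
    m = _DSIZE_RE.match(arg)
    if not m:
        raise ValueError(f"invalid dsize argument: {arg!r}")
    if m.group("op") == ">":
        return int(m.group("n")) + 1, None
    if m.group("op") == "<":
        return None, int(m.group("n")) - 1
    lo, hi = int(m.group("lo")), int(m.group("hi"))
    if lo > hi:
        raise ValueError(f"dsize range low bound exceeds high bound: {arg!r}")
    return lo, hi

def dsize_matches(arg: str, payload: bytes) -> bool:
    """True when len(payload) satisfies the dsize argument.
    Per the guide's caution, dsize sees the packet before any preprocessor
    decodes it, so `payload` should be the raw, unreassembled packet payload.
    """
    lo, hi = parse_dsize(arg)
    size = len(payload)
    return (lo is None or size >= lo) and (hi is None or size <= hi)

def isdataat_matches(offset: int, payload: bytes) -> bool:
    """True when a payload byte exists at the absolute 0-based `offset`.
    Assumption: only the plain absolute-offset form is modelled here; the
    guide's full argument table for isdataat is not reproduced on this page.
    """
    return 0 <= offset < len(payload)

if __name__ == "__main__":
    # Constructed payloads, one per rule example in the guide.
    for arg, size in ((">400", 401), ("<500", 499), ("400<>500", 500)):
        print(f"dsize:{arg}; vs {size}-byte payload -> {dsize_matches(arg, b'A' * size)}")
```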