Cisco Firepower Management Center 4000
32-78
FireSIGHT System User Guide
Chapter 32      Understanding and Writing Intrusion Rules 
  Understanding Keywords and Arguments in Rules
For example, in a rule searching for the content foo, if the value for isdataat is specified as the following:
  • Offset = !10
  • Relative = enabled
The system alerts if the rules engine does not detect 10 bytes after foo before the payload ends.
To use isdataat:
Access: Admin/Intrusion Admin
Step 1    On the Create Rule page, select isdataat in the drop-down list and click Add Option.
The isdataat section appears.
sameip
License: Protection
The sameip keyword tests that a packet’s source and destination IP addresses are the same. It does not take an argument.
fragoffset
License: Protection
Table 32-44    isdataat Arguments

Offset (Required)
    The specific location in the payload. For example, to test that data appears at byte 50 in the packet payload, you would specify 50 as the offset value. The ! modifier negates the results of the isdataat test; it alerts if a certain amount of data is not present within the payload.
    You can also use an existing byte_extract variable to specify the value for this argument. See  for more information.

Relative (Optional)
    Makes the location relative to the last successful content match. If you specify a relative location, note that the counter starts at byte 0, so calculate the location by subtracting 1 from the number of bytes you want to move forward from the last successful content match. For example, to specify that the data must appear at the ninth byte after the last successful content match, you would specify a relative offset of 8.

Raw Data (Optional)
    Specifies that the data is located in the original packet payload before decoding or application layer normalization by any FireSIGHT System preprocessor. You can use this argument with Relative if the previous content match was in the raw packet data.
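The following Python is an added illustration, not code from this guide or from the FireSIGHT rules engine, of how the isdataat test described in Table 32-44 and the sameip test evaluate against a packet. It applies the "counter starts at byte 0" rule literally, so a relative offset of 8 requires a ninth byte after the last content match, and the ! modifier inverts the result. The function names (content_match, isdataat, rule_foo_isdataat, sameip), the IsDataAt class and the sample payloads are constructed for this example; the Snort-syntax rule quoted in the comment is only a reference for the option spelling.

```python
# Added illustration of how the isdataat and sameip rule options evaluate against
# a packet. Not code from the FireSIGHT guide or from Snort: the helper functions,
# class and sample payloads are constructed here; only the option names are Snort's.
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class IsDataAt:
    """Arguments of one isdataat option as Table 32-44 describes them."""
    offset: int             # byte position that must (or, with "!", must not) exist
    negated: bool = False   # the "!" modifier
    relative: bool = False  # count from the end of the last successful content match


def content_match(payload: bytes, pattern: bytes) -> Optional[int]:
    """Emulate a content match: return the cursor just past the first occurrence
    of pattern (the position later relative options measure from), or None."""
    idx = payload.find(pattern)
    return None if idx < 0 else idx + len(pattern)


def isdataat(payload: bytes, opt: IsDataAt, cursor: int = 0) -> bool:
    """Evaluate one isdataat option. The counter starts at byte 0 at the base
    position, so offset 8 with Relative means the ninth byte after the last
    content match must exist. The "!" modifier inverts the outcome."""
    base = cursor if opt.relative else 0
    present = base + opt.offset < len(payload)
    return (not present) if opt.negated else present


def rule_foo_isdataat(payload: bytes, opt: IsDataAt) -> bool:
    """Evaluate the page's example: content "foo" followed by an isdataat option.
    Returns True when the rule would alert on this payload."""
    cursor = content_match(payload, b"foo")
    if cursor is None:
        return False  # content did not match, so later options are never evaluated
    return isdataat(payload, opt, cursor)


def sameip(src: str, dst: str) -> bool:
    """sameip takes no argument: alert when source and destination IP are equal.
    Parsing through ipaddress normalizes textual variants (e.g. IPv6 zero groups)."""
    return ipaddress.ip_address(src) == ipaddress.ip_address(dst)


if __name__ == "__main__":
    # Snort-syntax equivalent of the page's example, for reference only:
    #   alert tcp any any -> any any (content:"foo"; isdataat:!10,relative; sid:1000001;)
    short = b"GET foo\r\n"           # constructed: only 2 bytes follow "foo"
    long_ = b"GET foo" + b"A" * 40   # constructed: plenty of data follows "foo"
    neg10 = IsDataAt(offset=10, negated=True, relative=True)
    print(rule_foo_isdataat(short, neg10))  # True: too little data after foo, alert
    print(rule_foo_isdataat(long_, neg10))  # False: enough data present, no alert
    print(sameip("10.0.0.1", "10.0.0.1"))   # True
```

Running the module prints the alert decision for a short and a long constructed payload under the page's Offset = !10, Relative = enabled example; the relative-offset-8 case can be checked the same way by building a payload with exactly eight versus nine bytes after foo.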