Cisco Cisco Firepower Management Center 4000
32-80
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
This is useful, for example, for extracting data size from packets where a specific segment of bytes describes the number of bytes included in data within the packet. For example, a specific segment of bytes might say that subsequent data is comprised of four bytes; you can extract the data size of four bytes to use as your variable value.
You can use byte_extract to create up to two separate variables in a rule concurrently. You can redefine a byte_extract variable any number of times; entering a new byte_extract keyword with the same variable name and a different variable definition overwrites the previous definition of that variable.

The following table describes the arguments required by the byte_extract keyword.
To further define how the system locates the data to extract, you can use the arguments described in the following table. You can specify only one of DCE/RPC, Endian, or Number Type.
To define how the byte_extract keyword calculates the bytes it tests, you can choose from the arguments in the following table. The rules engine uses big endian byte order if you do not select either argument.
Table 32-46 Required byte_extract Arguments

Bytes to Extract
    The number of bytes to extract from the packet. You can specify 1, 2, 3, or 4 bytes.

Offset
    The number of bytes into the payload to begin extracting data. You can specify -65534 to 65535 bytes. The offset counter starts at byte 0, so calculate the offset value by subtracting 1 from the number of bytes you want to count forward. For example, specify 7 to count forward 8 bytes. The rules engine counts forward from the beginning of the packet payload or, if you also specify Relative, after the last successful content match. Note that you can specify negative numbers only when you also specify Relative; see the table for more information.

Variable Name
    The variable name to use in arguments for other detection keywords. You can specify an alphanumeric string that must begin with a letter.
Table 32-47 Additional Optional byte_extract Arguments

Multiplier
    A multiplier for the value extracted from the packet. You can specify 0 to 65535. If you do not specify a multiplier, the default value is 1.

Align
    Rounds the extracted value to the nearest 2-byte or 4-byte boundary. When you also select Multiplier, the system applies the multiplier before the alignment.

Relative
    Makes Offset relative to the end of the last successful content match instead of the beginning of the payload. See the table for more information.
Table 32-48 Endianness byte_extract Arguments

Big Endian
    Processes data in big endian byte order, which is the default network byte order.
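The following is an added example, not code from the FireSIGHT guide or the rules engine: a small Python model of the byte_extract arguments described in the three tables above (bytes to extract, offset, Relative, Multiplier, Align, endianness), run against a constructed payload whose 2-byte length field announces the size of the data that follows. The class name, the payload and the helper functions are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ByteExtract:
    """Hypothetical model of the byte_extract keyword's arguments (added example)."""
    bytes_to_extract: int      # 1, 2, 3 or 4
    offset: int                # -65534..65535; negative only with relative
    relative: bool = False     # count from the end of the last content match
    multiplier: int = 1        # 0..65535, applied before alignment
    align: int = 0             # 0 (no alignment), 2 or 4
    big_endian: bool = True    # default network byte order

    def __post_init__(self) -> None:
        if not 1 <= self.bytes_to_extract <= 4:
            raise ValueError("bytes to extract must be 1-4")
        if not -65534 <= self.offset <= 65535:
            raise ValueError("offset must be -65534..65535")
        if self.offset < 0 and not self.relative:
            raise ValueError("negative offset requires Relative")
        if not 0 <= self.multiplier <= 65535:
            raise ValueError("multiplier must be 0..65535")
        if self.align not in (0, 2, 4):
            raise ValueError("align must be 2 or 4")

    def run(self, payload: bytes, last_match_end: int = 0) -> Optional[int]:
        """Return the variable value, or None if the read falls outside the payload."""
        base = last_match_end if self.relative else 0   # offset counter starts at byte 0
        start = base + self.offset
        end = start + self.bytes_to_extract
        if start < 0 or end > len(payload):
            return None
        value = int.from_bytes(payload[start:end], "big" if self.big_endian else "little")
        value *= self.multiplier                        # multiplier first, then alignment
        if self.align:
            # Assumption: align rounds up to the next boundary, as the Snort keyword does.
            value = -(-value // self.align) * self.align
        return value


# Constructed payload: 4-byte tag "DATA", 2-byte big-endian length (5), then 5 data bytes.
PAYLOAD = b"DATA" + (5).to_bytes(2, "big") + b"hello"


def data_length(payload: bytes = PAYLOAD) -> Optional[int]:
    """Relative extraction: 2 bytes at offset 0 after a content match on "DATA"."""
    match_end = payload.find(b"DATA") + len(b"DATA")
    return ByteExtract(2, 0, relative=True).run(payload, match_end)


def aligned_length(payload: bytes = PAYLOAD) -> Optional[int]:
    """Same field from an absolute offset, times 2, rounded to a 4-byte boundary."""
    return ByteExtract(2, 4, multiplier=2, align=4).run(payload)
```

Running data_length() returns 5, the announced data size, while aligned_length() returns 12 (5 x 2 = 10, aligned to 4); reading the same two bytes as little endian yields 1280.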