FireSIGHT System User Guide, page 32-81

Chapter 32  Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Table 32-48  Endianness byte_extract Arguments (continued)

Argument: Little Endian
Description: Processes data in little endian byte order.

Argument: DCE/RPC
Description: Specifies a byte_extract keyword for traffic processed by the DCE/RPC preprocessor. See for more information. The DCE/RPC preprocessor determines big endian or little endian byte order, and the Number Type and Endian arguments do not apply. When you enable this argument, you can also use byte_extract in conjunction with other specific DCE/RPC keywords. See for more information. The DCE/RPC preprocessor must be enabled to allow processing of rules that include this option. When the DCE/RPC preprocessor is disabled and you enable rules that use this option, you are prompted whether to enable the preprocessor when you save the policy. See .

You can specify a number type to read data as an ASCII string. To define how the system views string data in a packet, you can select one of the arguments in the following table.

Table 32-49  Number Type byte_extract Arguments

Argument: Hexadecimal String
Description: Reads extracted string data in hexadecimal format.

Argument: Decimal String
Description: Reads extracted string data in decimal format.

Argument: Octal String
Description: Reads extracted string data in octal format.

For example, if the value for byte_extract is specified as the following:
  • Bytes to Extract = 4
  • Variable Name = var
  • Offset = 8
  • Relative = enabled
the rules engine reads the number described in the four bytes that appear 9 bytes away from (relative to) the last successful content match into a variable named var, which you can specify later in the rule as the value for certain keyword arguments.

The following table lists the keyword arguments where you can specify a variable defined in the byte_extract keyword.

Table 32-50  Arguments Accepting a byte_extract Variable

Keyword: content
Argument: Depth, Offset, Distance, Within. See for more information.

Keyword: byte_jump
Argument: Offset. See for more information.
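The following Python model, added here as an illustration and not code from the guide or from the FireSIGHT rules engine, walks through the byte_extract example above: a relative read of four bytes at offset 8 after a content match, the Endian and Number Type arguments, and reuse of the extracted variable as the Depth argument of a later content check. The payloads, the `content_match` helper and the rule in `rule_matches` are constructed for this example and simplify the real engine's detection-pointer handling.

```python
import struct
from typing import Optional

# Constructed sample payloads (not from the guide). In BINARY, a 4-byte
# big-endian length field sits 8 bytes after the end of the "MAGIC" marker;
# in ASCII, the length is carried as a 4-character text field.
BINARY = b"\x01\x02MAGIC" + b"PADDING!" + struct.pack(">I", 6) + b"hello!" + b"\x00\x00"
ASCII = b"LEN=0010;hello!"

NUMBER_TYPE_BASE = {"hex": 16, "dec": 10, "oct": 8}  # Table 32-49 string types

def content_match(payload: bytes, pattern: bytes, start: int = 0,
                  depth: Optional[int] = None) -> Optional[int]:
    """Search for pattern from start (optionally only within depth bytes);
    return the index just past the match, or None when it is absent."""
    stop = len(payload) if depth is None else start + depth
    idx = payload.find(pattern, start, stop)
    return None if idx < 0 else idx + len(pattern)

def byte_extract(payload: bytes, bytes_to_extract: int, offset: int, *,
                 relative: bool = False, last_match_end: int = 0,
                 little_endian: bool = False,
                 number_type: Optional[str] = None) -> int:
    """Model of byte_extract: read bytes_to_extract bytes at offset, counted
    from the end of the last content match when relative is enabled."""
    start = (last_match_end if relative else 0) + offset
    chunk = payload[start:start + bytes_to_extract]
    if len(chunk) != bytes_to_extract:
        raise ValueError("byte_extract would read past the end of the payload")
    if number_type is None:  # binary number: honour the Endian argument
        return int.from_bytes(chunk, "little" if little_endian else "big")
    # Hexadecimal/Decimal/Octal String: parse the bytes as ASCII digits
    return int(chunk.decode("ascii"), NUMBER_TYPE_BASE[number_type])

def rule_matches(payload: bytes) -> bool:
    """Hypothetical rule: content "MAGIC"; byte_extract 4 bytes at relative
    offset 8 into var; then content "hello!" with Depth = var, searched from
    the end of the extracted length field."""
    end = content_match(payload, b"MAGIC")
    if end is None:
        return False
    var = byte_extract(payload, 4, 8, relative=True, last_match_end=end)
    field_end = end + 8 + 4  # offset 8 plus the 4 extracted bytes
    return content_match(payload, b"hello!", start=field_end, depth=var) is not None
```

Running `rule_matches(BINARY)` returns True because the extracted length (6) covers the whole of "hello!"; a payload whose length field says 5 fails the depth-limited check.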