Cisco Firepower Management Center 4000
32-91
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
The next rule fragment looks for a LIST string, but does not generate an event unless the logged_in state
has been set as a result of some previous packet in the session:
alert tcp any any -> any 143 (msg:"IMAP LIST"; content:"LIST"; flowbits:isset,logged_in;)
The following diagram illustrates the effect of the flowbits keyword in the preceding rule fragment (diagram omitted):
In this case, if a previous packet has caused a rule containing the first fragment to trigger, then a rule
containing the second fragment triggers and generates an event.
flowbits Example Resulting in a False Positive
Placing the state names that different rules set into a common group can prevent false positive events that might otherwise occur when content in a subsequent packet matches a rule whose required state is no longer valid. The following example illustrates how you can get false positives when you do not put the related state names in a group.
Consider the case where the following three rule fragments trigger in the order shown during a single
session:
(msg:"JPEG transfer"; content:"image/"; pcre:"/^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2fp?jpe?g/smi"; flowbits:set,http.jpeg; flowbits:noalert;)
The following diagram illustrates the effect of the flowbits keyword in the preceding rule fragment (diagram omitted):
The content and pcre keywords in the first rule fragment match a JPEG file download, flowbits:set,http.jpeg sets the http.jpeg flowbits state, and flowbits:noalert stops the rule from generating events. No event is generated because the rule's purpose is to detect the file download and set the flowbits state so one or more companion rules can test for the state name in combination with malicious content and generate events when malicious content is detected.
The next rule fragment detects a GIF file download subsequent to the JPEG file download above:
(msg:"GIF transfer"; content:"image/"; pcre:"/^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2fgif/smi"; flowbits:set,http.gif,image_downloads; flowbits:noalert;)
The following diagram illustrates the effect of the flowbits keyword in the preceding rule fragment (diagram omitted):
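To make the two scenarios on this page concrete, the following is an added example, not code from the FireSIGHT guide or from the Snort project: a small Python model of per-session flowbits state that replays constructed packets through rule fragments. It covers both the IMAP LIST fragment gated on logged_in (the rule that sets logged_in is assumed here, since the guide's version is on an earlier page) and the JPEG/GIF false positive. The companion rule that alerts on the string SUSPECT_MARKER, and all packet contents, are constructed for this example. The modelling assumption is that setting a state that belongs to a group clears the group's other states, while a state set without a group is only cleared explicitly.

```python
import re

# Added example (not from the FireSIGHT guide): a minimal model of per-session
# flowbits state. "Packets" are constructed decoded-payload strings.
# Modelling assumption: setting a state inside a group clears that group's
# other states; a state set without a group stays set until cleared explicitly.


class FlowbitsSession:
    """Per-session flowbits state, as the engine keeps it per flow."""

    def __init__(self):
        self.states = set()
        self.groups = {}  # group name -> names of states registered in it

    def set(self, state, group=None):
        if group is not None:
            members = self.groups.setdefault(group, set())
            members.add(state)
            self.states -= members  # the new group member supersedes the others
        self.states.add(state)

    def isset(self, state):
        return state in self.states


class Rule:
    """msg plus the content/pcre/flowbits options of one rule fragment."""

    def __init__(self, msg, content, pcre=None, flowbits=()):
        self.msg = msg
        self.content = content
        self.pcre = re.compile(pcre, re.S | re.M | re.I) if pcre else None  # /smi
        self.flowbits = flowbits  # ("set", state[, group]) | ("isset", state) | ("noalert",)

    def evaluate(self, packet, session):
        """Apply the rule to one packet; True means an event is generated."""
        if self.content not in packet:
            return False
        if self.pcre and not self.pcre.search(packet):
            return False
        alert = True
        for op in self.flowbits:  # options are processed left to right
            if op[0] == "isset" and not session.isset(op[1]):
                return False
            if op[0] == "set":
                session.set(op[1], op[2] if len(op) > 2 else None)
            if op[0] == "noalert":
                alert = False
        return alert


def run_session(rules, packets):
    """Replay the packets of one session through the rules; return event msgs."""
    session = FlowbitsSession()
    events = []
    for packet in packets:
        for rule in rules:
            if rule.evaluate(packet, session):
                events.append(rule.msg)
    return events


JPEG_PCRE = r"^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2fp?jpe?g"
GIF_PCRE = r"^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2fgif"

# Constructed responses for one HTTP session: a JPEG, then a GIF whose body
# happens to carry the string the (hypothetical) companion rule looks for.
JPEG_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\xff\xe0JFIF"
GIF_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a SUSPECT_MARKER"


def image_rules(jpeg_group=None):
    """The guide's two fragments plus a hypothetical companion rule (ours, not
    the guide's) that should alert on SUSPECT_MARKER only inside a JPEG."""
    jpeg_set = ("set", "http.jpeg") + ((jpeg_group,) if jpeg_group else ())
    return [
        Rule("JPEG transfer", "image/", JPEG_PCRE, (jpeg_set, ("noalert",))),
        Rule("GIF transfer", "image/", GIF_PCRE,
             (("set", "http.gif", "image_downloads"), ("noalert",))),
        Rule("JPEG with SUSPECT_MARKER", "SUSPECT_MARKER", None,
             (("isset", "http.jpeg"),)),
    ]


def false_positive_events():
    """http.jpeg is set outside the group, so the GIF download never clears it."""
    return run_session(image_rules(), [JPEG_RESPONSE, GIF_RESPONSE])


def grouped_events():
    """http.jpeg joins image_downloads; setting http.gif clears it first."""
    return run_session(image_rules("image_downloads"), [JPEG_RESPONSE, GIF_RESPONSE])


# The IMAP LIST fragment from this section, gated on logged_in. The rule that
# sets logged_in is assumed (constructed): it matches an "OK LOGIN" server reply.
IMAP_RULES = [
    Rule("IMAP login", "OK LOGIN", None, (("set", "logged_in"), ("noalert",))),
    Rule("IMAP LIST", "LIST", None, (("isset", "logged_in"),)),
]


def imap_events(login_seen):
    packets = ["* OK IMAP4rev1 ready", "a001 OK LOGIN completed"] if login_seen else []
    return run_session(IMAP_RULES, packets + ['a002 LIST "" "*"'])


if __name__ == "__main__":
    print(false_positive_events())  # ['JPEG with SUSPECT_MARKER']: fired on the GIF
    print(grouped_events())         # []
    print(imap_events(False), imap_events(True))  # [] ['IMAP LIST']
```

Without the group, the stale http.jpeg state outlives the JPEG response and the companion rule fires on the GIF body; with http.jpeg registered in image_downloads, setting http.gif clears it and the false positive disappears. The model evaluates rules in list order within each packet, which is a simplification of the real engine and is what lets the GIF rule clear the state before the companion rule checks it.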