FireSIGHT System User Guide
Chapter 32      Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
The content and pcre keywords in the second rule match the GIF file download, flowbits:set,http.gif sets the http.gif flowbit state, and flowbits:noalert stops the rule from generating an event. Note that the http.jpeg state set by the first rule fragment is still set even though it is no longer needed; this is because the JPEG download must have ended if a subsequent GIF download has been detected.
The third rule fragment is a companion to the first rule fragment:

(msg:"JPEG exploit"; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/";)
The following diagram illustrates the effect of the flowbits keyword in the preceding rule fragment:
In the third rule fragment, flowbits:isset,http.jpeg determines that the now-irrelevant http.jpeg state is set, and content and pcre match content that would be malicious in a JPEG file but not in a GIF file. The third rule fragment therefore results in a false positive event for a nonexistent exploit in a JPEG file.
flowbits Example for Preventing False Positives
The following example illustrates how including state names in a group and using the setx operator can prevent false positives. Consider the same case as the previous example, except that the first two rules now include their two different state names in the same state group.
(msg:"JPEG transfer"; content:"image/"; pcre:"/^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2fp?jpe?g/smi"; flowbits:setx,http.jpeg,image_downloads; flowbits:noalert;)
The following diagram illustrates the effect of the flowbits keyword in the preceding rule fragment:
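To make the difference between the two examples concrete, the following added Python script models the four flowbits operators this section discusses (set, setx, isset, noalert) and replays the three rule fragments over one constructed HTTP flow. It is an illustration written for this page, not the FireSIGHT or Snort detection engine; the GIF transfer fragment's pcre and the sample traffic are constructed here, since the page names the second rule but does not print it. With plain set the "JPEG exploit" fragment fires on harmless GIF data because http.jpeg is still set; with setx in the image_downloads group, setting http.gif clears http.jpeg and the false positive disappears.

```python
import re

# Minimal model of the flowbits operators the page discusses (set, setx,
# isset, noalert). Added example, not the FireSIGHT/Snort engine itself.


class Flow:
    """Flowbit state carried across the packets of one flow."""

    def __init__(self, groups):
        self.bits = set()     # flowbit states currently set on this flow
        self.groups = groups  # group name -> set of state names in that group

    def set(self, state):
        self.bits.add(state)

    def setx(self, state, group):
        # setx: set the state and clear every other state in the same group
        self.bits -= self.groups.get(group, set()) - {state}
        self.bits.add(state)

    def isset(self, state):
        return state in self.bits


class Rule:
    """One rule fragment: msg, optional content, optional pcre, flowbits ops."""

    def __init__(self, msg, content=None, pcre=None, flags=0, flowbits=()):
        self.msg = msg
        self.content = content
        self.pcre = re.compile(pcre, flags) if pcre else None
        self.flowbits = list(flowbits)  # e.g. ("set", "http.gif"), ("noalert",)

    def evaluate(self, payload, flow):
        """Return True if the rule would generate an event for this payload."""
        # isset is a detection condition: the rule fails if the state is unset
        for op in self.flowbits:
            if op[0] == "isset" and not flow.isset(op[1]):
                return False
        if self.content is not None and self.content not in payload:
            return False
        if self.pcre is not None and not self.pcre.search(payload):
            return False
        # All detection options matched: apply state changes, then decide on alerting
        alert = True
        for op in self.flowbits:
            if op[0] == "set":
                flow.set(op[1])
            elif op[0] == "setx":
                flow.setx(op[1], op[2])
            elif op[0] == "noalert":
                alert = False
        return alert


def group_map(rules):
    """Collect the static group membership declared by the rules' setx options."""
    groups = {}
    for rule in rules:
        for op in rule.flowbits:
            if op[0] == "setx":
                groups.setdefault(op[2], set()).add(op[1])
    return groups


HDR_FLAGS = re.S | re.M | re.I  # the /smi modifiers of the page's pcre
CT = rb"^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2f"
EXPLOIT = rb"\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]"


def build_rules(use_group):
    """The three fragments; with use_group the first two use setx in image_downloads.
    The GIF fragment's pcre is constructed here (the page names but does not show it)."""
    if use_group:
        jpeg_fb = ("setx", "http.jpeg", "image_downloads")
        gif_fb = ("setx", "http.gif", "image_downloads")
    else:
        jpeg_fb = ("set", "http.jpeg")
        gif_fb = ("set", "http.gif")
    return [
        Rule("JPEG transfer", b"image/", CT + rb"p?jpe?g", HDR_FLAGS, [jpeg_fb, ("noalert",)]),
        Rule("GIF transfer", b"image/", CT + rb"gif", HDR_FLAGS, [gif_fb, ("noalert",)]),
        Rule("JPEG exploit", b"\xFF", EXPLOIT, 0, [("isset", "http.jpeg")]),
    ]


# Constructed traffic for one flow: a JPEG response, then a GIF response whose
# body happens to carry bytes that match the JPEG exploit pattern.
TRAFFIC = [
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n\xFF\xD8\xFF\xE0\x00\x10JFIF",
    b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a",
    b"\xFF\xE1\x00\x00 trailing gif data",  # harmless in a GIF
]


def run(use_group):
    """Return the messages of every rule that generates an event over TRAFFIC."""
    rules = build_rules(use_group)
    flow = Flow(group_map(rules))
    events = []
    for payload in TRAFFIC:
        for rule in rules:
            if rule.evaluate(payload, flow):
                events.append(rule.msg)
    return events


if __name__ == "__main__":
    print("set only  :", run(False))  # ['JPEG exploit'] (false positive)
    print("setx/group:", run(True))   # []
```

Running the script prints the false positive for the set-only rules and nothing for the grouped setx rules. The model keeps group membership static, derived from the rules' setx declarations, so clearing works regardless of which state happened to be set first on the flow.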