FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Cisco Firepower Management Center 4000, page 32-94
You must also configure the preprocessor to inspect HTTP responses and HTTP cookies to return matches for these. See and for more information.
Also, you must enable both the decoding and alerting option for each specific encoding type in your HTTP Inspect preprocessor configuration for the http_encode keyword in an intrusion rule to trigger events on that encoding type. See for more information.
Note that the base36 encoding type has been deprecated. For backward compatibility, the base36 argument is allowed in existing rules, but it does not cause the rules engine to inspect base36 traffic.
The following table describes the encoding types this option can generate events for in HTTP URIs, headers, cookies, and set-cookies:

Table 32-57 http_encode Encoding Types

Encoding Type   Description
utf8            Detects UTF-8 encoding in the specified location when this encoding type is enabled for decoding by the HTTP Inspect preprocessor.
double_encode   Detects double encoding in the specified location when this encoding type is enabled for decoding by the HTTP Inspect preprocessor.
non_ascii       Detects non-ASCII characters in the specified location when non-ASCII characters are detected but the detected encoding type is not enabled.
uencode         Detects Microsoft %u encoding in the specified location when this encoding type is enabled for decoding by the HTTP Inspect preprocessor.
bare_byte       Detects bare byte encoding in the specified location when this encoding type is enabled for decoding by the HTTP Inspect preprocessor.

To identify the HTTP encoding type and location in an intrusion rule:

Access: Admin/Intrusion Admin

Step 1  Add the http_encode keyword to a rule.

Step 2  From the Encoding Location drop-down list, select whether to search for the specified encoding type in an HTTP URI, header, or cookie, including a set-cookie.

Step 3  Specify one or more encoding types using one of the following formats:
    encode_type
    encode_type|encode_type|encode_type...
    !encode_type
where encode_type is one of the following:
    utf8, double_encode, non_ascii, uencode, bare_byte
Note that you cannot use the negation (!) and OR (|) operators together.

Step 4  Optionally, add multiple http_encode keywords to the same rule to AND the conditions for each. For example, enter two keywords with the following conditions:
First http_encode keyword:
  • Encoding Location: HTTP URI
  • Encoding Type: utf8
Additional http_encode keyword:
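The following Python model, added here as an illustration and not Cisco or Snort code, applies the http_encode argument grammar from Step 3 (OR with |, negation with !, never both; base36 accepted but ignored) and the AND semantics from Step 4 to constructed request fields. The encoding-classification heuristics and the requirement that a type be enabled in the preprocessor before it can generate an event are simplifying assumptions, not the HTTP Inspect preprocessor's actual logic.

```python
import re
# Added model of the http_encode semantics described above; not Cisco/Snort code.
# The classification heuristics are simplified assumptions, not HTTP Inspect's logic.
VALID_TYPES = {"utf8", "double_encode", "non_ascii", "uencode", "bare_byte"}
DEPRECATED = {"base36"}                  # still accepted in rules, never inspected
LOCATIONS = {"uri", "header", "cookie"}  # "cookie" also covers set-cookie

def parse_http_encode(location, arg):
    """Validate one keyword: encode_type, a|b|c..., or !encode_type."""
    if location not in LOCATIONS:
        raise ValueError(f"unknown Encoding Location: {location}")
    negate = arg.startswith("!")
    types = (arg[1:] if negate else arg).split("|")
    if negate and len(types) > 1:
        raise ValueError("the negation (!) and OR (|) operators cannot be combined")
    unknown = set(types) - VALID_TYPES - DEPRECATED
    if unknown:
        raise ValueError(f"unknown encode_type: {sorted(unknown)}")
    return {"location": location, "negate": negate, "types": set(types) - DEPRECATED}

def classify(field, enabled):
    """Heuristically name encodings in a raw field; only enabled types raise events."""
    found = set()
    if re.search(rb"%u[0-9a-fA-F]{4}", field):
        found.add("uencode")                       # Microsoft %uXXXX form
    if re.search(rb"%25[0-9a-fA-F]{2}", field):
        found.add("double_encode")                 # a percent-encoded '%'
    if re.search(rb"%[c-fC-F][0-9a-fA-F]%[89a-bA-B][0-9a-fA-F]", field):
        found.add("utf8")                          # %-escaped UTF-8 lead + continuation
    if any(b >= 0x80 for b in field):
        # raw high-bit bytes: bare_byte when that decoder is on, otherwise non_ascii
        found.add("bare_byte" if "bare_byte" in enabled else "non_ascii")
    return found & enabled

def keyword_matches(kw, field, enabled):
    hit = bool(kw["types"] & classify(field, enabled))   # | inside a keyword is OR
    return not hit if kw["negate"] else hit

def rule_matches(keywords, fields, enabled):
    """Multiple http_encode keywords in one rule are ANDed (Step 4)."""
    return all(keyword_matches(k, fields[k["location"]], enabled) for k in keywords)

# Constructed sample request fields, keyed by Encoding Location (not real traffic)
SAMPLE_FIELDS = {"uri": b"/search?q=caf%c3%a9&id=%u0041",   # utf8 + uencode
                 "header": b"User-Agent: Mozilla/5.0",       # plain ASCII
                 "cookie": b"session=%2541\xe9"}             # double_encode + raw byte
ENABLED = {"utf8", "double_encode", "non_ascii", "uencode", "bare_byte"}
def demo():
    rule = [parse_http_encode("uri", "utf8"), parse_http_encode("cookie", "double_encode")]
    return rule_matches(rule, SAMPLE_FIELDS, ENABLED)
```

Disabling bare_byte in ENABLED turns the cookie's raw 0xE9 byte into a non_ascii hit instead, mirroring the table's description of non_ascii.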