Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 32: Understanding and Writing Intrusion Rules
base64_data
License: Protection
The base64_data keyword provides a reference for inspecting Base64 data decoded using the base64_decode keyword. The base64_data keyword sets inspection to begin at the start of the decoded Base64 data. Optionally, you can then use the positional arguments available for other keywords such as content or byte_test to further specify the location to inspect.
You must use the base64_data keyword at least once after using the base64_decode keyword; optionally, you can use base64_data multiple times to return to the beginning of the decoded Base64 data.
Note the following when inspecting Base64 data:
  • You cannot use the fast pattern matcher; see for more information.
  • If you interrupt Base64 inspection in a rule with an intervening HTTP content argument, you must insert another base64_data keyword in the rule before further inspecting Base64 data; see for more information.
To inspect decoded Base64 data:
Access: Admin/Intrusion Admin
Step 1  On the Create Rule page, select base64_data from the drop-down list and click Add Option.
The base64_data keyword appears.
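The cursor behavior described in this section, modeled as an added Python example (not part of the Cisco guide, and not the rule engine's own code). The class RuleEval, the functions ntlm_in_authorization and rewind_demo, and the sample request are assumptions constructed for illustration; the modeled option sequence uses Snort rule syntax.

```python
import base64
import re

class RuleEval:
    """Simplified model of a rule's detection cursor (assumption, not Snort code)."""
    def __init__(self, payload):
        self.raw = self.buf = payload        # buf is the buffer currently inspected
        self.decoded, self.cursor = b"", 0   # decode buffer; where the next match starts

    def content(self, pattern, within=None):
        """Find pattern from the cursor; 'within' bounds the search window."""
        end = len(self.buf) if within is None else self.cursor + within
        idx = self.buf.find(pattern, self.cursor, end)
        if idx >= 0:
            self.cursor = idx + len(pattern)
        return idx >= 0

    def base64_decode(self):
        """Decode the Base64 run that starts at the cursor in the raw payload."""
        m = re.match(rb"\s*([A-Za-z0-9+/]+={0,2})", self.raw[self.cursor:])
        run = m.group(1) if m else b""
        run = run[: len(run) - len(run) % 4]   # keep whole 4-character groups
        self.decoded = base64.b64decode(run)
        return bool(self.decoded)

    def base64_data(self):
        """Point inspection at the start of the decoded buffer."""
        self.buf, self.cursor = self.decoded, 0
        return True

def ntlm_in_authorization(payload):
    """Models the option sequence content:"Authorization: NTLM";
    base64_decode:relative; base64_data; content:"NTLMSSP"; within:8;"""
    r = RuleEval(payload)
    return (r.content(b"Authorization: NTLM") and r.base64_decode()
            and r.base64_data() and r.content(b"NTLMSSP", within=8))

def rewind_demo(payload):
    """A second base64_data returns inspection to the start of the decoded data."""
    r = RuleEval(payload)
    r.content(b"Authorization: NTLM") and r.base64_decode() and r.base64_data()
    r.content(b"\x01\x00\x00\x00")             # cursor moves past the signature
    missed = r.content(b"NTLMSSP", within=8)   # signature is now behind the cursor
    r.base64_data()                            # rewind to offset 0
    return missed, r.content(b"NTLMSSP", within=8)

# Constructed sample request (not captured traffic).
TOKEN = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00")
SAMPLE = b"GET / HTTP/1.1\r\nAuthorization: NTLM " + TOKEN + b"\r\n\r\n"
```

The raw request never contains the bytes NTLMSSP, so a content match succeeds only after the decode step, and rewind_demo(SAMPLE) shows the same match failing and then succeeding once base64_data resets the cursor.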
Constructing a Rule
License: Protection
Just as you can create your own custom standard text rules, you can also modify existing standard text rules and shared object rules provided by Cisco and save your changes as a new rule. Note that for shared object rules provided by Cisco, you are limited to modifying rule header information such as the source and destination ports and IP addresses. You cannot modify the rule keywords and arguments in a shared object rule.
Writing New Rules
License: Protection
You can create your own standard text rules.