Cisco FirePOWER Appliance 8360
FireSIGHT System User Guide, page 32-97
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
These keywords are particularly useful for decoding and inspecting Base64 data in HTTP requests. However, you can also use them with any protocol, such as SMTP, that uses the space and tab characters the same way HTTP does to extend a lengthy header line over multiple lines. When this line extension, known as folding, is not present in a protocol that uses it, inspection ends at any carriage return or line feed that is not followed by a space or tab.
See the following sections for more information:
• base64_decode
• base64_data
base64_decode
License: Protection
The base64_decode keyword instructs the rules engine to decode packet data as Base64 data. Optional arguments let you specify the number of bytes to decode and where in the data to begin decoding.
You can use the base64_decode keyword once in a rule; it must precede at least one instance of the base64_data keyword. See base64_data for more information.
Before decoding Base64 data, the rules engine unfolds lengthy headers that are folded across multiple lines. Decoding ends when the rules engine encounters any of the following:
• the end of a header line
• the specified number of bytes to decode
• the end of the packet
The following table describes the arguments you can use with the base64_decode keyword.
To decode Base64 data:
Access: Admin/Intrusion Admin
Step 1 On the Create Rule page, select base64_decode from the drop-down list and click Add Option.
The base64_decode keyword appears.
Step 2 Optionally, select any of the arguments described in the Optional base64_decode Arguments table (Table 32-58).
Table 32-58 Optional base64_decode Arguments
Argument  Description
Bytes     Specifies the number of bytes to decode. When not specified, decoding continues to the end of a header line or the end of the packet payload, whichever comes first. You can specify a positive, non-zero value.
Offset    Determines the offset relative to the start of the packet payload or, when you also specify Relative, relative to the current inspection location. You can specify a positive, non-zero value.
Relative  Specifies inspection relative to the current inspection location.
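As an added example (not from the guide), the following Python emulates the decode window that the keyword description and Table 32-58 lay out: header unfolding before decoding, the Offset, Bytes and Relative arguments, and the three stop conditions (end of header line, byte count reached, end of packet). The sample request, header names and helper function names are constructed for illustration; in a real rule the inspection location comes from a preceding content match.

```python
import base64
import re
from typing import Optional

# Constructed sample (not from the guide): an HTTP request whose
# Authorization header is folded over two lines with CRLF + tab.
SAMPLE_PAYLOAD = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Authorization: Basic dXNlcj\r\n"
    b"\tpwYXNzd29yZA==\r\n"
    b"X-Trace: aGVsbG8=\r\n"
    b"\r\n"
)

NOT_BASE64 = re.compile(rb"[^A-Za-z0-9+/=]")

def unfold_headers(data: bytes) -> bytes:
    """Join folded continuation lines: a line break followed by a space or tab
    is removed, so the header becomes one line before decoding starts."""
    return re.sub(rb"\r?\n[ \t]+", b"", data)

def base64_decode(payload: bytes, offset: int = 0, nbytes: Optional[int] = None,
                  cursor: Optional[int] = None) -> bytes:
    """Emulate the keyword's decode window.
    offset: bytes from payload start, or from `cursor` when Relative is set.
    nbytes: Bytes argument, the maximum encoded bytes to decode (None = no limit).
    cursor: current inspection location (Relative); None means absolute.
    Decoding stops at end of header line, after nbytes, or at end of packet."""
    data = unfold_headers(payload)
    start = offset if cursor is None else cursor + offset
    if start >= len(data):
        return b""                                # end of packet: nothing to decode
    window = data[start:]
    eol = re.search(rb"\r?\n", window)
    if eol:
        window = window[:eol.start()]             # stop at the end of the header line
    if nbytes is not None:
        window = window[:nbytes]                  # stop after the requested byte count
    encoded = NOT_BASE64.sub(b"", window)
    encoded = encoded[:len(encoded) - len(encoded) % 4]  # drop an incomplete final group
    return base64.b64decode(encoded) if encoded else b""

def decode_after(payload: bytes, marker: bytes, **kwargs) -> bytes:
    """Put the inspection cursor just past `marker` (as a preceding content
    match would) and decode relative to it, like base64_decode:relative."""
    cursor = unfold_headers(payload).find(marker)
    return b"" if cursor < 0 else base64_decode(payload, cursor=cursor + len(marker), **kwargs)
```

Without the unfolding step the first Authorization line alone yields only "dXNlcj", so a rule matching on the decoded credentials would miss the folded header; the Bytes argument shows why a count that is not a multiple of four truncates the decoded result.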