Cisco FirePOWER Appliance 7110
32-81
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Table 32-48 Endianness byte_extract Arguments (continued)

Argument
    Description

Little Endian
    Processes data in little endian byte order.

DCE/RPC
    Specifies a byte_extract keyword for traffic processed by the DCE/RPC preprocessor. See for more information.
    The DCE/RPC preprocessor determines big endian or little endian byte order, and the Number Type and Endian arguments do not apply.
    When you enable this argument, you can also use byte_extract in conjunction with other specific DCE/RPC keywords. See for more information.
    The DCE/RPC preprocessor must be enabled to allow processing of rules that include this option. When the DCE/RPC preprocessor is disabled and you enable rules that use this option, you are prompted whether to enable the preprocessor when you save the policy. See .

You can specify a number type to read data as an ASCII string. To define how the system views string data in a packet, you can select one of the arguments in the following table.

Table 32-49 Number Type byte_extract Arguments

Argument
    Description

Hexadecimal String
    Reads extracted string data in hexadecimal format.

Decimal String
    Reads extracted string data in decimal format.

Octal String
    Reads extracted string data in octal format.

For example, if the value for byte_extract is specified as the following:
• Bytes to Extract = 4
• Variable Name = var
• Offset = 8
• Relative = enabled
the rules engine reads the number described in the four bytes that appear 9 bytes away from (relative to) the last successful content match into a variable named var, which you can specify later in the rule as the value for certain keyword arguments.

The following table lists the keyword arguments where you can specify a variable defined in the byte_extract keyword.

Table 32-50 Arguments Accepting a byte_extract Variable

Keyword
    Argument

content
    Depth, Offset, Distance, Within. See for more information.

byte_jump
    Offset. See for more information.