Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
the rules engine calculates the number described in the four bytes that appear 13 bytes after the beginning of the packet. Then, the engine multiplies that number by two to obtain the total number of bytes to skip. For instance, if the four calculated bytes in a specific packet were 00 00 00 1F, the rules engine would convert this to 31, then multiply it by two to get 62. Because From Beginning is enabled, the rules engine skips the first 63 bytes in the packet.
To use byte_jump:

Access: Admin/Intrusion Admin

Step 1  Select byte_jump in the drop-down list and click Add Option.
The byte_jump section appears beneath the last keyword you selected.
byte_test

License: Protection

The byte_test keyword converts the bytes in a specified byte segment to a number and compares that number to a value, according to the operator you specify.

The following table describes the required arguments for the byte_test keyword. You can further define how the system uses byte_test arguments with the optional arguments described in the table that follows it.
Table 32-11  Required byte_test Arguments

Bytes
  The number of bytes to read from the packet and convert to a number. You can specify 1 to 10 bytes.

Operator and Value
  Compares the number read from the packet to the specified value using one of the operators <, >, =, !, &, ^, !>, !<, !=, !&, or !^. For example, if you specify !1024, byte_test converts the bytes it read to a number and, if that number does not equal 1024, generates an event (if all other keyword parameters matched). Note that ! and != are equivalent.
  You can also use an existing byte_extract variable to specify the value for this argument. See … for more information.

Offset
  The number of bytes into the payload at which to start processing. The offset counter starts at byte 0, so calculate the offset value by subtracting 1 from the number of bytes you want to count forward from the beginning of the packet payload or from the last successful content match.
  You can also use an existing byte_extract variable to specify the value for this argument. See … for more information.
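The following is an added example, not code from Cisco or Snort: a small Python model of the byte_jump skip calculation described earlier in this section (the 00 00 00 1F example with a multiplier of two and From Beginning enabled) and of the byte_test operator and offset semantics in the table above. It assumes, beyond what the page states, that byte segments are read as big-endian unsigned integers and that for the & and ^ operators a nonzero bitwise result counts as a match. The sample payloads are constructed for the example.

```python
# Added example (not Cisco/Snort code): a minimal model of how byte_jump and
# byte_test read a byte segment, convert it to a number, and act on it.
# Assumptions not stated on the page: byte segments are big-endian unsigned
# integers, and for & and ^ a nonzero bitwise result counts as a match.


def read_number(payload: bytes, offset: int, count: int) -> int:
    """Convert `count` bytes starting at zero-based `offset` into an integer."""
    if not 1 <= count <= 10:
        raise ValueError("Bytes argument must be 1 to 10")
    if offset < 0 or offset + count > len(payload):
        raise ValueError("byte segment lies outside the payload")
    return int.from_bytes(payload[offset:offset + count], "big")


def byte_jump(payload: bytes, count: int, offset: int, multiplier: int = 1,
              from_beginning: bool = False, cursor: int = 0) -> int:
    """Return the new cursor position (bytes skipped from the payload start).

    With from_beginning=True the engine skips value * multiplier bytes counted
    from the start of the payload; otherwise it skips them from the end of the
    bytes it just read (cursor + offset + count).
    """
    start = cursor + offset
    skip = read_number(payload, start, count) * multiplier
    new_cursor = skip if from_beginning else start + count + skip
    if new_cursor > len(payload):
        # A length field larger than the packet itself: refuse the jump
        # rather than let later keywords inspect bytes that do not exist.
        raise ValueError("jump lands beyond the payload")
    return new_cursor


# Base comparisons; a leading "!" negates any of them (the page notes ! == !=).
_OPERATORS = {
    "<": lambda actual, value: actual < value,
    ">": lambda actual, value: actual > value,
    "=": lambda actual, value: actual == value,
    "&": lambda actual, value: (actual & value) != 0,  # assumption: nonzero AND matches
    "^": lambda actual, value: (actual ^ value) != 0,  # assumption: nonzero XOR matches
}


def byte_test(payload: bytes, count: int, operator: str, value: int,
              offset: int, cursor: int = 0) -> bool:
    """Return True when the number read at cursor+offset satisfies operator/value.

    `offset` is zero-based, as the Offset row of the table describes: to test
    the n-th byte after the cursor, pass offset=n-1.
    """
    negate = operator.startswith("!")
    base = operator[1:] if negate else operator
    if base == "":  # a bare "!" means "not equal", the same as "!="
        base = "="
    if base not in _OPERATORS:
        raise ValueError(f"unsupported byte_test operator {operator!r}")
    actual = read_number(payload, cursor + offset, count)
    matched = _OPERATORS[base](actual, value)
    return not matched if negate else matched


# Constructed sample payload: 13 filler bytes, then 00 00 00 1F, then padding,
# matching the byte_jump example in the text (value 31, multiplier 2 -> 62).
SAMPLE_PAYLOAD = bytes(13) + bytes.fromhex("0000001f") + bytes(range(63))

if __name__ == "__main__":
    print(byte_jump(SAMPLE_PAYLOAD, count=4, offset=13, multiplier=2,
                    from_beginning=True))                       # 62
    length_field = bytes.fromhex("0400")                          # constructed: 1024
    print(byte_test(length_field, 2, "!", 1024, 0))               # False
    print(byte_test(length_field, 2, ">", 1000, 0))               # True
```

The bounds check in byte_jump is the part worth copying into any parser of the same shape: a length field in attacker-controlled data can claim more bytes than the packet carries, and the safe behaviour is to stop evaluating rather than read past the end of the payload.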