Cisco Cisco FirePOWER Appliance 8250
32-60
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
The following example rule fragment points to the SIP message body and matches a specific IP address in the c (connection information) field in extracted SDP data:
alert udp any any -> any 5060 ( sip_body; content:"c=IN 192.168.12.14"; )
Note that rules are not limited to searching for SDP content. The SIP preprocessor extracts the entire message body and makes it available to the rules engine.
Note also that the SIP preprocessor must be enabled to allow processing of rules using the sip_body keyword. When the SIP preprocessor is disabled and you enable rules that use this keyword, you are prompted whether to enable the preprocessor when you save the policy. See
sip_method
License: Protection
A method field in each SIP request identifies the purpose of the request. You can use the sip_method keyword to test SIP requests for specific methods. Separate multiple methods with commas.
You can specify any of the following currently defined SIP methods:
ack, benotify, bye, cancel, do, info, invite, join, message, notify, options, prack, publish, quath, refer, register, service, sprack, subscribe, unsubscribe, update
Methods are case-insensitive.
Because new SIP methods might be defined in the future, you can also specify a custom method, that is, a method that is not a currently defined SIP method. Accepted field values are defined in RFC 2616, which allows all characters except control characters and separators such as the equals sign (=), the comma (,), the opening parenthesis ((), and the closing brace (}). See RFC 2616 for the complete list of excluded separators. When the system encounters a specified custom method in traffic, it inspects the packet header but not the message.
The system supports up to 32 methods, including the 21 currently defined methods and an additional 11 methods. The system ignores any undefined methods that you might configure. Note that the 32 total methods includes methods specified using the Methods to Check SIP preprocessor option. See
for more information.
You can specify only one method when you use negation. For example:
!invite
Note, however, that multiple sip_method keywords in a rule are linked with an AND operation. For example, to test for all extracted methods except invite and cancel, you would use two negated sip_method keywords:
sip_method: !invite
sip_method: !cancel
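The sip_method matching rules described above (case-insensitive, comma-separated method lists, negation limited to a single method, multiple keywords ANDed, and RFC 2616 token characters for custom methods) modeled as a small evaluator. This is an added example, not FireSIGHT or Snort code; the SIP request lines it parses are constructed, and the method table is the list from this section.

```python
import re

# The 21 SIP methods the guide lists as currently defined.
DEFINED_METHODS = {
    "ack", "benotify", "bye", "cancel", "do", "info", "invite", "join", "message",
    "notify", "options", "prack", "publish", "quath", "refer", "register", "service",
    "sprack", "subscribe", "unsubscribe", "update",
}
# RFC 2616 token characters: printable ASCII minus control characters and the
# separators ( ) < > @ , ; : \ " / [ ] ? = { } SP HT. A custom method must be a token.
_TOKEN = re.compile(r"^[!#$%&'*+\-.0-9A-Za-z^_`|~]+$")

def parse_sip_method(spec):
    """Parse one sip_method argument into (negated, set_of_methods).
    Methods are case-insensitive and comma-separated; a negated keyword may
    name only one method. Raises ValueError for an unacceptable argument."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    methods = [m.strip().lower() for m in spec.split(",")]
    if negated and len(methods) != 1:
        raise ValueError("negation accepts only a single method")
    for m in methods:
        if not _TOKEN.match(m):
            raise ValueError(f"not a valid method token: {m!r}")
    return negated, set(methods)

def is_valid_sip_method_spec(spec):
    """True when parse_sip_method accepts the argument, False otherwise."""
    try:
        parse_sip_method(spec)
        return True
    except ValueError:
        return False

def custom_methods(spec):
    """Methods in the argument that are not currently defined SIP methods."""
    return parse_sip_method(spec)[1] - DEFINED_METHODS

def request_method(message):
    """Return the method from a SIP request line (its first token), lower-cased."""
    return message.split("\r\n", 1)[0].split(" ", 1)[0].lower()

def rule_matches(specs, message):
    """Evaluate a rule's sip_method arguments against one request; multiple
    sip_method keywords are ANDed, so each must hold (negated ones invert)."""
    method = request_method(message)
    return all((method in methods) != negated
               for negated, methods in map(parse_sip_method, specs))
```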
The SIP preprocessor must be enabled to allow processing of rules using the sip_method keyword. When the SIP preprocessor is disabled and you enable rules that use this keyword, you are prompted whether to enable the preprocessor when you save the policy. See
Cisco recommends that you include at least one content keyword in rules that include the sip_method keyword to ensure that the rules engine uses the fast pattern matcher, which increases processing speed and improves performance. Note that the rules engine uses the fast pattern matcher when a rule includes at least one content keyword, regardless of whether you enable the content keyword Use Fast Pattern Matcher argument. See
and
for more information.
sip_stat_code
License: Protection