Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
You would not use this option when the rule contains other conditions that are relative to the specified content. For example, you would not use this option to search for the content 1234 if another rule condition sought to determine whether abcd occurs before 1234. In this case, the rules engine could not determine the relative location, because Fast Pattern Matcher Only instructs the rules engine to use the content only as the fast pattern matcher's candidate selector and not to evaluate it again as a rule condition, so no match position exists for the other condition to be relative to.
Note the following conditions when using this option:
• The specified content is location-independent; that is, it may occur anywhere in the payload. Thus, you cannot use positional options (Distance, Within, Offset, Depth, or Fast Pattern Matcher Offset and Length).
• You cannot use this option in combination with Not.
• You cannot use this option in combination with Fast Pattern Matcher Offset and Length.
• The specified content is treated as case-insensitive, because all patterns are inserted into the fast pattern matcher in a case-insensitive manner. This is handled automatically, so it is not necessary to select Case Insensitive when you select this option.
• You should not immediately follow a content keyword that uses the Fast Pattern Matcher Only option with any of the following keywords, because they set the search location relative to the current search location:
  • isdataat
  • pcre
  • content when Distance or Within is selected
  • content when HTTP URI is selected
  • asn1
  • byte_jump
  • byte_test
  • byte_extract
  • base64_decode
Specifying Fast Pattern Matcher Offset and Length
The Fast Pattern Matcher Offset and Length option allows you to specify a portion of the content for the fast pattern matcher to search. This can reduce memory consumption in cases where the pattern is very long and only a portion of the pattern is sufficient to identify the rule as a likely match. When the fast pattern matcher selects a rule, the rules engine then evaluates the entire pattern against the packet as a normal content match.
You determine the portion for the fast pattern matcher to use by specifying, in bytes, where the portion begins (offset, counted from the start of the content, with the first byte at offset 0) and how many bytes it contains (length), using the syntax:
offset,length
For example, for the content 1234567, if you specify the offset and length bytes as 1,5 the fast pattern matcher searches only for the content 23456, that is, the five bytes beginning one byte into the pattern.
Note that you cannot use this option together with Fast Pattern Matcher Only.
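The restrictions above are easy to get wrong when a rule has several content keywords, so the following is an added example (not Cisco's or Snort's own code) of a small linter for them. It works on the Snort 2.x rule-option text that the FireSIGHT rule editor options correspond to (Use Fast Pattern Matcher is fast_pattern;, Fast Pattern Matcher Only is fast_pattern:only;, and Fast Pattern Matcher Offset and Length is fast_pattern:<offset>,<length>;), parses a simplified subset of the option grammar (assumption: quoted patterns contain no semicolons), reports each violation of the rules listed above, and returns the exact bytes an offset,length setting hands to the fast pattern matcher. The rule option bodies in the usage section are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Keywords that modify the preceding content keyword (Snort 2.x rule syntax).
CONTENT_MODIFIERS = {"nocase", "offset", "depth", "distance", "within", "fast_pattern",
                     "http_uri", "http_raw_uri", "http_header", "http_raw_header",
                     "http_cookie", "http_raw_cookie", "http_client_body", "http_method",
                     "http_stat_code", "http_stat_msg", "rawbytes"}
POSITIONAL = ("distance", "within", "offset", "depth")
# Non-content keywords the guide says must not directly follow a fast_pattern:only content.
RELATIVE_NEXT = {"isdataat", "pcre", "asn1", "byte_jump", "byte_test",
                 "byte_extract", "base64_decode"}
# One rule option: keyword, optional ':' argument (quoted or bare), terminating ';'.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class Content:
    pattern: str
    negated: bool                      # content:!"..." (the editor's Not option)
    modifiers: dict = field(default_factory=dict)
    fast_pattern: list = field(default_factory=list)   # "", "only" or (offset, length)


def parse_options(body: str) -> list:
    """Parse a rule option body into Content objects (with their modifiers attached)
    and (keyword, argument) tuples for everything else, in rule order."""
    items, pos, body = [], 0, body.strip()
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError(f"cannot parse rule options near {body[pos:pos + 20]!r}")
        pos = m.end()
        kw, arg = m.group(1), (m.group(2) or "").strip()
        if kw == "content":
            negated = arg.startswith("!")
            items.append(Content(arg.lstrip("!").strip().strip('"'), negated))
        elif kw in CONTENT_MODIFIERS and items and isinstance(items[-1], Content):
            c = items[-1]
            if kw == "fast_pattern":
                if arg == "only":
                    c.fast_pattern.append("only")
                elif arg:
                    off, ln = (int(x) for x in arg.split(","))
                    c.fast_pattern.append((off, ln))
                else:
                    c.fast_pattern.append("")
            else:
                c.modifiers[kw] = arg
        else:
            items.append((kw, arg))
    return items


def fast_pattern_bytes(c: Content) -> str:
    """Bytes that go into the fast pattern matcher: the offset,length slice if set
    (offset is zero-based, length is a byte count), otherwise the whole pattern."""
    for fp in c.fast_pattern:
        if isinstance(fp, tuple):
            off, ln = fp
            if off < 0 or ln <= 0 or off + ln > len(c.pattern):
                raise ValueError(f"fast_pattern:{off},{ln} does not fit inside {c.pattern!r}")
            return c.pattern[off:off + ln]
    return c.pattern


def check(body: str) -> list:
    """Apply the guide's Fast Pattern Matcher Only / Offset and Length restrictions.
    Returns a list of findings; an empty list means the options are consistent."""
    items, findings = parse_options(body), []
    for i, c in enumerate(items):
        if not isinstance(c, Content):
            continue
        only = "only" in c.fast_pattern
        ranged = any(isinstance(fp, tuple) for fp in c.fast_pattern)
        if only and ranged:
            findings.append(f"{c.pattern!r}: Only cannot be combined with Offset and Length")
        if only:
            bad = [m for m in POSITIONAL if m in c.modifiers]
            if bad:
                findings.append(f"{c.pattern!r}: Only is location-independent; remove {', '.join(bad)}")
            if c.negated:
                findings.append(f"{c.pattern!r}: Only cannot be combined with Not")
            if "nocase" in c.modifiers:
                findings.append(f"{c.pattern!r}: note: nocase is redundant, fast patterns are always case-insensitive")
            nxt = items[i + 1] if i + 1 < len(items) else None
            if isinstance(nxt, Content) and any(m in nxt.modifiers for m in ("distance", "within", "http_uri")):
                findings.append(f"{c.pattern!r}: Only should not be directly followed by a relative content")
            elif isinstance(nxt, tuple) and nxt[0] in RELATIVE_NEXT:
                findings.append(f"{c.pattern!r}: Only should not be directly followed by {nxt[0]}")
        if ranged:
            try:
                fast_pattern_bytes(c)
            except ValueError as err:
                findings.append(str(err))
    return findings


if __name__ == "__main__":
    # Constructed rule option bodies, not from any shipped rule.
    for body in ('content:"1234567"; fast_pattern:1,5;',
                 'content:"1234"; fast_pattern:only; depth:10;',
                 'content:"1234"; fast_pattern:only; pcre:"/abcd/R";'):
        print(body, "->", check(body) or "ok")
```

The parser only attaches a modifier to the content keyword that immediately precedes it, which is how Snort itself binds content modifiers; a fast_pattern keyword that appears before any content is reported as an unattached option rather than silently dropped.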
To specify the content searched for by the fast pattern matcher:
Access: Admin/Intrusion Admin
Step 1 Select Use Fast Pattern Matcher for the content keyword you are adding.