Cisco Firepower Management Center 4000
32-59
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Note that the DCE/RPC preprocessor must be enabled to allow processing of rules using the dce_stub_data keyword. When the DCE/RPC preprocessor is disabled and you enable rules that use this keyword, you are prompted whether to enable the preprocessor when you save the policy. See .
DCE/RPC stub data provides the interface between a client procedure call and the DCE/RPC run-time system, the mechanism that provides the routines and services central to DCE/RPC. DCE/RPC exploits are identified in the stub data portion of the DCE/RPC packet. Because stub data is associated with a specific operation or function call, you should always precede dce_stub_data with dce_iface and dce_opnum to identify the related service and operation.
The dce_stub_data keyword has no arguments. See and for more information.
SIP Keywords
License: Protection
Four SIP keywords allow you to monitor SIP session traffic for exploits.
Note that the SIP protocol is vulnerable to denial of service (DoS) attacks. Rules addressing these attacks can benefit from rate-based attack prevention. See for more information.
See the following sections for more information:
•
•
•
•
sip_header
License: Protection
You can use the sip_header keyword to start inspection at the beginning of the extracted SIP request or response header and restrict inspection to header fields.
The sip_header keyword has no arguments. See for more information.
The following example rule fragment points to the SIP header and matches the CSeq header field:
alert udp any any -> any 5060 ( sip_header; content:"CSeq"; )
Note that the SIP preprocessor must be enabled to allow processing of rules using the sip_header keyword. When the SIP preprocessor is disabled and you enable rules that use this keyword, you are prompted whether to enable the preprocessor when you save the policy. See
sip_body
License: Protection
You can use the sip_body keyword to start inspection at the beginning of the extracted SIP request or response message body and restrict inspection to the message body.
The sip_body keyword has no arguments.
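As an added illustration for both the sip_header and sip_body sections (this is not code from the Cisco guide or the Snort SIP preprocessor), the Python below splits a SIP message into its extracted header and body the way the preprocessor does and shows that a content match such as the sip_header rule fragment above is confined to the chosen buffer; the INVITE message is constructed sample input.

```python
# Added illustration, not Cisco's code: emulate how the SIP preprocessor
# extracts the header and body, and how sip_header / sip_body confine a
# content match to one of those buffers.
from typing import Tuple

def split_sip_message(raw: bytes) -> Tuple[bytes, bytes]:
    """Return (header, body) of a SIP request or response.

    The header ends at the first empty line (CRLF CRLF); everything after it
    is the message body. A message with no empty line has an empty body.
    """
    sep = raw.find(b"\r\n\r\n")
    if sep == -1:
        return raw, b""
    return raw[:sep + 2], raw[sep + 4:]

def sip_content_match(raw: bytes, pattern: bytes, buffer: str = "packet") -> bool:
    """Emulate `content:<pattern>` under an optional SIP buffer keyword.

    buffer is "header" (sip_header), "body" (sip_body) or "packet" (neither).
    """
    header, body = split_sip_message(raw)
    target = {"header": header, "body": body, "packet": raw}[buffer]
    return pattern in target

# Constructed sample INVITE whose SDP body also contains the text "CSeq", so an
# unrestricted content match cannot tell the header field from body data.
SAMPLE_BODY = (
    b"v=0\r\n"
    b"o=- 0 0 IN IP4 192.0.2.10\r\n"
    b"s=CSeq test session\r\n"
)
SAMPLE_INVITE = (
    b"INVITE sip:bob@example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: Alice <sip:alice@example.net>;tag=1928301774\r\n"
    b"To: Bob <sip:bob@example.net>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Type: application/sdp\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)
    + SAMPLE_BODY
)

if __name__ == "__main__":
    # Same test as: alert udp any any -> any 5060 ( sip_header; content:"CSeq"; )
    print("sip_header CSeq:", sip_content_match(SAMPLE_INVITE, b"CSeq", "header"))
    # sip_body looks only at the SDP, so a header field name is not found there
    print("sip_body Via:   ", sip_content_match(SAMPLE_INVITE, b"Via:", "body"))
```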