Cisco FirePOWER Appliance 7030
32-31
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
the rules engine calculates the number described in the four bytes that appear 9 bytes away from (relative
to) the last successful content match, and, if the calculated number is larger than 128 bytes, the rule is
triggered.
To use byte_test:
Access: Admin/Intrusion Admin
Step 1 On the Create Rule page, select byte_test in the drop-down list and click Add Option.
The byte_test section appears beneath the last keyword you selected.
Searching for Content Using PCRE
License: Protection
The pcre keyword allows you to use Perl-compatible regular expressions (PCRE) to inspect packet
payloads for specified content. You can use PCRE to avoid writing multiple rules to match slight
variations of the same content.
Regular expressions are useful when searching for content that could be displayed in a variety of ways.
The content may have different attributes that you want to account for in your attempt to locate it within
a packet’s payload.
Note that the regular expression syntax used in intrusion rules is a subset of the full regular expression
library and varies in some ways from the syntax used in commands in the full library. When adding a
pcre keyword using the rule editor, enter the full value in the following format:
!/pcre/ ismxAEGRBUIPHDMCKSY
where:
• ! is an optional negation (use this if you want to match patterns that do not match the regular
expression).
• /pcre/ is a Perl-compatible regular expression.
• ismxAEGRBUIPHDMCKSY is any combination of modifier options.
Also note that you must escape the characters listed in the following table for the rules engine to interpret
them correctly when you use them in a PCRE to search for specific content in a packet payload.
Table 32-15 Escaped PCRE Characters

You must escape...      with a backslash...   or Hex code...
# (hash mark)           \#                    \x23
; (semicolon)           \;                    \x3B
| (vertical bar)        \|                    \x7C
: (colon)               \:                    \x3A
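As an added example (not Cisco's code and not part of the guide), the following Python checker parses a rule-editor pcre value in the !/pcre/modifiers format described above and reports any hash mark, semicolon, vertical bar or colon left unescaped contrary to Table 32-15; the function names and the sample value are this example's own.

```python
import re

# Modifier letters the guide lists after the closing slash of a pcre value.
PCRE_MODIFIERS = set("ismxAEGRBUIPHDMCKSY")
# Characters the rules engine needs escaped inside the expression (Table 32-15),
# each mapped to the hex form the guide gives for it.
MUST_ESCAPE = {"#": r"\x23", ";": r"\x3B", "|": r"\x7C", ":": r"\x3A"}
# Optional '!' negation, the expression between slashes, then the modifiers.
_OPTION_RE = re.compile(r"^(!?)/(.*)/([A-Za-z]*)$")

def parse_pcre_option(value: str) -> dict:
    """Split a rule-editor value written as !/pcre/modifiers into its parts."""
    m = _OPTION_RE.match(value.strip())
    if not m:
        raise ValueError(f"expected !/pcre/modifiers, got {value!r}")
    negation, regex, modifiers = m.groups()
    unknown = set(modifiers) - PCRE_MODIFIERS
    if unknown:
        raise ValueError(f"unknown pcre modifier(s): {''.join(sorted(unknown))}")
    return {"negated": negation == "!", "regex": regex, "modifiers": modifiers}

def unescaped_specials(regex: str) -> list:
    """Offsets of bare # ; | : in the expression (only an odd number of preceding
    backslashes escapes one; two backslashes escape each other and leave it bare)."""
    offsets = []
    for i, ch in enumerate(regex):
        if ch in MUST_ESCAPE:
            backslashes = 0
            while i - backslashes - 1 >= 0 and regex[i - backslashes - 1] == "\\":
                backslashes += 1
            if backslashes % 2 == 0:
                offsets.append(i)
    return offsets

def escape_specials(regex: str) -> str:
    """Rewrite every bare # ; | : to its hex form from Table 32-15."""
    bare = set(unescaped_specials(regex))
    return "".join(MUST_ESCAPE[c] if i in bare else c for i, c in enumerate(regex))

def validate_pcre_option(value: str) -> list:
    """List the problems in a pcre value; an empty list means it is well formed."""
    try:
        regex = parse_pcre_option(value)["regex"]
    except ValueError as exc:
        return [str(exc)]
    return [f"unescaped {regex[i]!r} at offset {i}: use \\{regex[i]} or {MUST_ESCAPE[regex[i]]}"
            for i in unescaped_specials(regex)]

# Constructed sample value: the colon after "Host" is bare, so the checker flags it.
SAMPLE = r"/^Host:\s+example\.com/i"
```

Running validate_pcre_option(SAMPLE) reports the bare colon, and escape_specials on the parsed expression yields the \x3A form the table calls for.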