Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide, page 32-77
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Inspecting Packet Characteristics
License: Protection
You can write rules that only generate events against packets with specific packet characteristics. The FireSIGHT System provides several keywords to evaluate packet characteristics; they are described in the following sections.
dsize
License: Protection
The dsize keyword tests the packet payload size. With it, you can use the greater than and less than operators (< and >) to specify a range of values. You can use the following syntax to specify ranges:

    >number_of_bytes
    <number_of_bytes
    number_of_bytes<>number_of_bytes

For example, to indicate a packet size greater than 400 bytes, use >400 as the dsize value. To indicate a packet size of less than 500 bytes, use <500. To specify that the rule trigger against any packet between 400 and 500 bytes inclusive, use 400<>500.
Caution: The dsize keyword tests packets before they are decoded by any preprocessors.
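As an added illustration (not code from the Cisco guide), the following Python evaluates the three dsize argument forms against raw payload bytes and shows the consequence of the caution above: because dsize is applied to each packet before any preprocessor reassembles a stream, a payload split across TCP segments is judged segment by segment. The argument syntax is the one documented above; the payloads are constructed.

```python
"""Constructed example (not from the Cisco guide): evaluates dsize arguments
in the three documented forms against raw payload bytes, and shows why the
caution about preprocessors matters for data split across TCP segments."""
import re
from typing import List, Sequence

# Forms documented in the guide: ">N", "<N", and the inclusive range "A<>B".
_DSIZE_RE = re.compile(r"^(?:(?P<op>[<>])(?P<n>\d+)|(?P<lo>\d+)<>(?P<hi>\d+))$")


def dsize_matches(arg: str, payload: bytes) -> bool:
    """Return True when len(payload) satisfies the dsize argument `arg`."""
    m = _DSIZE_RE.match(arg.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported dsize argument: {arg!r}")
    size = len(payload)
    if m.group("op") == ">":
        return size > int(m.group("n"))
    if m.group("op") == "<":
        return size < int(m.group("n"))
    lo, hi = int(m.group("lo")), int(m.group("hi"))
    if lo > hi:
        raise ValueError(f"inverted dsize range: {arg!r}")
    return lo <= size <= hi  # the guide states that the range is inclusive


def per_segment_matches(arg: str, segments: Sequence[bytes]) -> List[bool]:
    """dsize sees each packet's own payload, not the reassembled stream,
    so the same argument is evaluated once per segment here."""
    return [dsize_matches(arg, seg) for seg in segments]


if __name__ == "__main__":
    # Constructed payload: a 450-byte message, then the same bytes as a
    # sender might transmit them, split into two TCP segments.
    message = b"A" * 450
    segments = [message[:200], message[200:]]
    print("whole message, dsize 400<>500:", dsize_matches("400<>500", message))
    print("per segment,   dsize 400<>500:", per_segment_matches("400<>500", segments))
```

The whole message matches the range while neither segment does, which is why a rule that depends on reassembled data should not rely on dsize alone.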
isdataat
License: Protection

The isdataat keyword instructs the rules engine to verify that data resides at a specific location in the payload.

The following table lists the arguments you can use with the isdataat keyword.