Cisco FirePOWER Appliance 7010
32-22
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
– The Cookie: and Set-Cookie: header names, leading spaces on the header line, and the CRLF that terminates the header line are inspected as part of the header and not as part of the cookie.
HTTP Client Body
Select this option to search for content matches in the message body in an HTTP client request.
Note that for this option to function, you must specify a value of 0 to 65535 for the HTTP Inspect preprocessor HTTP Client Body Extraction Depth option. See for more information.
HTTP Status Code
Select this option to search for content matches in the 3-digit status code in an HTTP response.
You must enable the HTTP Inspect preprocessor Inspect HTTP Responses option for this option to return a match. See for more information.
HTTP Status Message
Select this option to search for content matches in the textual description that accompanies the status code in an HTTP response.
You must enable the HTTP Inspect preprocessor Inspect HTTP Responses option for this option to return a match. See for more information.
To specify an HTTP content option when doing a content search of TCP traffic:
Access: Admin/Intrusion Admin
Step 1 Optionally, to take advantage of HTTP Inspect preprocessor normalization, and to improve performance, select at least one from among the HTTP URI, HTTP Raw URI, HTTP Method, HTTP Header, HTTP Raw Header, or HTTP Client Body options for the content keyword you are adding; also, optionally, select the HTTP Cookie or HTTP Raw Cookie option.
Step 2 Continue with creating or editing the rule. See for more information.
Use Fast Pattern Matcher
License: Protection
The fast pattern matcher quickly determines which rules to evaluate before passing a packet to the rules engine. This initial determination improves performance by significantly reducing the number of rules used in packet evaluation.
By default, the fast pattern matcher searches packets for the longest content specified in a rule; this is to eliminate as much as possible needless evaluation of a rule. Consider the following example rule fragment:
alert tcp any any -> any 80 (msg:"Exploit"; content:"GET"; http_method; nocase; content:"/exploit.cgi"; http_uri; nocase;)
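As an added illustration that is not part of the guide, the following Python splits a constructed HTTP request into the buffers the HTTP content options search (keeping the Cookie: name, its leading spaces and the CRLF in the header buffer, as described above) and then evaluates the guide's rule fragment with the default longest-content fast-pattern prefilter. The buffer dictionary keys, the simplified rule parser and the sample request are assumptions of this example, not FireSIGHT internals.

```python
import re
# Constructed sample request (not from the guide); note the spaces after "Cookie:".
SAMPLE_REQUEST = (b"GET /exploit.cgi?id=1 HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Cookie:   session=abc123\r\nContent-Length: 7\r\n\r\npayload")
# The guide's example rule fragment.
RULE = ('alert tcp any any -> any 80 (msg:"Exploit"; content:"GET"; http_method; '
        'nocase; content:"/exploit.cgi"; http_uri; nocase;)')

def http_buffers(raw: bytes) -> dict:
    """Split a request into the buffers the HTTP content options search. The Cookie:
    name, the spaces after it and the CRLF stay in the header buffer, not the cookie."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _ = lines[0].split(b" ", 2)
    header, cookie = b"", b""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.lower() == b"cookie":  # value goes to the cookie buffer only
            cookie, value = value.strip(), value[:len(value) - len(value.lstrip())]
        header += name + b":" + value + b"\r\n"
    return {"raw": raw, "http_method": method, "http_uri": uri,
            "http_header": header, "http_cookie": cookie, "http_client_body": body}

def parse_contents(rule: str) -> list:
    contents = []
    opts = rule[rule.index("(") + 1:rule.rindex(")")]
    for opt in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', opts):  # ';' outside quotes
        opt = opt.strip()
        if opt.startswith("content:"):  # quoted text only; |hex| escapes not handled
            contents.append({"pattern": opt[8:].strip().strip('"').encode(),
                             "buffer": "raw", "nocase": False, "fast_pattern": False})
        elif contents and opt.startswith("http_"):
            contents[-1]["buffer"] = opt          # e.g. http_method, http_uri, http_cookie
        elif contents and opt in ("nocase", "fast_pattern"):
            contents[-1][opt] = True
    return contents

def fast_pattern(contents: list) -> dict:
    """Default choice is the longest content; Snort's explicit fast_pattern modifier overrides it."""
    explicit = [c for c in contents if c["fast_pattern"]]
    return explicit[0] if explicit else max(contents, key=lambda c: len(c["pattern"]))

def content_matches(c: dict, bufs: dict) -> bool:
    pat, hay = c["pattern"], bufs[c["buffer"]]
    return pat.lower() in hay.lower() if c["nocase"] else pat in hay

def evaluate(rule: str, raw: bytes) -> bool:
    bufs, contents = http_buffers(raw), parse_contents(rule)
    fp_hit = content_matches(fast_pattern(contents), bufs)  # prefilter: a miss skips the rule
    return fp_hit and all(content_matches(c, bufs) for c in contents)
```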