Cisco FirePOWER Appliance 7010
FireSIGHT System User Guide, Chapter 32: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Step 2  Optionally, select Fast Pattern Matcher Only to have the fast pattern matcher decide, without rules engine evaluation, whether the specified pattern exists in the packet. The rules engine evaluates the rule only if the fast pattern matcher detects the specified content; if it does not, the packet is never handed to the rules engine for this rule.
Step 3  Optionally, in Fast Pattern Matcher Offset and Length, specify the portion of the content pattern that the fast pattern matcher searches for, using the syntax offset,length, where offset is the number of bytes from the beginning of the content at which the sub-pattern starts and length is the number of bytes it continues. The sub-pattern must lie entirely within the content: on a 22-byte content value, 8,12 selects bytes 8 through 19 (counting from 0), while 8,16 runs past the end of the content and is invalid.
Step 4  Continue with creating or editing the rule. See for more information.
Replacing Content in Inline Deployments
License: Protection
You can use the replace keyword in an inline deployment to replace specified content.
Note: You cannot use the replace keyword to replace content in SSL traffic detected by the Cisco SSL Appliance. The original encrypted data, not the replacement data, will be transmitted. See the Cisco SSL Appliance Administration and Deployment Guide for more information.
To use the replace keyword, construct a custom standard text rule that uses the content keyword to look for a specific string, then use the replace keyword to specify the string to substitute for that content. The replace value and the content value must be the same length in bytes (count each |hex| byte and each escaped character as one byte): the packet is rewritten in place, so its length cannot change.
Optionally, you can enclose the replacement string in quotation marks for backward compatibility with previous FireSIGHT System software versions. If you do not include quotation marks, they are added to the rule automatically so the rule is syntactically correct. To include a leading or trailing quotation mark as part of the replacement text, you must use a backslash to escape it, as shown in the following example:
"replacement text plus \"quotation\" marks""
A rule can contain multiple replace keywords, but only one per content keyword; each replace applies to the content keyword that immediately precedes it. Only the first instance of the content found by the rule is replaced; later occurrences of the same content in the packet are left as they are.
The following are example uses of the replace keyword:
• If the system detects an incoming packet that contains an exploit, you can replace the malicious string with a harmless one. Sometimes this technique is more successful than simply dropping the offending packet. In some attack scenarios, the attacker simply resends the dropped packet until it bypasses your network defenses or floods your network. By substituting one string for another rather than dropping the packet, you may trick the attacker into believing that the attack was launched against a target that was not vulnerable.
• If you are concerned about reconnaissance attacks that try to learn whether you are running a vulnerable version of, for example, a web server, then you can detect the outgoing packet and replace the banner with your own text.
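The following Python script is an added worked example, not code from the FireSIGHT guide or the product, covering both the Fast Pattern Matcher Offset and Length field described in Step 3 above and the replace keyword rules in this section. It works on the Snort-syntax keywords behind those editor fields (content, fast_pattern:only, fast_pattern:offset,length, replace), decodes |hex| sections and backslash escapes, checks that a replace value is the same length as its content and that there is at most one replace per content, shows exactly which bytes an offset,length selection hands to the fast pattern matcher, and rewrites a sample payload the way an inline sensor would, replacing only the first instance. The two rules, their SIDs and the HTTP response are constructed for illustration; the banner-masking rule is the second bullet above made concrete.

```python
# Added worked example (not from the FireSIGHT guide): checker for Snort-style
# rule text showing the fast_pattern offset,length selection and the replace
# keyword constraints. Rules, SIDs and the sample response are constructed.

def decode_content(s: str) -> bytes:
    """Decode a content/replace value: literal text, |hh hh| hex sections,
    and backslash escapes for characters such as " \\ ; and |."""
    out, i = bytearray(), 0
    while i < len(s):
        c = s[i]
        if c == "|":                          # hex section such as |0d 0a|
            end = s.find("|", i + 1)
            if end < 0:
                raise ValueError("unterminated |hex| section")
            out += bytes.fromhex(s[i + 1:end])
            i = end + 1
        elif c == "\\" and i + 1 < len(s):    # escaped literal such as \"
            out.append(ord(s[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)

def unquote(v: str) -> str:
    """Strip the optional surrounding quotation marks of an option value."""
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v

def split_options(body: str) -> list:
    """Split 'key:value; key:value;' on semicolons that are outside quotes."""
    opts, cur, in_q, i = [], "", False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # keep escape pairs intact
            cur += body[i:i + 2]
            i += 2
            continue
        if c == '"':
            in_q = not in_q
        if c == ";" and not in_q:
            key, _, val = cur.strip().partition(":")
            opts.append((key.strip(), val.strip()))
            cur = ""
        else:
            cur += c
        i += 1
    return opts

def fast_pattern_slice(content: bytes, offset: int, length: int) -> bytes:
    """Bytes the fast pattern matcher searches for, given offset,length."""
    if offset < 0 or length <= 0 or offset + length > len(content):
        raise ValueError(f"fast_pattern {offset},{length} exceeds "
                         f"{len(content)}-byte content")
    return content[offset:offset + length]

def analyze_rule(rule: str) -> list:
    """One record per content keyword with its fast-pattern bytes and any
    validated replace value; raises ValueError for the errors the guide
    describes (length mismatch, more than one replace per content)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    records = []
    for key, val in split_options(body):
        if key == "content":
            c = decode_content(unquote(val))
            records.append({"content": c, "fast_pattern": c,
                            "fp_only": False, "replace": None})
        elif key in ("fast_pattern", "replace"):
            if not records:
                raise ValueError(f"{key} must follow a content keyword")
            rec = records[-1]
            if key == "fast_pattern":
                if val == "only":             # Fast Pattern Matcher Only
                    rec["fp_only"] = True
                elif val:                     # Offset and Length: off,len
                    off, ln = (int(x) for x in val.split(","))
                    rec["fast_pattern"] = fast_pattern_slice(rec["content"], off, ln)
            else:
                if rec["replace"] is not None:
                    raise ValueError("only one replace per content keyword")
                rep = decode_content(unquote(val))
                if len(rep) != len(rec["content"]):
                    raise ValueError(f"replace is {len(rep)} bytes but content is "
                                     f"{len(rec['content'])} bytes; length must match")
                rec["replace"] = rep
    return records

def rule_error(rule: str):
    """Validation error message for a rule, or None if the rule is valid."""
    try:
        analyze_rule(rule)
    except ValueError as e:
        return str(e)
    return None

def apply_replacements(payload: bytes, records: list):
    """Rewrite payload as an inline sensor would: for each content with a
    replace value, only the first match is replaced. Returns (payload, count)."""
    count = 0
    for rec in records:
        if rec["replace"] is None:
            continue
        idx = payload.find(rec["content"])
        if idx >= 0:
            payload = payload[:idx] + rec["replace"] + payload[idx + len(rec["content"]):]
            count += 1
    return payload, count

# Constructed rule: mask an outgoing web server banner with a same-length value.
BANNER_RULE = ('alert tcp $HOME_NET 80 -> $EXTERNAL_NET any ('
               'msg:"Mask web server banner"; flow:established,from_server; '
               'content:"Server: Apache/2.2.3|0d 0a|"; fast_pattern:8,12; '
               'replace:"Server: Banner/0.0.0|0d 0a|"; sid:1000001; rev:1;)')
# Constructed rule the guide says is invalid: replace shorter than content.
BAD_RULE = ('alert tcp any any -> any any (content:"Apache/2.2.3"; '
            'replace:"httpd"; sid:1000002; rev:1;)')
# Constructed HTTP response; the banner appears twice to show that only the
# first instance is replaced.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\n"
                   b"Content-Length: 0\r\n\r\nServer: Apache/2.2.3\r\n")
```

Calling analyze_rule(BANNER_RULE) shows that fast_pattern:8,12 hands only the 12 bytes "Apache/2.2.3" to the fast pattern matcher while the full 22-byte content (including the trailing CRLF) is what the rules engine matches and what the replace value must equal in length; apply_replacements(SAMPLE_RESPONSE, ...) rewrites the first banner and leaves the second untouched, and rule_error(BAD_RULE) reports the length mismatch that the rule editor would reject.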