Cisco FirePOWER Appliance 7010
32-50
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
For example, you could use client, >=, 5001216 as the argument for the stream_size keyword to detect a TCP stream traveling from a client to a server and greater than or equal to 5001216 bytes.
Enabling and Disabling TCP Stream Reassembly
License: Protection
You can use the stream_reassemble keyword to enable or disable TCP stream reassembly for a single connection when inspected traffic on the connection matches the conditions of the rule. Optionally, you can use this keyword multiple times in a rule.
Use the following syntax to enable or disable stream reassembly:
enable|disable, server|client|both, option, option
The following table describes the optional arguments you can use with the stream_reassemble keyword.
For example, the following rule disables TCP client-side stream reassembly without generating an event on the connection where a 200 OK status code is detected in an HTTP response:
alert tcp any 80 -> any any (flow:to_client, established; content:"200 OK"; stream_reassemble:disable, client, noalert;)
Note that the TCP stream preprocessor must be enabled to allow processing of rules using the stream_reassemble keyword. When the TCP stream preprocessor is disabled and you enable rules that use this keyword, you are prompted whether to enable the preprocessor when you save the policy. See .
To use stream_reassemble:
Access: Admin/Intrusion Admin
Step 1 On the Create Rule page, select stream_reassemble in the drop-down list and click Add Option.
The stream_reassemble section appears.
Table 32-31 stream_size Keyword Argument Operators

Operator   Description
=          equal to
!=         not equal to
>          greater than
<          less than
>=         greater than or equal to
<=         less than or equal to
Table 32-32 stream_reassemble Optional Arguments

Argument   Description
noalert    Generate no events regardless of any other detection options specified in the rule.
fastpath   Ignore the rest of the connection traffic when there is a match.
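The following is an added example, not part of the FireSIGHT guide: a small validator for the stream_reassemble and stream_size argument syntax described above, with the operator and option sets taken from Tables 32-31 and 32-32. It assumes rule options are separated by ";" and that the keyword argument itself contains no ";" or ")"; the stream_size direction values other than client are assumed from Snort's stream_size syntax.

```python
import re

STREAM_SIZE_OPS = {"=", "!=", ">", "<", ">=", "<="}   # Table 32-31
REASSEMBLE_OPTS = {"noalert", "fastpath"}             # Table 32-32
DIRECTIONS = ("server", "client", "both")

def parse_stream_reassemble(arg):
    """Validate 'enable|disable, server|client|both, option, option'."""
    parts = [p.strip() for p in arg.split(",")]
    if not 2 <= len(parts) <= 4:
        raise ValueError("stream_reassemble takes 2 to 4 fields: %r" % arg)
    action, direction, *options = parts
    if action not in ("enable", "disable"):
        raise ValueError("first field must be enable or disable: %r" % action)
    if direction not in DIRECTIONS:
        raise ValueError("second field must be server, client or both: %r" % direction)
    unknown = [o for o in options if o not in REASSEMBLE_OPTS]
    if unknown or len(set(options)) != len(options):
        raise ValueError("unknown or repeated option(s): %r" % options)
    return {"action": action, "direction": direction,
            "noalert": "noalert" in options, "fastpath": "fastpath" in options}

def parse_stream_size(arg):
    """Validate 'direction, operator, bytes', e.g. 'client, >=, 5001216'.
    Directions other than 'client' are assumed from Snort's stream_size syntax."""
    parts = [p.strip() for p in arg.split(",")]
    if len(parts) != 3:
        raise ValueError("stream_size takes exactly 3 fields: %r" % arg)
    direction, op, size = parts
    if direction not in DIRECTIONS + ("either",):
        raise ValueError("bad direction: %r" % direction)
    if op not in STREAM_SIZE_OPS:
        raise ValueError("bad operator: %r" % op)
    if not size.isdigit():
        raise ValueError("size must be a non-negative integer: %r" % size)
    return {"direction": direction, "op": op, "bytes": int(size)}

def keyword_args(rule, keyword):
    """Return the argument string of 'keyword:args' in a rule, or None if absent.
    Assumes ';' separates options and the argument contains no ';' or ')'."""
    m = re.search(r"\b%s\s*:\s*([^;)]+)" % re.escape(keyword), rule)
    return m.group(1).strip() if m else None

# The rule from the guide above, used as sample input.
EXAMPLE_RULE = ('alert tcp any 80 -> any any (flow:to_client, established; '
                'content:"200 OK"; stream_reassemble:disable, client, noalert;)')

if __name__ == "__main__":
    print(parse_stream_reassemble(keyword_args(EXAMPLE_RULE, "stream_reassemble")))
    print(parse_stream_size("client, >=, 5001216"))
```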