Cisco FirePOWER Appliance 8390
32-15
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
You can specify multiple content matches in a single rule. To do this, use additional instances of the content keyword. For each content match, you can indicate that content matches must be found in the packet payload or stream for the rule to trigger.
You should almost always follow a content keyword by modifiers that indicate where the content should be searched for, whether the search is case-sensitive, and other options. See for more information about modifiers to the content keyword.
Note that all content matches must be true for the rule to trigger an event; that is, each content match has an AND relationship with the others.
Note also that, in an inline deployment, you can set up rules that match malicious content and then replace it with your own text string of equal length. See for more information.
To enter content to be matched:
Access: Admin/Intrusion Admin
Step 1 In the content field, type the content you want to find (for example, |90C8 C0FF FFFF|/bin/sh). If you want to search for any content that is not the specified content, select the Not check box.
Caution: You may invalidate your intrusion policy if you create a rule that includes only one content keyword and that keyword has the Not option selected. For more information, see .
Step 2 Optionally, add additional keywords that modify the content keyword or add constraints for the keyword. For more information on other keywords, see . For more information on constraining the content keyword, see .
Step 3 Continue with creating or editing the rule. See for more information.
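The following Python script is an added example; it is not part of the FireSIGHT guide and is not Cisco's code. It models the content keyword semantics described above in simplified form: how a content string that mixes |hex| runs and ASCII (such as |90C8 C0FF FFFF|/bin/sh) is turned into bytes, how several content keywords in one rule combine with AND, why a rule whose only content keyword has Not selected fires on almost every packet, and why an inline replace string must be exactly as long as the content it replaces. It also previews the kind of modifiers the next section covers; the field names nocase, offset and depth follow Snort conventions and are assumptions of this example, not the guide's terms, and the two sample payloads are constructed, not captured traffic.

```python
# Added example: a simplified model of Snort/FireSIGHT "content" matching.
# Not Cisco code; field names nocase/offset/depth follow Snort conventions
# and the payloads below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


def parse_content(spec: str) -> bytes:
    """Convert a content string such as "|90C8 C0FF FFFF|/bin/sh" to bytes.

    Text outside |...| is taken literally (ASCII); text inside |...| is a run
    of hex bytes, optionally separated by spaces.
    """
    out = bytearray()
    pos = 0
    while pos < len(spec):
        if spec[pos] == "|":
            end = spec.find("|", pos + 1)
            if end == -1:
                raise ValueError(f"unterminated hex run in {spec!r}")
            hexrun = spec[pos + 1:end].replace(" ", "")
            if len(hexrun) % 2:
                raise ValueError(f"odd-length hex run in {spec!r}")
            out += bytes.fromhex(hexrun)
            pos = end + 1
        else:
            out += spec[pos].encode("ascii")
            pos += 1
    return bytes(out)


@dataclass
class ContentMatch:
    """One content keyword plus the modifiers that constrain it."""
    spec: str
    negated: bool = False        # the "Not" check box
    nocase: bool = False         # case-insensitive search
    offset: int = 0              # skip this many payload bytes before searching
    depth: Optional[int] = None  # search at most this many bytes after offset

    def present(self, payload: bytes) -> bool:
        """True if the raw pattern occurs inside the constrained window."""
        needle = parse_content(self.spec)
        window = payload[self.offset:]
        if self.depth is not None:
            window = window[:self.depth]
        if self.nocase:
            needle, window = needle.lower(), window.lower()
        return needle in window

    def satisfied(self, payload: bytes) -> bool:
        # A negated (Not) content is satisfied when the pattern is absent.
        return self.present(payload) != self.negated


def rule_triggers(contents: List[ContentMatch], payload: bytes) -> bool:
    """All content keywords in a rule are ANDed: every one must be satisfied."""
    return all(c.satisfied(payload) for c in contents)


def apply_replace(payload: bytes, spec: str, replacement: str) -> bytes:
    """Inline replace: the new text must be exactly as long as the match."""
    needle, repl = parse_content(spec), parse_content(replacement)
    if len(repl) != len(needle):
        raise ValueError("replacement must have the same length as the content")
    return payload.replace(needle, repl, 1)


# Constructed sample payloads (not captured traffic).
SHELL_PAYLOAD = b"\x90\xc8\xc0\xff\xff\xff/bin/sh\x00"
HTTP_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    rule = [ContentMatch("|90C8 C0FF FFFF|"), ContentMatch("/bin/sh")]
    print("shell payload triggers:", rule_triggers(rule, SHELL_PAYLOAD))
    print("HTTP payload triggers:", rule_triggers(rule, HTTP_PAYLOAD))
    # The Caution above: a rule whose only content is negated fires on
    # every packet that lacks the pattern, i.e. on almost all traffic.
    lone_not = [ContentMatch("/bin/sh", negated=True)]
    print("lone Not content fires on HTTP:", rule_triggers(lone_not, HTTP_PAYLOAD))
    print("inline replace:", apply_replace(SHELL_PAYLOAD, "/bin/sh", "/xxx/xx"))
```

Running the script shows the two-content rule firing only on the constructed shell payload, the lone Not rule firing on ordinary HTTP, and the equal-length replacement succeeding; a shorter replacement raises ValueError, which is the engine-side reason for the equal-length requirement stated above.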
Constraining Content Matches
License: Protection
You can constrain the location and case-sensitivity of content searches with parameters that modify the content keyword. Configure options that modify the content keyword to specify the content for which you want to search.
For more information, see the following sections: