Cisco Cisco FirePOWER Appliance 8390
32-49
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
The seq keyword allows you to specify a static sequence number value. Packets whose sequence number matches the specified argument trigger the rule containing the keyword. While this keyword is used rarely, it is helpful in identifying attacks and network scans that use generated packets with static sequence numbers.
Identifying TCP Windows of a Given Size
License: Protection
You can use the window keyword to specify the TCP window size you are interested in. A rule containing this keyword triggers whenever it encounters a packet with the specified TCP window size. While this keyword is used rarely, it is helpful in identifying attacks and network scans that use generated packets with static TCP window sizes.
Identifying TCP Streams of a Given Size
License: Protection
You can use the stream_size keyword in conjunction with the stream preprocessor to determine the size in bytes of a TCP stream, using the format:
direction,operator,bytes
where bytes is the number of bytes.
Note that you must separate each option in the argument with a comma (,).
TCP stream preprocessing must be enabled to use the stream_size keyword in a rule. See for more information. When TCP stream preprocessing is disabled and you enable rules that use this keyword, you are prompted whether to enable TCP stream preprocessing when you save the policy. See for more information.
The following table describes the case-insensitive directional options you can specify for the stream_size keyword:

Table 32-30 stream_size Keyword Directional Arguments

Argument   Description
client     triggers on a stream from the client matching the specified stream size.
server     triggers on a stream from the server matching the specified stream size.
both       triggers on traffic from the client and traffic from the server both matching the specified stream size. For example, the argument both, >, 200 would trigger when traffic from the client is greater than 200 bytes AND traffic from the server is greater than 200 bytes.
either     triggers on traffic from either the client or the server matching the specified stream size, whichever occurs first. For example, the argument either, >, 200 would trigger when traffic from the client is greater than 200 bytes OR traffic from the server is greater than 200 bytes.

The following table describes the operators you can use with the stream_size keyword:
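The following is an added example, not code from the guide or from Cisco, showing how a stream_size argument such as both, >, 200 is parsed and how the four directional options are evaluated against a stream's per-direction byte counts. The operator set is assumed from the Snort stream_size keyword (this page's operator table is not reproduced here), and the byte counts in the usage lines are constructed sample values.

```python
# Evaluate a Snort/FireSIGHT stream_size argument against a TCP stream's byte counts.
# Operators are assumed from Snort's stream_size keyword; the guide's operator table
# is not part of this page, so the list below is an assumption.
OPERATORS = {
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
}
DIRECTIONS = {"client", "server", "both", "either"}


def parse_stream_size(arg):
    """Parse 'direction,operator,bytes'. Options are comma-separated; direction is case-insensitive."""
    parts = [p.strip() for p in arg.split(",")]
    if len(parts) != 3:
        raise ValueError(f"expected direction,operator,bytes, got {arg!r}")
    direction, op, nbytes = parts[0].lower(), parts[1], parts[2]
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction {parts[0]!r}")
    if op not in OPERATORS:
        raise ValueError(f"unknown operator {op!r}")
    if not nbytes.isdigit():
        raise ValueError(f"bytes must be a non-negative integer, got {nbytes!r}")
    return direction, op, int(nbytes)


def stream_size_matches(arg, client_bytes, server_bytes):
    """Return True if a reassembled stream with these per-direction byte counts would trigger the rule."""
    direction, op, limit = parse_stream_size(arg)
    test = OPERATORS[op]
    client_hit = test(client_bytes, limit)  # bytes sent by the client
    server_hit = test(server_bytes, limit)  # bytes sent by the server
    if direction == "client":
        return client_hit
    if direction == "server":
        return server_hit
    if direction == "both":
        return client_hit and server_hit   # client AND server must match
    # "either": whichever side matches first; evaluated over a finished stream, this is an OR
    return client_hit or server_hit


if __name__ == "__main__":
    # Constructed sample stream: client sent 300 bytes, server sent 150 bytes.
    print(stream_size_matches("both, >, 200", 300, 150))    # False: server side is not > 200
    print(stream_size_matches("either, >, 200", 300, 150))  # True: client side is > 200
```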