Cisco FirePOWER Appliance 8390
32-79
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
The fragoffset keyword tests the offset of a fragmented packet. This is useful because some exploits (such as WinNuke denial-of-service attacks) use hand-generated packet fragments that have specific offsets.
For example, to test whether the offset of a fragmented packet is 31337 bytes, specify 31337 as the fragoffset value.
You can use the following operators when specifying arguments for the fragoffset keyword. Note that you cannot use the not (!) operator in combination with < or >.
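As an added example (not code from the guide or from the FireSIGHT product), the following Python model shows how a fragoffset argument using these operators is parsed and evaluated against the 13-bit fragment offset field of a raw IPv4 header, including the rule that ! cannot be combined with < or >. The IPv4 header bytes are constructed for the example, and comparing the argument with the raw field value (which the header stores in units of 8 octets) is an assumption about units.

```python
import struct

def parse_fragoffset_arg(arg):
    """Parse a fragoffset argument such as '31337', '!0', '>1' or '<8' into
    (negate, op, value). As the guide states, '!' cannot be combined with
    '<' or '>', so that form is rejected."""
    arg = arg.strip()
    negate = arg.startswith("!")
    if negate:
        arg = arg[1:].strip()
    op = "="
    if arg[:1] in ("<", ">"):
        op, arg = arg[0], arg[1:].strip()
    if negate and op != "=":
        raise ValueError("fragoffset: '!' cannot be combined with '<' or '>'")
    if not arg.isdigit():
        raise ValueError("fragoffset: a numeric value is required")
    return negate, op, int(arg)

def ipv4_frag_offset(header):
    """Return the 13-bit fragment offset field of a raw IPv4 header. Bytes 6-7
    hold three flag bits followed by the offset (in units of 8 octets)."""
    flags_and_offset = struct.unpack("!H", header[6:8])[0]
    return flags_and_offset & 0x1FFF

def fragoffset_matches(arg, header):
    """Evaluate a fragoffset argument against a packet's IPv4 header.
    Assumption: the argument is compared with the raw offset field value."""
    negate, op, value = parse_fragoffset_arg(arg)
    offset = ipv4_frag_offset(header)
    if op == ">":
        return offset > value
    if op == "<":
        return offset < value
    return offset != value if negate else offset == value

def build_ipv4_header(frag_offset, more_fragments=False):
    """Constructed 20-byte IPv4 header (UDP, checksum left zero) for testing."""
    flags = 0x2000 if more_fragments else 0          # MF bit
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 40, 0x1234,           # ver/IHL, TOS, length, ID
                       flags | (frag_offset & 0x1FFF),
                       64, 17, 0,                     # TTL, protocol, checksum
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

# A rule written with "fragoffset:!0;" matches every non-first fragment.
print(fragoffset_matches("!0", build_ipv4_header(185)))   # True
```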
cvs
License:
Protection
The cvs keyword tests Concurrent Versions System (CVS) traffic for malformed CVS entries. An attacker can use a malformed entry to force a heap overflow and execute malicious code on the CVS server. This keyword can be used to identify attacks against two known CVS vulnerabilities: CVE-2004-0396 (CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7) and CVE-2004-0414 (CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16). The cvs keyword checks for a well-formed entry, and generates alerts when a malformed entry is detected.
Your rule should include the ports where CVS runs. In addition, any ports where traffic may occur should be added to the list of ports for stream reassembly in your TCP policies so state can be maintained for CVS sessions. The TCP ports 2401 (pserver) and 514 (rsh) are included in the list of client ports where stream reassembly occurs. However, note that if your server runs as an xinetd server (i.e., pserver), it can run on any TCP port. Add any non-standard ports to the stream reassembly Client Ports list. For more information, see .
To detect malformed CVS entries:
Access: Admin/Intrusion Admin
Step 1 Add the cvs option to a rule and type invalid-entry as the keyword argument.
Reading Packet Data into Keyword Arguments
License:
Protection
You can use the byte_extract keyword to read a specified number of bytes from a packet into a variable. You can then use the variable later in the same rule as the value for specific arguments in certain other detection keywords.
Table 32-45 fragoffset Keyword Argument Operators
Operator    Description
!           not
>           greater than
<           less than