Cisco FirePOWER Appliance 8130
32-37
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
• EZBoard.cgi
• ezman.cgi
• ezadmin.cgi
• EZAdmin.cgi
This example would not match:
• ezez.cgi
• fez.cgi
• abcezboard.cgi
• ezboardman.cgi
• /mail(file|seek)\.cgi/U
This example searches the packet payload for mail, followed by either file or seek, in URI data.
This example would match:
• mailfile.cgi
• mailseek.cgi
This example would not match:
• MailFile.cgi
• mailfilefile.cgi
• m?http\\x3a\x2f\x2f.*(\n|\t)+?U
This example searches URI content in the packet payload for a tab or newline character in an HTTP request, after any number of characters. This example uses the m?regex? delimiter form to avoid writing http\:\/\/ in the expression. Note that in that form the colon is preceded by a backslash.
This example would match:
• http://www.example.com?scriptvar=x&othervar=\n\..\..
• http://www.example.com?scriptvar=\t
This example would not match:
• ftp://ftp.example.com?scriptvar=&othervar=\n\..\..
• http://www.example.com?scriptvar=|/bin/sh -i|
• m?http\\x3a\x2f\x2f.*=\|.*\|+?sU
This example searches the packet payload for a URL containing any number of characters, including newlines, followed by an equal sign and then a pair of pipe characters enclosing any number of characters or white space. This example uses the m?regex? delimiter form to avoid writing http\:\/\/ in the expression.
This example would match:
• http://www.example.com?value=|/bin/sh/ -i|
• http://www.example.com?input=|cat /etc/passwd|
This example would not match:
• ftp://ftp.example.com?value=|/bin/sh/ -i|
• http://www.example.com?value=x&input?|cat /etc/passwd|
• /[0-9a-f]{2}\:[0-9a-f]{2}\:[0-9a-f]{2}\:[0-9a-f]{2}\:[0-9a-f]{2}\:[0-9a-f]{2}/i
This example searches the packet payload for any MAC address. Note that it escapes the colon characters with backslashes, and that the i modifier makes the hex digits case-insensitive.
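The following harness, added here as an example and not part of the FireSIGHT guide or the Snort code base, parses the two pcre argument forms shown above (/regex/flags and m?regex?flags), maps the engine modifiers i, s, m and x onto Python re flags, treats U as a buffer selector rather than a regex flag, and replays the page's match and no-match lists against Python's regex engine. It assumes the doubled backslash before x3a on the page is rule-string escaping and writes the pattern with a single backslash; the payload strings are constructed from the page's lists.

```python
import re

# Snort pcre modifiers that change the regex engine; buffer selectors such as
# U (normalised URI) only choose what is scanned, so they map to no re flag.
_FLAG_MAP = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}

def parse_snort_pcre(spec):
    """Split "/regex/flags" or "m<d>regex<d>flags" into (pattern, re flags, buffers)."""
    if spec.startswith("m") and len(spec) > 1 and not spec[1].isalnum():
        delim, body = spec[1], spec[2:]   # alternate delimiter, as in m?...?U
    elif spec.startswith("/"):
        delim, body = "/", spec[1:]
    else:
        raise ValueError("not a pcre argument: %r" % spec)
    end = body.rfind(delim)               # modifier letters never contain it
    if end < 0:
        raise ValueError("unterminated pattern: %r" % spec)
    pattern, mods = body[:end], body[end + 1:]
    flags = 0
    for m in mods:
        flags |= _FLAG_MAP.get(m, 0)
    return pattern, flags, "".join(m for m in mods if m not in _FLAG_MAP)

def matches(spec, payload):
    """True if the pcre argument would fire on this already-selected buffer."""
    pattern, flags, _ = parse_snort_pcre(spec)
    return re.search(pattern, payload, flags) is not None

# Constructed table of the page's match / no-match lists (real newline and tab chars).
PAGE_EXAMPLES = [
    (r"/mail(file|seek)\.cgi/U", ["mailfile.cgi", "mailseek.cgi"],
     ["MailFile.cgi", "mailfilefile.cgi"]),
    (r"m?http\x3a\x2f\x2f.*(\n|\t)+?U",
     ["http://www.example.com?scriptvar=x&othervar=\n\\..\\..",
      "http://www.example.com?scriptvar=\t"],
     ["ftp://ftp.example.com?scriptvar=&othervar=\n\\..\\..",
      "http://www.example.com?scriptvar=|/bin/sh -i|"]),
    (r"m?http\x3a\x2f\x2f.*=\|.*\|+?sU",
     ["http://www.example.com?value=|/bin/sh/ -i|",
      "http://www.example.com?input=|cat /etc/passwd|"],
     ["ftp://ftp.example.com?value=|/bin/sh/ -i|",
      "http://www.example.com?value=x&input?|cat /etc/passwd|"]),
]

def check_examples(table=PAGE_EXAMPLES):
    # Returns (spec, payload, expected) triples where re disagrees with the page.
    bad = []
    for spec, should, should_not in table:
        bad += [(spec, p, True) for p in should if not matches(spec, p)]
        bad += [(spec, p, False) for p in should_not if matches(spec, p)]
    return bad
```

An empty list from check_examples() means every listed payload behaves as the page states; note that a real sensor applies the U pattern only to the normalised URI buffer, so feeding a whole packet would change the result.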
Adding Metadata to a Rule
License: Protection