Cisco Cisco Firepower Management Center 2000
32-27
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
The byte_jump keyword calculates the number of bytes defined in a specified byte segment, and then skips that number of bytes within the packet, either forward from the end of the specified byte segment, or from the beginning of the packet payload, depending on the options you specify. This is useful in packets where a specific segment of bytes describes the number of bytes included in variable data within the packet.
The following table describes the arguments required by the byte_jump keyword.
The following table describes options you can use to define how the system interprets the values you specified for the required arguments.
You can specify only one of DCE/RPC, Endian, or Number Type.
If you want to define how the byte_jump keyword calculates the bytes, you can choose from the arguments described in the following table (if neither argument is specified, network byte order is used).
Table 32-7 Required byte_jump Arguments
Argument / Description
Bytes: The number of bytes to calculate from the packet.
Offset: The number of bytes into the payload to start processing. The offset counter starts at byte 0, so calculate the offset value by subtracting 1 from the number of bytes you want to jump forward from the beginning of the packet payload or the last successful content match. You can also use an existing byte_extract variable to specify the value for this argument. See for more information.
Table 32-8 Additional Optional byte_jump Arguments
Argument / Description
Relative: Makes the offset relative to the last pattern found in the last successful content match.
Align: Rounds the number of converted bytes up to the next 32-bit boundary.
Multiplier: Indicates the value by which the rules engine should multiply the byte_jump value obtained from the packet to get the final byte_jump value. That is, instead of skipping the number of bytes defined in a specified byte segment, the rules engine skips that number of bytes multiplied by an integer you specify with the Multiplier argument.
Post Jump Offset: The number of bytes -63535 through 63535 to skip forward or backward after applying other byte_jump arguments. A positive value skips forward and a negative value skips backward. Leave the field blank or enter 0 to disable. See the DCE/RPC argument in the table for byte_jump arguments that do not apply when you select the DCE/RPC argument.
From Beginning: Indicates that the rules engine should skip the specified number of bytes in the payload starting from the beginning of the packet payload, rather than from the end of the byte segment that specifies the number of bytes to skip.
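The skipping rules in the two tables above, as an added Python model of the byte_jump cursor arithmetic (this is not the FireSIGHT or Snort rules engine's own code) run over a constructed length-prefixed payload; the assumed failure behaviour is that a jump whose length field or landing point lies outside the payload fails the option, which is how a rule writer expects an oversized length to be caught rather than reading past the packet.

```python
# Assumed model of the byte_jump arguments described in Tables 32-7 and 32-8;
# not the rules engine's own implementation.

def byte_jump(payload, nbytes, offset, cursor=0, relative=False,
              multiplier=1, align=False, from_beginning=False,
              post_jump_offset=0, little_endian=False):
    """Return the new detection cursor after a byte_jump, or None when the
    jump reads or lands outside the payload (assumed: the option fails)."""
    base = cursor if relative else 0              # Relative: count from last match
    start = base + offset                         # Offset counter starts at byte 0
    if start < 0 or start + nbytes > len(payload):
        return None                               # length field itself out of bounds
    value = int.from_bytes(payload[start:start + nbytes],
                           'little' if little_endian else 'big')  # network order default
    value *= multiplier                           # Multiplier
    if align:                                     # Align: round up to 32-bit boundary
        value = (value + 3) & ~3
    if from_beginning:                            # From Beginning: skip from payload start
        new_cursor = value
    else:                                         # default: skip from end of the segment
        new_cursor = start + nbytes + value
    new_cursor += post_jump_offset                # Post Jump Offset: fixed +/- adjustment
    if new_cursor < 0 or new_cursor > len(payload):
        return None                               # landing past the packet: option fails
    return new_cursor

# Constructed sample payload: two records, each a 2-byte big-endian length
# followed by that many bytes of data ("ABCD" then "XY").
SAMPLE = b"\x00\x04ABCD" + b"\x00\x02XY"

def record_starts(payload, nbytes=2):
    """Walk length-prefixed records with relative byte_jumps and return the
    offset of each record's length field; stop when a jump fails."""
    starts, cursor = [], 0
    while cursor < len(payload):
        starts.append(cursor)
        cursor = byte_jump(payload, nbytes, 0, cursor=cursor, relative=True)
        if cursor is None:
            break
    return starts

if __name__ == "__main__":
    print(record_starts(SAMPLE))                  # [0, 6]
    print(byte_jump(b"\xff\xffAB", 2, 0))         # None: length claims 65535 bytes
```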