Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
1122
Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Chapter 30
the preprocessor when you save the policy. See
.
Snort-Specific Post Regular Expression Modifiers

OPTION  DESCRIPTION

R       Searches for matching content relative to the end of the last match found by the rules engine.

B       Searches for the content within data before it is decoded by a preprocessor (this option is similar to using the Raw Data argument with the content keyword).

U       Searches for the content within the URI of a normalized HTTP request message decoded by the HTTP Inspect preprocessor. Note that you cannot use this option in combination with the content on page 1099 for more information.

        IMPORTANT! A pipelined HTTP request packet contains multiple URIs. A PCRE expression that includes the U option causes the rules engine to search for a content match only in the first URI in a pipelined HTTP request packet. To search all URIs in the packet, use the content keyword with HTTP URI selected, either with or without an accompanying PCRE expression that uses the U option.

I       Searches for the content within the URI of a raw HTTP request message decoded by the HTTP Inspect preprocessor. Note that you cannot use this option in combination with the content keyword HTTP Raw URI option to search the same content. See on page 1099 for more information.

P       Searches for the content within the body of a normalized HTTP request message decoded by the HTTP Inspect preprocessor. See the content keyword HTTP Client Body option in on page 1099 for more information.

H       Searches for the content within the header, excluding cookies, of an HTTP request or response message decoded by the HTTP Inspect preprocessor. Note that you cannot use this option in combination with the content keyword HTTP Header option to search the same content. See on page 1099 for more information.

D       Searches for the content within the header, excluding cookies, of a raw HTTP request or response message decoded by the HTTP Inspect preprocessor. Note that you cannot use this option in combination with the content keyword HTTP Raw Header option to search the same content. See on page 1099 for more information.

M       Searches for the content within the method field of a normalized HTTP request message decoded by the HTTP Inspect preprocessor; the method field identifies the action such as GET, PUT, CONNECT, and so on to take on the resource identified in the URI. See the content keyword HTTP Method option in on page 1099 for more information.
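The pipelining note under the U option can be turned into a rule-set check. The following is an added example, not part of the guide: it scans rules written in Snort text syntax and reports those that inspect the URI only through a PCRE with the U modifier, so they see just the first URI of a pipelined request. It assumes the content keyword's HTTP URI option appears in rule text as the `http_uri` modifier; the function names and sample rules are constructed for illustration.

```python
import re

# pcre:"/regex/modifiers"; the regex body may hold escaped characters such as \/
PCRE_OPT = re.compile(r'pcre:\s*!?"/(?:\\.|[^"\\])*/(?P<mods>[A-Za-z]*)"\s*;')
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')    # any quoted option argument
URI_CONTENT = re.compile(r'\bhttp_uri\s*;')  # assumed text form of content + HTTP URI
SID = re.compile(r'\bsid:\s*(\d+)\s*;')

def pcre_modifiers(rule):
    """Collect the post-regex modifier letters of every pcre option in a rule."""
    mods = set()
    for match in PCRE_OPT.finditer(rule):
        mods.update(match.group("mods"))
    return mods

def first_uri_only(rule):
    """True when the rule inspects the URI solely through pcre with U."""
    bare = QUOTED.sub('""', rule)  # drop quoted text so msg strings cannot match
    return "U" in pcre_modifiers(rule) and not URI_CONTENT.search(bare)

def audit(rules_text):
    """Return the SIDs of rules limited to the first URI of a pipelined request."""
    flagged = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and commented-out rules
        if first_uri_only(line):
            sid = SID.search(QUOTED.sub('""', line))
            flagged.append(int(sid.group(1)) if sid else None)
    return flagged

# Constructed sample rules (not taken from the guide or any shipped rule set).
SAMPLE_RULES = r'''
alert tcp any any -> any 80 (msg:"constructed: pcre U only"; flow:to_server,established; pcre:"/\/admin\/[a-z]+\.php/Ui"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"constructed: content HTTP URI plus pcre U"; flow:to_server,established; content:"/admin/"; http_uri; pcre:"/\/admin\/[a-z]+\.php/Ui"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"constructed: http_uri named in msg only"; pcre:"/cmd=/U"; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"constructed: raw data pcre"; pcre:"/cmd=/B"; sid:1000004; rev:1;)
'''

if __name__ == "__main__":
    for sid in audit(SAMPLE_RULES):
        print(f"sid {sid}: pcre with U and no content HTTP URI match; "
              "only the first URI of a pipelined request is searched")
```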