Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
1123
Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Chapter 30
IMPORTANT! Do not use the U option in combination with the R option. This
could cause performance problems. Also, do not use the U option in combination
with any other HTTP content option (I, P, H, D, M, C, K, S, or Y).
C
When the HTTP Inspect preprocessor Inspect HTTP Cookies option is enabled, searches for
the normalized content within any cookie in an HTTP request header, and also within any
set-cookie in an HTTP response header when the preprocessor Inspect HTTP Responses
option is enabled. When Inspect HTTP Cookies is not enabled, searches the entire header,
including the cookie or set-cookie data.
Note the following:
• Cookies included in the message body are treated as body content.
• You cannot use this option in combination with the content keyword HTTP Cookie option
to search the same content. See on page 1099 for more information.
• The Cookie: and Set-Cookie: header names, leading spaces on the header line, and
the CRLF that terminates the header line are inspected as part of the header and not as
part of the cookie.
K
When the HTTP Inspect preprocessor Inspect HTTP Cookies option is enabled, searches for
the raw content within any cookie in an HTTP request header, and also within any
set-cookie in an HTTP response header when the preprocessor Inspect HTTP Responses
option is enabled. When Inspect HTTP Cookies is not enabled, searches the entire header,
including the cookie or set-cookie data.
Note the following:
• Cookies included in the message body are treated as body content.
• You cannot use this option in combination with the content keyword HTTP Raw Cookie
option to search the same content. See on page 1099 for more information.
• The Cookie: and Set-Cookie: header names, leading spaces on the header line, and
the CRLF that terminates the header line are inspected as part of the header and not as
part of the cookie.
S
Searches the 3-digit status code in an HTTP response. See the content keyword HTTP
Status Code option in on page 1099 for more information.
Y
Searches the textual description that accompanies the status code in an HTTP response.
See the content keyword HTTP Status Message option in page 1099 for more information.
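The buffer boundaries described in the notes for the C and K options, as an added example that is not part of the guide and is not Snort or Sourcefire code. It is a simplified model built only from the text above: the function names, the `inspect_cookies` flag and the sample header are constructed for illustration, and the normalization that distinguishes C from K is not modeled.

```python
import re

# Constructed sample header block (not taken from the guide).
SAMPLE_HEADER = (
    b"Host: www.example.com\r\n"
    b"Cookie:   session=abc123; role=user\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

COOKIE_NAMES = (b"cookie:", b"set-cookie:")


def split_buffers(header_block, inspect_cookies=True):
    """Return (header_buffer, cookie_buffer) as the C/K notes describe.

    With inspect_cookies on, cookie data goes to its own buffer while the
    header name, leading spaces and terminating CRLF stay in the header.
    With it off there is no separate cookie buffer.
    """
    if not inspect_cookies:
        return header_block, b""
    header, cookies = [], []
    for line in header_block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and (name.lower() + b":") in COOKIE_NAMES:
            data = value.lstrip(b" ")
            pad = value[: len(value) - len(data)]
            header.append(name + sep + pad)  # name and leading spaces
            cookies.append(data)             # cookie data only
        else:
            header.append(line)
    # Joining on CRLF keeps each line terminator in the header buffer.
    return b"\r\n".join(header), b"".join(cookies)


def cookie_option_matches(pattern, header_block, inspect_cookies=True):
    """Model where a pcre carrying C or K searches, per the text above."""
    header, cookie = split_buffers(header_block, inspect_cookies)
    target = cookie if inspect_cookies else header
    return re.search(pattern, target) is not None
```

A pattern that includes the `Cookie:` name or the trailing CRLF matches only when cookie inspection is off in this model, which is the rule-writing pitfall the third note points at.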
Snort-Specific Post Regular Expression Modifiers (Continued)
OPTION DESCRIPTION