Cisco Firepower Management Center 4000
32-26
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Note: Make sure that you set the rule state to Generate Events in the inline intrusion policy where you want to use the replace rule; setting the rule to Drop and Generate Events would cause the packet to drop, which would prevent replacing the content.
As part of the string replacement process, the system automatically updates the packet checksums so that the destination host can receive the packet without error.
Note that you cannot use the replace keyword in combination with HTTP request message content keyword options. See and for more information.
To replace content in an inline deployment:
Access: Admin/Intrusion Admin
Step 1 On the Create Rule page, select content in the drop-down list and click Add Option.
The content keyword appears.
Step 2 Specify the content you want to detect in the content field and, optionally, select any applicable arguments. Note that you cannot use the HTTP request message content keyword options with the replace keyword.
Step 3 Select replace in the drop-down list and click Add Option.
The replace keyword appears beneath the content keyword.
Step 4 Specify the replacement string for the specified content in the replace: field.
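The following Python model is an added example, not code from the guide or from the FireSIGHT/Snort rules engine. It shows what the procedure above produces (a rule carrying a content keyword and a replace keyword) and what the inline replacement does to a packet: the matched bytes are overwritten in place and the TCP checksum is recomputed so the destination host accepts the packet. The rule text, the packet builder and the 10.0.0.x addresses are constructed for the example; the example enforces the same-length requirement that the replace keyword places on the replacement string, and it leaves the IP header checksum at zero for brevity.

```python
import struct

# Constructed example rule (not from the guide): rewrite a matched path inside HTTP traffic.
# The replace string must have the same length as the content string it overwrites.
RULE = ('alert tcp any any -> any 80 (msg:"example inline replace"; '
        'content:"/admin"; replace:"/nonex"; sid:1000001; rev:1;)')


def parse_rule_options(rule):
    """Pull the option name/value pairs out of the parenthesised rule body."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options = {}
    for opt in body.split(";"):
        opt = opt.strip()
        if opt:
            name, _, value = opt.partition(":")
            options[name.strip()] = value.strip().strip('"')
    return options


def ones_complement_sum(data):
    """16-bit one's-complement sum used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_packet(src_ip, dst_ip, payload):
    """Constructed IPv4/TCP packet; only the TCP checksum is filled in (IP checksum left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src_ip, dst_ip)
    tcp_hdr = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0))
    struct.pack_into("!H", tcp_hdr, 16, tcp_checksum(src_ip, dst_ip, bytes(tcp_hdr) + payload))
    return ip_hdr + bytes(tcp_hdr) + payload


def split_packet(packet):
    """Return (ihl, src_ip, dst_ip, tcp_header, payload) for an IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    data_offset = (packet[ihl + 12] >> 4) * 4
    return ihl, packet[12:16], packet[16:20], packet[ihl:ihl + data_offset], packet[ihl + data_offset:]


def apply_replace(packet, content, replacement):
    """Mimic the inline replace action: overwrite the first match in place, then fix the TCP checksum."""
    if len(replacement) != len(content):
        raise ValueError("replace string must be the same length as the content string")
    ihl, src_ip, dst_ip, tcp_hdr, payload = split_packet(packet)
    idx = payload.find(content)
    if idx < 0:
        return packet  # no match: the packet passes unchanged
    new_payload = payload[:idx] + replacement + payload[idx + len(content):]
    hdr = bytearray(tcp_hdr)
    struct.pack_into("!H", hdr, 16, 0)  # zero the checksum field before recomputing it
    struct.pack_into("!H", hdr, 16, tcp_checksum(src_ip, dst_ip, bytes(hdr) + new_payload))
    return packet[:ihl] + bytes(hdr) + new_payload


def tcp_checksum_ok(packet):
    """True when the receiving host would accept the TCP checksum as valid."""
    _, src_ip, dst_ip, tcp_hdr, payload = split_packet(packet)
    segment = tcp_hdr + payload
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment) == 0xFFFF


if __name__ == "__main__":
    opts = parse_rule_options(RULE)
    pkt = build_packet(bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]), b"GET /admin/login HTTP/1.1\r\n\r\n")
    rewritten = apply_replace(pkt, opts["content"].encode(), opts["replace"].encode())
    print(split_packet(rewritten)[4], tcp_checksum_ok(rewritten))
```

Rewriting the payload without touching the checksum leaves a packet the destination host discards, which is why the checksum update is part of the replacement and why a rule set to drop the packet cannot replace anything.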
Using Byte_Jump and Byte_Test
License: Protection
You can use byte_jump and byte_test to calculate where in a packet the rules engine should begin testing for a data match, and which bytes it should evaluate.
You can also use the byte_jump and byte_test DCE/RPC argument to tailor either keyword for traffic processed by the DCE/RPC preprocessor. When you use the DCE/RPC argument, you can also use byte_jump and byte_test in conjunction with other specific DCE/RPC keywords. See and for more information.
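The following Python model of the detection cursor is an added example, not code from the guide or from the Snort rules engine. It shows how byte_test and byte_jump decide where the engine looks next: byte_test converts bytes at an offset to a number and compares it without moving the cursor, while byte_jump converts bytes to a number and moves the cursor past the converted bytes by that amount (optionally multiplied, rounded up to a 4-byte boundary, or measured from the start of the payload). Those semantics are my reading of the keywords' behaviour; the length-prefixed record format, the rule in oversized_record and the DetectCursor class are constructed for the example, and the DCE/RPC argument is not modelled.

```python
import operator

# byte_test comparison operators (Snort syntax): <, >, =, !, & (bitwise AND), ^ (bitwise XOR)
OPERATORS = {
    "<": operator.lt, ">": operator.gt, "=": operator.eq, "!": operator.ne,
    "&": lambda num, value: (num & value) != 0,
    "^": lambda num, value: (num ^ value) != 0,
}


class DetectCursor:
    """Assumed model of the rules engine's detection position.

    The cursor starts at the beginning of the payload, moves to the end of each
    successful content match and to the position computed by byte_jump, and is
    left where it is by byte_test.
    """

    def __init__(self, payload):
        self.payload = payload
        self.pos = 0

    def content(self, pattern, relative=False, within=None):
        """content:"..."[,distance:0][,within:N] -- search from the cursor when relative."""
        start = self.pos if relative else 0
        end = len(self.payload) if within is None else start + within
        idx = self.payload.find(pattern, start, end)  # pattern must fit entirely in [start, end)
        if idx < 0:
            return False
        self.pos = idx + len(pattern)
        return True

    def _convert(self, nbytes, offset, relative, endian):
        """Read nbytes at offset (absolute, or from the cursor when relative) as an integer."""
        start = (self.pos if relative else 0) + offset
        if start < 0:
            return None, start
        chunk = self.payload[start:start + nbytes]
        if len(chunk) != nbytes:
            return None, start  # not enough payload left to convert
        return int.from_bytes(chunk, endian), start + nbytes

    def byte_test(self, nbytes, op, value, offset, relative=False, endian="big"):
        """byte_test:<nbytes>,<op>,<value>,<offset>[,relative][,little] -- compares, cursor unchanged."""
        num, _ = self._convert(nbytes, offset, relative, endian)
        return num is not None and OPERATORS[op](num, value)

    def byte_jump(self, nbytes, offset, relative=False, multiplier=1, align=False,
                  from_beginning=False, post_offset=0, endian="big"):
        """byte_jump:<nbytes>,<offset>[,relative][,multiplier N][,align][,from_beginning][,post_offset N]"""
        num, after = self._convert(nbytes, offset, relative, endian)
        if num is None:
            return False
        jump = num * multiplier
        if align:  # round the jump up to the next 4-byte boundary
            jump = (jump + 3) & ~3
        new_pos = (0 if from_beginning else after) + jump + post_offset
        if not 0 <= new_pos <= len(self.payload):
            return False  # jump would leave the payload: the rule does not match
        self.pos = new_pos
        return True


def oversized_record(payload, limit=16):
    """Constructed rule logic: flag a length-prefixed record whose declared length exceeds
    `limit` and whose END trailer really sits where the length field says it does.

    Rule equivalent (assumed syntax):
      content:"REC"; byte_test:2,>,16,0,relative; byte_jump:2,0,relative;
      content:"END"; distance:0; within:3;
    """
    cursor = DetectCursor(payload)
    return (cursor.content(b"REC")
            and cursor.byte_test(2, ">", limit, 0, relative=True)
            and cursor.byte_jump(2, 0, relative=True)
            and cursor.content(b"END", relative=True, within=3))


if __name__ == "__main__":
    record = b"REC" + (20).to_bytes(2, "big") + b"A" * 20 + b"END"  # constructed sample record
    print(oversized_record(record))
```

Checking the trailer after the jump is what makes the rule robust against a length field that lies: a record that claims more data than the packet carries fails at byte_jump rather than matching on the header alone.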
See the following sections for more information:
•
•
byte_jump
License: Protection