Cisco FirePOWER Appliance 7020
32-95
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
• Encoding Location: HTTP URI
• Encoding Type: uencode

The example configuration searches the HTTP URI for UTF-8 AND Microsoft IIS %u encoding.
Pointing to a Specific Payload Type
License: Protection
The file_data keyword provides a pointer that serves as a reference for the positional arguments available for other keywords such as content, byte_jump, byte_test, and pcre. The detected traffic determines the type of data the file_data keyword points to. You can use the file_data keyword to point to the beginning of the following payload types:
• HTTP response body
To inspect HTTP response packets, the HTTP Inspect preprocessor must be enabled and you must configure the preprocessor to inspect HTTP responses. See and Inspect HTTP Responses for more information. The file_data keyword matches if the HTTP Inspect preprocessor detects HTTP response body data.
• Uncompressed gzip file data
To inspect uncompressed gzip files in the HTTP response body, the HTTP Inspect preprocessor must be enabled and you must configure the preprocessor to inspect HTTP responses and to decompress gzip-compressed files in the HTTP response body. For more information, see , and the Inspect HTTP Responses and Inspect Compressed Data options in . The file_data keyword matches if the HTTP Inspect preprocessor detects uncompressed gzip data in the HTTP response body.
• Normalized Javascript
To inspect normalized Javascript data, the HTTP Inspect preprocessor must be enabled and you must configure the preprocessor to inspect HTTP responses. See and Inspect HTTP Responses for more information. The file_data keyword matches if the HTTP Inspect preprocessor detects Javascript in response body data.
• SMTP payload
To inspect the SMTP payload, the SMTP preprocessor must be enabled. See for more information. The file_data keyword matches if the SMTP preprocessor detects SMTP data.
• Encoded email attachments in SMTP, POP, or IMAP traffic
To inspect email attachments in SMTP, POP, or IMAP traffic, the SMTP, POP, or IMAP preprocessor, respectively, must be enabled, alone or in any combination. Then, for each enabled preprocessor, you must ensure that the preprocessor is configured to decode each attachment encoding type that you want decoded. The attachment decoding options that you can configure for each preprocessor are: Base64 Decoding Depth, 7-Bit/8-Bit/Binary Decoding Depth, Quoted-Printable Decoding Depth, and Unix-to-Unix Decoding Depth. See for more information.
You can use multiple file_data keywords in a rule.
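The following rule is an added example, not from this guide, showing how file_data anchors the positional arguments of content and pcre at the start of an HTTP response body and how a second file_data resets the pointer; the message text, patterns, and sid are constructed for illustration.

```snort
# Added example rule (constructed, not from the Cisco guide).
# Requires the HTTP Inspect preprocessor with Inspect HTTP Responses
# enabled (and Inspect Compressed Data if the body may be gzip-compressed).
# file_data moves the detection pointer to the start of the response body,
# so depth:512 on the first content is measured from the body start, not
# from the start of the packet or the HTTP headers.
# distance:0 / within:4096 are relative to the end of the previous match.
# The second file_data resets the pointer to the body start again, so the
# following content's depth:1024 is once more measured from the body start
# rather than from the previous match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE HTML response body with script using unescape and eval"; \
    flow:to_client,established; \
    file_data; \
    content:"<script"; nocase; depth:512; \
    content:"unescape("; nocase; distance:0; within:4096; \
    pcre:"/unescape\(\s*[\x22\x27]%u[0-9a-f]{4}/i"; \
    file_data; \
    content:"eval("; nocase; depth:1024; \
    classtype:trojan-activity; sid:1000001; rev:1; \
)
```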