Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Constructing a Rule
base64_data
License: Protection
The base64_data keyword provides a reference for inspecting Base64 data decoded using the base64_decode keyword. The base64_data keyword sets inspection to begin at the start of the decoded Base64 data. Optionally, you can then use the positional arguments available for other keywords such as content or byte_test to further specify the location to inspect.
You must use the base64_data keyword at least once after using the base64_decode keyword; optionally, you can use base64_data multiple times to return to the beginning of the decoded Base64 data.
Note the following when inspecting Base64 data:
• You cannot use the fast pattern matcher; see for more information.
• If you interrupt Base64 inspection in a rule with an intervening HTTP content argument, you must insert another base64_data keyword in the rule before further inspecting Base64 data; see for more information.
To inspect decoded Base64 data:
Access: Admin/Intrusion Admin
Step 1 On the Create Rule page, select base64_data from the drop-down list and click Add Option.
The base64_data keyword appears.
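The following rule is an added illustration, not taken from the Cisco guide, of how base64_decode and repeated base64_data keywords position inspection, written in standard text rule syntax. The NTLM-over-HTTP scenario, the message text, the variables, and the SID are assumptions chosen for the example.

```snort
# Added example (constructed): detect an NTLM NEGOTIATE message carried
# Base64-encoded in an HTTP Authorization header.
#
# 1. content:"Authorization: NTLM " matches raw packet data and leaves the
#    cursor at the first Base64 character.
# 2. base64_decode:relative decodes starting from that cursor position.
# 3. The first base64_data moves inspection to the start of the decoded
#    data; content with depth:8 must find the 8-byte NTLMSSP signature there.
# 4. The content match moved the cursor past the signature, so a second
#    base64_data returns to the start of the decoded data. byte_test then
#    reads the 4-byte little-endian message type at offset 8 from that
#    start and requires it to equal 1 (NEGOTIATE).
#
# msg, sid, rev and the network variables are placeholders for this example.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE Base64 NTLMSSP NEGOTIATE in Authorization header"; \
    flow:to_server,established; \
    content:"Authorization: NTLM "; \
    base64_decode:relative; \
    base64_data; \
    content:"NTLMSSP|00|"; depth:8; \
    base64_data; \
    byte_test:4,=,1,8,relative,little; \
    sid:1000001; rev:1;)
```

Every option after the first base64_data inspects decoded data, so none of those content matches can be selected for the fast pattern matcher; the header content ahead of base64_decode is the only raw-packet pattern in this rule.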
Constructing a Rule
License: Protection
Just as you can create your own custom standard text rules, you can also modify existing standard text rules and shared object rules provided by Cisco and save your changes as a new rule. Note that for shared object rules provided by Cisco, you are limited to modifying rule header information such as the source and destination ports and IP addresses. You cannot modify the rule keywords and arguments in a shared object rule.
See the following sections for more information:
Writing New Rules
License: Protection
You can create your own standard text rules.