Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
32-78
For example, in a rule searching for the content foo, if the value for isdataat is specified as the following:
• Offset = !10
• Relative = enabled
The system alerts if the rules engine does not detect 10 bytes after foo before the payload ends.
To use isdataat:
Access: Admin/Intrusion Admin
Step 1 On the Create Rule page, select isdataat in the drop-down list and click Add Option.
The isdataat section appears.
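To make the Offset, ! and Relative arguments concrete, here is a small Python evaluator for the isdataat option (and for sameip, covered below, which needs no argument). It is an added example, not code from the FireSIGHT guide or from the rules engine; the function names (content_match, isdataat, sameip, rule_foo_isdataat_not_10), the IsDataAt dataclass and the sample payloads are my own. It follows the zero-based counting Table 32-44 gives for the Relative argument (relative offset 8 is the ninth byte after the match) and assumes the same counting for an absolute offset. Under that counting, content:"foo"; isdataat:!10,relative; fires when the byte at relative offset 10 does not exist, that is, when fewer than 11 bytes follow foo before the payload ends. The Raw Data argument only selects which buffer (raw payload versus preprocessor-normalized payload) the check runs over, so it is not modeled.

```python
# Added example, not from the FireSIGHT guide: an evaluator for the isdataat
# and sameip rule options as the guide describes them.  All names below are
# my own, and the payloads and addresses are constructed sample input.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass
class IsDataAt:
    offset: int             # byte position to test (the Offset argument)
    negated: bool = False   # the "!" modifier on Offset
    relative: bool = False  # the Relative argument


def content_match(payload: bytes, pattern: bytes, start: int = 0) -> Optional[int]:
    """Find pattern in payload at or after start.

    Returns the index just past the match, which is the cursor a following
    relative isdataat counts from, or None if the content is absent.
    """
    idx = payload.find(pattern, start)
    return None if idx < 0 else idx + len(pattern)


def isdataat(payload: bytes, opt: IsDataAt, cursor: int = 0) -> bool:
    """Evaluate one isdataat option against a payload.

    Without Relative, Offset is counted from byte 0 of the payload (assumed
    here to match the relative counting).  With Relative it is counted from
    the cursor left by the last content match, and the counter again starts
    at 0, so offset 8 tests the ninth byte after the match.  "!" inverts the
    result: the option is then true when that byte is NOT present.
    """
    base = cursor if opt.relative else 0
    present = 0 <= base + opt.offset < len(payload)  # does that byte exist?
    return (not present) if opt.negated else present


def sameip(src: str, dst: str) -> bool:
    """sameip takes no argument: true when source and destination are equal.

    Parsed addresses are compared so that textual variants of one address
    (e.g. an IPv6 address written with and without leading zeros) still match.
    """
    return ip_address(src) == ip_address(dst)


def rule_foo_isdataat_not_10(payload: bytes) -> bool:
    """content:"foo"; isdataat:!10,relative;  (the guide's worked example).

    With the zero-based relative counter, offset 10 is the eleventh byte
    after "foo", so the rule fires when fewer than 11 bytes follow the match
    before the payload ends.  No "foo" at all means no match, because a
    failed content option ends evaluation of the rule.
    """
    cursor = content_match(payload, b"foo")
    if cursor is None:
        return False
    return isdataat(payload, IsDataAt(offset=10, negated=True, relative=True), cursor)


if __name__ == "__main__":
    # Constructed sample payloads.
    short = b"GET /foo HTTP"               # only 5 bytes follow "foo": alert
    long_ = b"GET /foo HTTP/1.1\r\n\r\n"   # 13 bytes follow "foo": no alert
    print(rule_foo_isdataat_not_10(short), rule_foo_isdataat_not_10(long_))
    print(sameip("10.0.0.1", "10.0.0.1"), sameip("10.0.0.1", "10.0.0.2"))
```

Run stand-alone, the block prints True False for the two constructed payloads and True False for the two sameip comparisons. The cursor returned by content_match is what makes Relative meaningful: an isdataat without a preceding content match has nothing to be relative to, which is why the guide pairs Relative with "the last successful content match".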
Table 32-44 isdataat Arguments

Argument: Offset
Type: Required
Description: The specific location in the payload. For example, to test that data appears at byte 50 in the packet payload, you would specify 50 as the offset value. A ! modifier negates the results of the isdataat test; it alerts if a certain amount of data is not present within the payload. You can also use an existing byte_extract variable to specify the value for this argument. See for more information.

Argument: Relative
Type: Optional
Description: Makes the location relative to the last successful content match. If you specify a relative location, note that the counter starts at byte 0, so calculate the location by subtracting 1 from the number of bytes you want to move forward from the last successful content match. For example, to specify that the data must appear at the ninth byte after the last successful content match, you would specify a relative offset of 8.

Argument: Raw Data
Type: Optional
Description: Specifies that the data is located in the original packet payload before decoding or application layer normalization by any FireSIGHT System preprocessor. You can use this argument with Relative if the previous content match was in the raw packet data.

sameip
License: Protection
The sameip keyword tests that a packet's source and destination IP addresses are the same. It does not take an argument.

fragoffset
License: Protection