Cisco FirePOWER Appliance 7020
32-93
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
When the first rule fragment detects a JPEG file download, the flowbits:setx,http.jpeg,image_downloads keyword sets the flowbits state to http.jpeg and includes the state in the image_downloads group.
The next rule then detects a subsequent GIF file download:
(msg:"GIF transfer"; content:"image/"; pcre:"/^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2fgif/smi"; flowbits:setx,http.gif,image_downloads; flowbits:noalert;)
The following diagram illustrates the effect of the flowbits keyword in the preceding rule fragment:
When the second rule fragment matches the GIF download, the flowbits:setx,http.gif,image_downloads keyword sets the http.gif flowbits state and unsets http.jpeg, the other state in the group.
The third rule fragment does not result in a false positive:
(msg:"JPEG exploit"; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/";)
The following diagram illustrates the effect of the flowbits keyword in the preceding rule fragment:
Because flowbits:isset,http.jpeg is false, the rules engine stops processing the rule and no event is generated, thus avoiding a false positive even in a case where content in the GIF file matches exploit content for a JPEG file.
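The following Python model of the three rule fragments is an added example, not part of the Cisco guide: it implements the setx group semantics described above and replays constructed HTTP traffic through the rules, showing that the exploit rule fires after a JPEG download but not after a later GIF download clears http.jpeg. The first (JPEG) rule is not shown in full on the page and is assumed here to mirror the GIF rule with image/jpeg; the sample payloads are constructed.

```python
import re

class FlowbitsState:
    """Per-flow flowbits state with group semantics (added model, not Cisco's implementation)."""

    def __init__(self):
        self.bits = set()
        self.groups = {}  # group name -> names of the bits that belong to it

    def set(self, bit, group=None):
        self.bits.add(bit)
        if group:
            self.groups.setdefault(group, set()).add(bit)

    def setx(self, bit, group):
        # setx: set this bit and unset every other bit in the same group
        members = self.groups.setdefault(group, set())
        members.add(bit)
        self.bits -= members - {bit}
        self.bits.add(bit)

    def unset(self, bit):
        self.bits.discard(bit)

    def isset(self, bit):
        return bit in self.bits

# The page's PCREs translated to Python; the /smi modifiers map to re.S | re.M | re.I.
CT_JPEG = re.compile(rb"^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2fjpeg", re.S | re.M | re.I)  # assumed rule 1
CT_GIF = re.compile(rb"^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2fgif", re.S | re.M | re.I)
JPEG_EXPLOIT = re.compile(rb"\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]")

def evaluate_flow(payloads):
    """Apply the three rule fragments, in order, to each payload of one flow; return (alerts, set bits)."""
    state = FlowbitsState()
    alerts = []
    for payload in payloads:
        if b"image/" in payload and CT_JPEG.search(payload):
            state.setx("http.jpeg", "image_downloads")  # flowbits:noalert
        if b"image/" in payload and CT_GIF.search(payload):
            state.setx("http.gif", "image_downloads")   # flowbits:noalert
        if state.isset("http.jpeg") and b"\xff" in payload and JPEG_EXPLOIT.search(payload):
            alerts.append("JPEG exploit")
    return alerts, sorted(state.bits)

# Constructed sample traffic, not captured data.
JPEG_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
GIF_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
SUSPECT_BODY = b"\xff\xd8\xff\xe1\x00\x01" + b"constructed body"

if __name__ == "__main__":
    print(evaluate_flow([JPEG_RESP, SUSPECT_BODY]))            # (['JPEG exploit'], ['http.jpeg'])
    print(evaluate_flow([JPEG_RESP, GIF_RESP, SUSPECT_BODY]))  # ([], ['http.gif'])
```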
Generating Events on the HTTP Encoding Type and Location
License: Protection
You can use the http_encode keyword to generate events on the type of encoding in an HTTP request or response before normalization, either in the HTTP URI, in non-cookie data in an HTTP header, in cookies in HTTP request headers, or in set-cookie data in HTTP responses.
The HTTP Inspect preprocessor must be enabled for rules using the http_encode keyword to return matches. If you enable those rules in an intrusion policy where the HTTP preprocessor is disabled and try to save the policy, you are prompted whether to allow the system to automatically enable the HTTP preprocessor. For more information on automatically enabling processors and other advanced intrusion policy features, see