Cisco FirePOWER Appliance 8360
FireSIGHT System User Guide, page 32-35
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Table 32-20  Snort-Specific Post Regular Expression Modifiers

Option  Description

R       Searches for matching content relative to the end of the last match found by the rules engine.

B       Searches for the content within data before it is decoded by a preprocessor (this option is similar to using the Raw Data argument with the content keyword).

U       Searches for the content within the URI of a normalized HTTP request message decoded by the HTTP Inspect preprocessor. Note that you cannot use this option in combination with the content keyword HTTP URI option to search the same content. See the content keyword description for more information.

        Note: A pipelined HTTP request packet contains multiple URIs. A PCRE expression that includes the U option causes the rules engine to search for a content match only in the first URI in a pipelined HTTP request packet. To search all URIs in the packet, use the content keyword with HTTP URI selected, either with or without an accompanying PCRE expression that uses the U option.

I       Searches for the content within the URI of a raw HTTP request message decoded by the HTTP Inspect preprocessor. Note that you cannot use this option in combination with the content keyword HTTP Raw URI option to search the same content. See the content keyword description for more information.

P       Searches for the content within the body of a normalized HTTP request message decoded by the HTTP Inspect preprocessor. See the content keyword HTTP Client Body option for more information.

H       Searches for the content within the header, excluding cookies, of an HTTP request or response message decoded by the HTTP Inspect preprocessor. Note that you cannot use this option in combination with the content keyword HTTP Header option to search the same content. See the content keyword description for more information.

D       Searches for the content within the header, excluding cookies, of a raw HTTP request or response message decoded by the HTTP Inspect preprocessor. Note that you cannot use this option in combination with the content keyword HTTP Raw Header option to search the same content. See the content keyword description for more information.

M       Searches for the content within the method field of a normalized HTTP request message decoded by the HTTP Inspect preprocessor; the method field identifies the action, such as GET, PUT, CONNECT, and so on, to take on the resource identified in the URI. See the content keyword HTTP Method option for more information.

C       When the HTTP Inspect preprocessor Inspect HTTP Cookies option is enabled, searches for the normalized content within any cookie in an HTTP request header, and also within any set-cookie in an HTTP response header when the preprocessor Inspect HTTP Responses option is enabled. When Inspect HTTP Cookies is not enabled, searches the entire header, including the cookie or set-cookie data.

        Note the following:

        • Cookies included in the message body are treated as body content.

        • You cannot use this option in combination with the content keyword HTTP Cookie option to search the same content. See the content keyword description for more information.

        • The Cookie: and Set-Cookie: header names, leading spaces on the header line, and the CRLF that terminates the header line are inspected as part of the header and not as part of the cookie.
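The following Python script is an added example, not code from Cisco or the Snort project. It parses a pcre rule option in the /regex/flags form, separates the standard PCRE flags from the Snort-specific post modifiers listed in Table 32-20, and then models the pipelined-request note for the U option: a pcre with U is applied only to the first URI in the packet, while a content match with HTTP URI selected is applied to every URI. The buffer labels (http_uri, http_header, and so on), the request-splitting logic, and the sample packet are the example's own simplifications and constructed data, not the rules engine's actual implementation.

```python
import re

# Added example, not Cisco's or Snort's code. Buffer-selecting modifiers from
# Table 32-20; the labels are this example's own. R is positional, not a buffer.
BUFFER_MODIFIERS = {
    "B": "raw_data",          # packet data before preprocessor decoding
    "U": "http_uri",          # normalized URI
    "I": "http_raw_uri",      # raw URI
    "P": "http_client_body",  # normalized request body
    "H": "http_header",       # normalized header, cookies excluded
    "D": "http_raw_header",   # raw header, cookies excluded
    "M": "http_method",       # request method (GET, PUT, CONNECT, ...)
    "C": "http_cookie",       # Cookie / Set-Cookie data
}
# Standard PCRE flags mapped onto their Python re equivalents.
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}

# Accepts pcre:[!]"/<regex>/<flags>"; (the slash-delimited form only).
_PCRE_OPTION = re.compile(
    r'^pcre:\s*(?P<neg>!?)"/(?P<body>.*)/(?P<flags>[A-Za-z]*)"\s*;?$', re.DOTALL
)


def parse_pcre_option(option):
    """Split a pcre rule option into its compiled regex, Snort buffers and position flag."""
    m = _PCRE_OPTION.match(option.strip())
    if not m:
        raise ValueError("not a pcre option in /regex/flags form: %r" % option)
    re_flags = 0
    buffers = []
    relative = False
    for ch in m.group("flags"):
        if ch in PCRE_FLAGS:
            re_flags |= PCRE_FLAGS[ch]
        elif ch in BUFFER_MODIFIERS:
            buffers.append(BUFFER_MODIFIERS[ch])
        elif ch == "R":
            relative = True  # match relative to the end of the previous match
        else:
            # Any other modifier is outside Table 32-20 and is rejected here.
            raise ValueError("unsupported pcre modifier %r" % ch)
    return {
        "regex": re.compile(m.group("body"), re_flags),
        "negated": m.group("neg") == "!",
        "relative": relative,
        "buffers": buffers,
    }


def pipelined_uris(raw_request):
    """Return the request-target of each request in a (possibly pipelined) HTTP payload."""
    uris = []
    for chunk in raw_request.split(b"\r\n\r\n"):
        if not chunk.strip():
            continue
        request_line = chunk.split(b"\r\n", 1)[0]
        parts = request_line.split(b" ")
        if len(parts) >= 2:
            uris.append(parts[1].decode("latin-1"))
    return uris


def pcre_u_matches(parsed_rule, raw_request):
    """Model of pcre with U: only the first URI of a pipelined packet is searched."""
    uris = pipelined_uris(raw_request)
    if "http_uri" not in parsed_rule["buffers"] or not uris:
        return False
    hit = parsed_rule["regex"].search(uris[0]) is not None
    return hit != parsed_rule["negated"]


def content_http_uri_matches(needle, raw_request, nocase=False):
    """Model of content with HTTP URI selected: every URI in the packet is searched."""
    for uri in pipelined_uris(raw_request):
        haystack, pattern = (uri.lower(), needle.lower()) if nocase else (uri, needle)
        if pattern in haystack:
            return True
    return False


# Constructed sample: two pipelined GET requests carried in one packet.
SAMPLE_PACKET = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    b"GET /cgi-bin/status.cgi?verbose=1 HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
)

if __name__ == "__main__":
    rule = parse_pcre_option('pcre:"/\\/cgi-bin\\/[^\\s]+\\.cgi/iU";')
    print("buffers:", rule["buffers"], "relative:", rule["relative"])
    # The pattern only appears in the second URI, so the U-modified pcre misses it
    # while a content match with HTTP URI selected finds it.
    print("pcre U hit:", pcre_u_matches(rule, SAMPLE_PACKET))
    print("content http_uri hit:", content_http_uri_matches("/cgi-bin/", SAMPLE_PACKET))
```

The practical takeaway from running it is the one the table's note makes: when a rule must cover every request in a pipelined packet, the content keyword with HTTP URI selected does the matching across all URIs, and a pcre with U can then refine that match rather than replace it.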