Cisco Cisco FirePOWER Appliance 7110
32-10
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
• describes how to use the content keyword to test the content of the packet payload.
• describes how to use modifying keywords for the content keyword.
• describes how to use the replace keyword in inline deployments to replace specified content of equal length.
• describes how to use the byte_jump and byte_test keywords to calculate where in a packet the rules engine should begin testing for a content match, and which bytes it should evaluate.
• describes how to use the pcre keyword to use Perl-compatible regular expressions in rules.
• describes how to use the metadata keyword to add information to a rule.
• describes the syntax and use of keywords that test values in the packet’s IP header.
• describes the syntax and use of keywords that test values in the packet’s ICMP header.
• describes the syntax and use of keywords that test values in the packet’s TCP header.
• describes how to enable and disable stream reassembly for a single connection when inspected traffic on the connection matches the conditions of the rule.
• describes the use and syntax of keywords that extract version and state information from encrypted traffic.
• describes how to read a value from a packet into a variable that you can use later in the same rule to specify the value for arguments in certain other keywords.
• that test application layer protocol properties.
• describes the use and syntax of the dsize, sameIP, isdataat, fragoffset, and cvs keywords.
• explains how to use the resp keyword to actively close TCP connections or UDP sessions, the react keyword to send an HTML page and then actively close TCP connections, and the config response command to specify the active response interface and the number of TCP resets to attempt in a passive deployment.
• describes how to prevent a rule from triggering an event unless a specified number of packets meet the rule’s detection criteria within a specified time.
• describes how to log additional traffic for the host or session.
• describes how to assign state names to packets from attacks that span multiple packets in a single session, then analyze and alert on packets according to their state.
• describes how to generate events on the type of encoding in an HTTP request or response URI, header, or cookie, including set-cookies, before normalization.