Cisco Firepower Management Center 2000
FireSIGHT System User Guide, page 32-28
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Define how the system views string data in a packet by using one of the Number Type arguments in Table 32-10.
For example, if the values you set for byte_jump are as follows:
• Bytes = 4
• Offset = 12
• Relative enabled
• Align enabled
the rules engine calculates the number described in the four bytes that appear 13 bytes after the last successful content match, and skips ahead that number of bytes in the packet. For instance, if the four calculated bytes in a specific packet were 00 00 00 1F, the rules engine would convert this to 31. Because align is specified (which instructs the engine to move to the next 32-bit boundary), the rules engine skips ahead 32 bytes in the packet.
Alternately, if the values you set for byte_jump are as follows:
• Bytes = 4
• Offset = 12
• From Beginning enabled
• Multiplier = 2
Table 32-9 Endianness Arguments
Argument | Description
Big Endian | Processes data in big endian byte order, which is the default network byte order.
Little Endian | Processes data in little endian byte order.
DCE/RPC | Specifies a byte_jump keyword for traffic processed by the DCE/RPC preprocessor. See … information. The DCE/RPC preprocessor determines big endian or little endian byte order, and the Number Type, Endian, and From Beginning arguments do not apply. When you enable this argument, you can also use byte_jump in conjunction with other specific DCE/RPC keywords. See … for more information. The DCE/RPC preprocessor must be enabled to allow processing of rules that include this option. When the DCE/RPC preprocessor is disabled and you enable rules that use this option, you are prompted whether to enable the preprocessor when you save the policy. See ….
Table 32-10 Number Type Arguments
Argument | Description
Hexadecimal String | Represents converted string data in hexadecimal format.
Decimal String | Represents converted string data in decimal format.
Octal String | Represents converted string data in octal format.
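As an added illustration of how the byte_jump arguments on this page combine (example code written for this page, not code from the Cisco guide or the FireSIGHT product), the following Python simulator applies Bytes, Offset, Relative, Align, From Beginning and Multiplier, the Endianness arguments of Table 32-9 and the Number Type arguments of Table 32-10 to a constructed 64-byte payload, reproducing the 00 00 00 1F example above. It assumes that the jump is counted from the end of the bytes just read unless From Beginning is set, in which case it is counted from the start of the payload, and that Multiplier is applied before Align; the DCE/RPC argument is not modelled because the preprocessor supplies the byte order in that case. The class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

# Added example for this page (not Cisco's code): a simulator of the
# byte_jump keyword's argument semantics as the guide describes them.


@dataclass
class ByteJump:
    """The byte_jump arguments discussed in the guide."""
    num_bytes: int                     # Bytes: how many bytes to convert
    offset: int = 0                    # Offset: where to start reading
    relative: bool = False             # Relative: count Offset from the end of the last content match
    align: bool = False                # Align: round the jump up to the next 32-bit boundary
    from_beginning: bool = False       # From Beginning: jump from the payload start (assumption, see lead-in)
    multiplier: int = 1                # Multiplier: scale the converted value before jumping
    endian: str = "big"                # Table 32-9: "big" (default network order) or "little"
    number_type: Optional[str] = None  # Table 32-10: None = raw bytes, "hex", "dec" or "oct" string


_STRING_BASES = {"hex": 16, "dec": 10, "oct": 8}


def convert_value(raw: bytes, endian: str = "big", number_type: Optional[str] = None) -> int:
    """Turn the bytes read from the packet into an integer.

    Raw bytes are interpreted in the requested byte order; string data is
    parsed as ASCII digits in the base selected by the Number Type argument.
    """
    if number_type is None:
        if endian not in ("big", "little"):
            raise ValueError(f"unknown endianness {endian!r}")
        return int.from_bytes(raw, endian)
    try:
        base = _STRING_BASES[number_type]
    except KeyError:
        raise ValueError(f"unknown number type {number_type!r}") from None
    return int(raw.decode("ascii").strip(), base)


def byte_jump(payload: bytes, rule: ByteJump, last_match_end: int = 0) -> int:
    """Return the payload position the rules engine moves to, or -1 when the
    read or the jump would leave the payload (the option then does not match)."""
    start = last_match_end if rule.relative else 0
    read_pos = start + rule.offset
    if read_pos < 0 or read_pos + rule.num_bytes > len(payload):
        return -1                      # not enough data to read the value
    raw = payload[read_pos:read_pos + rule.num_bytes]
    value = convert_value(raw, rule.endian, rule.number_type) * rule.multiplier
    if rule.align:
        value = (value + 3) & ~3       # next multiple of 4 bytes (31 -> 32)
    base = 0 if rule.from_beginning else read_pos + rule.num_bytes
    new_pos = base + value
    return new_pos if 0 <= new_pos <= len(payload) else -1


def guide_examples() -> dict:
    """Replay the two byte_jump configurations the guide walks through on a
    constructed payload whose length field holds 00 00 00 1F (31)."""
    payload = bytearray(64)            # constructed packet payload, all zeros
    # Pretend a content match ended at byte 4: with Offset = 12 and Relative
    # the engine reads bytes 16..19.
    payload[16:20] = b"\x00\x00\x00\x1F"
    # Without Relative the same Offset = 12 reads bytes 12..15 from the start.
    payload[12:16] = b"\x00\x00\x00\x1F"
    relative_align = ByteJump(num_bytes=4, offset=12, relative=True, align=True)
    from_start_x2 = ByteJump(num_bytes=4, offset=12, from_beginning=True, multiplier=2)
    return {
        # 31 aligned up to 32, counted from byte 20 (end of the 4 bytes read): 52
        "relative_align": byte_jump(bytes(payload), relative_align, last_match_end=4),
        # 31 * 2 = 62, counted from the start of the payload: 62
        "from_beginning_x2": byte_jump(bytes(payload), from_start_x2),
    }


def string_conversions() -> tuple:
    """The Number Type arguments: the value 31 as hex, decimal and octal strings."""
    return (convert_value(b"1F", number_type="hex"),
            convert_value(b"31", number_type="dec"),
            convert_value(b"37", number_type="oct"))


if __name__ == "__main__":
    print(guide_examples())
    print(string_conversions())
```

Running the block prints the two resulting cursor positions and the three string conversions; the -1 return for a value that would point past the payload is the case a practitioner most often trips over when a rule that looks correct never fires.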