Cisco Firepower Management Center 4000
32-18
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
The default offset is 0, meaning the beginning of the packet.
Depth
Specifies the maximum content search depth, in bytes, from the beginning of the offset value, or if
no offset is configured, from the beginning of the packet payload.
For example, in a rule with a content value of cgi-bin/phf, an offset value of 3, and a depth value
of 22, the rule starts searching for a match to the cgi-bin/phf string at byte 3, and stops after
processing 22 bytes (byte 25) in packets that meet the parameters specified by the rule header.
You must specify a value that is greater than or equal to the length of the specified content, up to a
maximum of 65535 bytes. You cannot specify a value of 0.
The default depth is to search to the end of the packet.
Distance
Instructs the rules engine to identify subsequent content matches that occur a specified number of
bytes after the previous successful content match.
Because the distance counter starts at byte 0, specify one less than the number of bytes you want to
move forward from the last successful content match. For example, if you specify 4, the search
begins at the fifth byte.
You can specify a value of -65535 to 65535 bytes. If you specify a negative Distance value, the byte
you start searching on may fall outside the beginning of a packet. Any calculations will take into
account the bytes outside the packet, even though the search actually starts on the first byte in the
packet. For example, if the current location in the packet is the fifth byte, and the next content rule
option specifies a Distance value of -10 and a Within value of 20, the search starts at the beginning
of the payload and the Within option is adjusted to 15.
The default distance is 0, meaning the current location in the packet subsequent to the last content
match.
Within
The Within option indicates that, to trigger the rule, the next content match must occur within the
specified number of bytes after the end of the last successful content match. For example, if you
specify a Within value of 8, the next content match must occur within the next eight bytes of the
packet payload or it does not meet the criteria that triggers the rule.
You can specify a value that is greater than or equal to the length of the specified content, up to a
maximum of 65535 bytes.
The default for Within is to search to the end of the packet.
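As an added illustration of the search-window arithmetic described under Depth, Distance and Within (this is example code written for this page, not FireSIGHT or Snort code), the following Python models each content option's window as the byte range [anchor + skip, anchor + skip + limit), where anchor is byte 0 for offset/depth and the end of the previous match for distance/within, and walks the document's own examples: cgi-bin/phf with offset 3 and depth 22, a distance of 4 starting the next search at the fifth byte, a within of 8, and the negative Distance case where the window is clamped to byte 0 and the Within limit shrinks to 15. The payloads and the function names are constructed for the example.

```python
# Added example: a minimal model of offset/depth/distance/within window
# arithmetic. Not FireSIGHT or Snort code; the function names and sample
# payloads are constructed for illustration.


def content_window(payload_len, anchor, skip, limit):
    """Return (start, end) of the byte range in which a content may match.

    anchor: 0 for an absolute content (offset/depth), or the byte just after the
            previous match for a relative content (distance/within).
    skip:   the offset or distance value (distance may be negative).
    limit:  the depth or within value, or None to search to the end of the payload.
    """
    start = anchor + skip
    end = payload_len if limit is None else start + limit
    # A negative start (negative distance) is clamped to byte 0, but the bytes
    # "outside" the packet still count against the limit, so end stays where it is.
    # This is what turns a Within of 20 into 15 in the document's example.
    start = max(start, 0)
    end = min(end, payload_len)
    return start, end


def match_contents(payload, contents):
    """Apply a chain of content options to a payload.

    contents: list of (pattern, skip, limit) tuples. The first entry is treated as
    offset/depth (anchor 0); every later entry is distance/within, anchored at the
    end of the previous match. Returns the list of (start, end) match positions,
    or None as soon as one content does not match inside its window.
    """
    anchor = 0
    matches = []
    for pattern, skip, limit in contents:
        start, end = content_window(len(payload), anchor, skip, limit)
        # bytes.find(sub, start, end) requires the whole pattern to lie inside
        # [start, end), which is why depth and within must be >= len(pattern).
        pos = payload.find(pattern, start, end)
        if pos < 0:
            return None
        matches.append((pos, pos + len(pattern)))
        anchor = pos + len(pattern)
    return matches


if __name__ == "__main__":
    # Constructed HTTP request line: "cgi-bin/phf" starts at byte 5, inside [3, 25).
    req = b"GET /cgi-bin/phf?Qalias=x%0a HTTP/1.0"
    print(match_contents(req, [(b"cgi-bin/phf", 3, 22)]))
    # The same string starting at byte 17 would end past byte 25, so no match.
    print(match_contents(b"GET /a/b/c/d/e/f/cgi-bin/phf", [(b"cgi-bin/phf", 3, 22)]))
    # Distance 4: the second search begins at the fifth byte after "ABCD".
    print(match_contents(b"ABCDxxxxEFGH", [(b"ABCD", 0, None), (b"EFGH", 4, None)]))
    # Within 8: "EFGH" must end within eight bytes after "ABCD".
    print(match_contents(b"ABCD12345EFGH", [(b"ABCD", 0, None), (b"EFGH", 0, 8)]))
    # Current location byte 5, Distance -10, Within 20 -> window (0, 15).
    print(content_window(100, 5, -10, 20))
```

Running the script prints the match ranges for the cgi-bin/phf, distance and within cases, None for each variant that falls outside its window, and (0, 15) for the negative-distance window.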
To specify a search location value in the user interface:
Access:
Admin/Intrusion Admin
Step 1
Type the value in the field for the content keyword you are adding. You have the following choices:
• Offset
• Depth
• Distance
• Within
You can use any number of location options in a rule.