FireSIGHT System User Guide (page 32-55)
Chapter 32      Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Note the following when using the urilen keyword in a rule:
  • In practice, you always use the urilen keyword in combination with the flow:established keyword and one or more other keywords.
  • TCP stream preprocessing must be enabled. See  for more information.
  • The HTTP preprocessor must be enabled to allow processing of rules using the urilen keyword. When the HTTP preprocessor is disabled and you enable rules that use this keyword, you are prompted whether to enable the preprocessor when you save the policy. See
  • The rule protocol is always TCP. See  for more information.
  • Target ports are always HTTP ports. See  and  for more information.
You specify the URI length as a decimal number of bytes, either alone (exact length) or qualified with less than (<), greater than (>), or a range (<>). For example:
  • specify 5 to detect a URI exactly 5 bytes long.
  • specify < 5 (separated by one space character) to detect a URI less than 5 bytes long.
  • specify > 5 (separated by one space character) to detect a URI greater than 5 bytes long.
  • specify 3 <> 5 (with one space character before and after <>) to detect a URI between 3 and 5 bytes long, inclusive.
For example, there is a known vulnerability in Novell's server monitoring and diagnostics utility iMonitor version 2.4, which ships with eDirectory version 8.8. A request containing an excessively long URI causes a buffer overflow, which an attacker can exploit with a specially crafted packet to execute code on the host with system-level privileges or to cause a DoS condition. The following rule uses the urilen keyword to detect attempts to exploit this vulnerability:
    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
        (msg:"EXPLOIT eDirectory 8.8 Long URI iMonitor buffer overflow attempt";
        flow:to_server,established; urilen:> 8192; uricontent:"/nds/"; nocase;
        classtype:attempted-admin; sid:x; rev:1;)
The above rule generates an event against TCP traffic traveling from any IP address defined in the $EXTERNAL_NET variable, from any port, to any IP address defined in the $HOME_NET variable on the ports defined in the $HTTP_PORTS variable. In addition, because of flow:to_server,established, packets are evaluated against the rule only when they travel toward the server on an established TCP connection. The rule uses the urilen keyword to detect any URI over 8192 bytes in length. Finally, the rule searches the URI for the content /nds/, with the nocase modifier making that uricontent match case-insensitive. All of these conditions must hold for the rule to fire, so a long URI that does not contain /nds/ (or a short URI that does) generates no event.
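As an added example, not code from the FireSIGHT guide or the Snort project, the following Python models the urilen operator forms listed above and then applies the urilen and uricontent tests of the iMonitor rule to constructed HTTP requests. It assumes the length measured is the request-target from the request line exactly as sent (no HTTP preprocessor normalization such as percent-decoding), it does not model flow:to_server,established beyond treating every sample as a client request, and the sample requests, host name and function names are all hypothetical.

```python
import re

# Accepts the urilen argument forms documented above: "5", "< 5", "> 5", "3 <> 5".
URILEN_RE = re.compile(
    r"^\s*(?:(?P<op>[<>])\s*(?P<n>\d+)|(?P<lo>\d+)\s*<>\s*(?P<hi>\d+)|(?P<exact>\d+))\s*$"
)


def parse_urilen(arg: str):
    """Turn a urilen argument into a predicate on the URI length in bytes.

    Mirrors the operator table above: a bare number is an exact match,
    < and > are strict comparisons, and lo <> hi is inclusive at both ends.
    """
    m = URILEN_RE.match(arg)
    if not m:
        raise ValueError(f"unsupported urilen argument: {arg!r}")
    if m["op"] == "<":
        limit = int(m["n"])
        return lambda length: length < limit
    if m["op"] == ">":
        limit = int(m["n"])
        return lambda length: length > limit
    if m["lo"] is not None:
        low, high = int(m["lo"]), int(m["hi"])
        if low > high:
            raise ValueError(f"empty urilen range: {arg!r}")
        return lambda length: low <= length <= high
    exact = int(m["exact"])
    return lambda length: length == exact


def request_uri(raw_request: bytes) -> bytes:
    """Return the request-target from the first line of an HTTP/1.x request.

    Assumption (differs from a real sensor): the raw request-target is
    measured with no URI normalization, so a preprocessor that decodes
    percent-encoding or collapses path segments may measure a different length.
    """
    request_line = raw_request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 3:
        raise ValueError("malformed request line")
    return parts[1]


# The two URI tests from the iMonitor rule above. flow:to_server,established
# is assumed satisfied because every sample below is a client-to-server request.
EDIR_URILEN = parse_urilen("> 8192")
EDIR_URICONTENT = b"/nds/"


def matches_edirectory_rule(raw_request: bytes) -> bool:
    """True only when urilen:> 8192 and uricontent:"/nds/"; nocase; both hold."""
    uri = request_uri(raw_request)
    return EDIR_URILEN(len(uri)) and EDIR_URICONTENT in uri.lower()


# Constructed sample traffic for illustration, not captured exploit data.
BENIGN = b"GET /nds/ HTTP/1.1\r\nHost: edir.example.test\r\n\r\n"
LONG_NDS = b"GET /nds/" + b"A" * 8200 + b" HTTP/1.1\r\nHost: edir.example.test\r\n\r\n"
LONG_NDS_UPPER = b"GET /NDS/" + b"A" * 8200 + b" HTTP/1.1\r\nHost: edir.example.test\r\n\r\n"
LONG_OTHER = b"GET /" + b"A" * 8200 + b" HTTP/1.1\r\nHost: edir.example.test\r\n\r\n"


if __name__ == "__main__":
    samples = [("benign /nds/", BENIGN), ("long /nds/", LONG_NDS),
               ("long /NDS/", LONG_NDS_UPPER), ("long other path", LONG_OTHER)]
    for name, req in samples:
        length = len(request_uri(req))
        print(f"{name:16s} urilen={length:5d} alert={matches_edirectory_rule(req)}")
```

Running the block shows the interaction the explanation above describes: the 8205-byte /nds/ and /NDS/ requests alert, while the short /nds/ request and the equally long request on another path do not, because urilen and uricontent must both match.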
DCE/RPC Keywords
License: Protection
The three DCE/RPC keywords described in the following table allow you to monitor DCE/RPC session traffic for exploits. When the system processes rules with these keywords, it invokes the DCE/RPC preprocessor. See  for more information.
The DCE/RPC preprocessor must be enabled to allow processing of rules that include these keywords. When the DCE/RPC preprocessor is disabled and you enable rules that use these keywords, you are prompted whether to enable the preprocessor when you save the policy.
prompted whether to enable the preprocessor when you save the policy. Se