Firepower IPS Snort Rules
SRU (Snort Rule Update) packages are cumulative: installing the latest SRU brings in every earlier rule update too.
Note.
Content !!search for a byte sequence in the packet payload; the payload starts after the L4 (TCP/UDP) header.
can be plain text, or binary written as hex bytes between pipe ("|") characters, e.g. "|0d 0a|Host|3a|" mixes both.
Depth: !!how many bytes, counted from the start of the payload (or from offset if one is set), are searched for the content; the content must fit entirely inside that range.
Offset: !!where the search starts, counted from the beginning of the payload (absolute, not relative to an earlier match).
Within: !!after the previous content matched, the next content must be found entirely within # bytes of the end of that match (counted after any distance).
Distance: !!after the previous content matched, skip # bytes from the end of that match before searching for the next content.
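To make the four modifiers concrete, here is a small matcher (an added example, not code from the page or from Snort/Firepower) that applies offset/depth as absolute windows and distance/within as windows relative to the previous match, against a constructed HTTP request payload. The content parser also handles the |hex| notation. It is a simplification: nocase, negated content, fast_pattern and the HTTP buffers are not modelled, and unknown rule options are ignored; the PAYLOAD and the rule option strings are constructed for the demonstration.

```python
import re

# Constructed sample payload (an HTTP request line plus one header); not from the page.
PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

# Matches one "key:value;" rule option; quoted values may contain escaped quotes.
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')


def parse_content(spec):
    """Turn the text inside a Snort content:"..." option into raw bytes.
    Plain text is taken literally; anything between pipe characters is
    hex bytes, so '|0d 0a|Host|3a|' becomes b'\\r\\nHost:'."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % spec)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal text
        else:
            out += bytes.fromhex(part)      # hex bytes, whitespace between them ignored
    return bytes(out)


def parse_options(options):
    """Pull the content keywords and their offset/depth/distance/within
    modifiers out of a rule option string, in order. Other options
    (msg, sid, nocase, ...) are ignored; this is a simplification."""
    contents = []
    for key, val in OPTION_RE.findall(options):
        if key == "content":
            contents.append({"pattern": parse_content(val.strip('"'))})
        elif key in ("offset", "depth", "distance", "within"):
            if not contents:
                raise ValueError("%s before any content keyword" % key)
            contents[-1][key] = int(val)
    return contents


def rule_matches(options, payload=PAYLOAD):
    """Apply each content in turn to the payload.
    offset/depth are absolute: search payload[offset : offset + depth].
    distance/within are relative to the end of the previous match:
    search payload[prev_end + distance : prev_end + distance + within].
    The pattern must fit entirely inside the window; bytes.find with
    start/end bounds enforces that."""
    prev_end = None
    for c in parse_options(options):
        pat = c["pattern"]
        if "distance" in c or "within" in c:
            if prev_end is None:
                raise ValueError("distance/within need a previous content match")
            start = max(0, prev_end + c.get("distance", 0))
            end = start + c["within"] if "within" in c else len(payload)
        else:
            start = c.get("offset", 0)
            end = start + c["depth"] if "depth" in c else len(payload)
        idx = payload.find(pat, start, end)
        if idx < 0:
            return False
        prev_end = idx + len(pat)
    return True


if __name__ == "__main__":
    for opts in (
        'content:"GET"; depth:3;',                                # True: GET sits in the first 3 bytes
        'content:"GET"; offset:1; depth:3;',                      # False: window 1..4 is "ET "
        'content:"GET"; content:"HTTP"; distance:1; within:20;',  # True: HTTP at 16..20, window is 4..24
        'content:"GET"; content:"HTTP"; distance:1; within:10;',  # False: window 4..14 is "/index.htm"
        'content:"GET"; content:"/index"; distance:2;',           # False: distance skips past the "/"
        'content:"|0d 0a|Host|3a|";',                             # True: hex and text mixed
    ):
        print("%-58s -> %s" % (opts, rule_matches(opts)))
```

The two within cases are the ones worth staring at: the window for the second content opens one byte after "GET" ends (distance:1) and is exactly within bytes long, so shrinking within from 20 to 10 makes the same payload stop matching.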
Reference:
https://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm#depth
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION00457000000000000000
=======Create Firepower Custom IPS Rule==========
Three ways to get a custom rule into the FMC rule editor:
# Copy an existing rule and edit the copy
# Import a rule (rule text written elsewhere)
# Create a new rule from scratch
When adding a content keyword it can be restricted to part of an HTTP request, for example
the HTTP Method, HTTP Header, or HTTP URI (the Snort 2 http_method, http_header and http_uri content modifiers).
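A custom rule in the Snort 2 syntax Firepower uses up to release 6.x, as an added example (not a rule from the page or from Cisco), showing the three HTTP-restricted content matches from the list above. The rule header variables and the message are placeholders; the sid is a placeholder too, since the FMC rule editor assigns the local SID when the rule is saved. The commented line is the same match written with Snort 3 sticky buffers, where the buffer keyword comes before the content instead of after it.

```snort
# Snort 2 (Firepower 6.x): the http_* modifier follows the content it applies to
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CUSTOM HTTP POST to admin upload path"; flow:to_server,established; content:"POST"; http_method; content:"/admin/upload"; http_uri; nocase; content:"User-Agent|3a 20|curl"; http_header; classtype:web-application-attack; sid:1000001; rev:1;)

# Snort 3 (Firepower 7.x): sticky buffer keyword precedes the content
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CUSTOM HTTP POST to admin upload path"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/admin/upload",nocase; http_header; content:"User-Agent|3a 20|curl"; classtype:web-application-attack; sid:1000001; rev:1;)
```

Each content is checked only inside its own normalized HTTP buffer, so "POST" in the body or "/admin/upload" in a header does not fire the rule; that is the point of choosing the HTTP Method/URI/Header checkbox in the editor rather than a raw payload content.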
=====================
https://www.rapid7.com/blog/post/2016/12/09/understanding-and-configuring-snort-rules/
Snort 3
https://dependencyhell.net/2021/snort-3-deep-dive-the-future-of-cisco-firepower