Basic content and protected_content Keyword Arguments
You can constrain the location and case-sensitivity of content searches with parameters that modify the content or protected_content keyword. Configure options that modify the content or protected_content keyword to specify the content for which you want to search.
Case Insensitive
Note | This option is not supported when configuring the |
You can instruct the rules engine to ignore case when searching for content matches in ASCII strings. To make your search case-insensitive, check Case Insensitive when specifying a content search.
Hash Type
Note | This option is only configurable with the |
Use the Hash Type drop-down to identify the hash function you used to encode your search string. The system supports SHA-512, SHA-256, and MD5 hashing for protected_content search strings. If the length of your hashed content does not match the selected hash type, the system does not save the rule.
The system automatically selects the Cisco-set default value. When Default is selected, no specific hash function is written into the rule and the system assumes SHA-512 for the hash function.
Raw Data
The Raw Data option instructs the rules engine to analyze the original packet payload before analyzing the normalized payload data (decoded by a network analysis policy) and does not use an argument value. You can use this keyword when analyzing telnet traffic to check the telnet negotiation options in the payload before normalization.
You cannot use the Raw Data option together in the same content or protected_content keyword with any HTTP content option.
Tip | You can configure the HTTP Inspect preprocessor Client Flow Depth and Server Flow Depth options to determine whether raw data is inspected in HTTP traffic, and how much raw data is inspected. |
Not
Select the Not option to search for content that does not match the specified content. If you create a rule that includes a content or protected_content keyword with the Not option selected, you must also include in the rule at least one other content or protected_content keyword without the Not option selected.
Caution | Do not create a rule that includes only one |
For example, SMTP rule 1:2541:9 includes three content keywords, one of which has the Not option selected. A custom rule based on this rule would be invalid if you removed all of the content keywords except the one with the Not option selected. Adding such a rule to your intrusion policy could invalidate the policy.
Tip | You cannot select the Not check box and the Use Fast Pattern Matcher check box with the same |
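The Hash Type, Raw Data and Not constraints above can be checked before a custom rule is imported. The following is an added example, not Cisco's code: it assumes the rule is written as Snort rule text, where the options on this page appear as the hash, rawbytes and fast_pattern modifiers and a leading ! for Not, and the function names and sample rules are constructed for illustration.

```python
import hashlib
import re

HEX_LEN = {"md5": 32, "sha256": 64, "sha512": 128}  # hex characters per digest
HTTP_MODS = {"http_uri", "http_raw_uri", "http_header", "http_raw_header", "http_cookie",
             "http_raw_cookie", "http_client_body", "http_method", "http_stat_code",
             "http_stat_msg"}
OPTION = re.compile(r'\s*((?:"(?:\\.|[^"\\])*"|[^;"])+);')  # one option; quotes may hold ';'

def protect(search: bytes, hash_type: str = "sha512") -> str:
    """Hex digest to use as the protected_content search string."""
    return hashlib.new(hash_type, search).hexdigest().upper()

def parse_matches(rule: str) -> list:
    """Group each content/protected_content keyword with the modifiers that follow it."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    matches = []
    for opt in OPTION.findall(body):
        name, _, value = (part.strip() for part in opt.partition(":"))
        if name in ("content", "protected_content"):
            matches.append({"kw": name, "not": value.startswith("!"),
                            "value": value.lstrip("!").strip('"'), "mods": {}})
        elif matches:
            matches[-1]["mods"][name] = value
    return matches

def lint(rule: str) -> list:
    """Return the page's constraints that the rule violates (empty list = none)."""
    matches = parse_matches(rule)
    errors = []
    if matches and all(m["not"] for m in matches):
        errors.append("no content match without Not")
    for m in matches:
        mods = m["mods"]
        if m["kw"] == "protected_content":
            hash_type = mods.get("hash", "sha512")  # Default: system assumes SHA-512
            if len(m["value"]) != HEX_LEN.get(hash_type):
                errors.append(f"digest length does not match {hash_type}")
        if "rawbytes" in mods and HTTP_MODS & mods.keys():
            errors.append("Raw Data used with an HTTP content option")
        if m["not"] and "fast_pattern" in mods:
            errors.append("Not used with Use Fast Pattern Matcher")
    return errors

# Constructed sample rules (not taken from any real rule set)
DIGEST = protect(b"constructed-secret", "sha256")
OK = 'alert tcp any any -> any 25 (msg:"sample"; content:"MAIL FROM"; nocase; content:!"test"; sid:1000001;)'
ONLY_NOT = 'alert tcp any any -> any 25 (msg:"sample"; content:!"test"; fast_pattern; sid:1000002;)'
WRONG_HASH = f'alert tcp any any -> any 25 (msg:"sample"; protected_content:"{DIGEST}"; length:18; sid:1000003;)'
```

WRONG_HASH carries a SHA-256 digest with no hash modifier, so it is read as SHA-512 and fails the length check; adding hash:sha256 clears the error.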