Cisco Firepower Management Center 4000
32-74
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
dnp3_data
You can use the dnp3_data keyword to point to the beginning of reassembled DNP3 application layer fragments.
The DNP3 preprocessor reassembles link layer frames into application layer fragments. The dnp3_data keyword points to the beginning of each application layer fragment; other rule options can match against the reassembled data within fragments without separating the data and adding checksums every 16 bytes.
To point to the beginning of reassembled DNP3 fragments:
Access: Admin/Intrusion Admin
Step 1  On the Create Rule page, select dnp3_data from the drop-down list and click Add Option.
The dnp3_data keyword appears.
The dnp3_data keyword has no arguments.
dnp3_func
You can use the dnp3_func keyword to match against the Function Code field in a DNP3 application layer request or response header. You can specify either a single defined decimal value or a single defined string for a DNP3 function code.
The following table lists the defined values and strings recognized by the system for DNP3 function codes.
Table 32-43  DNP3 Function Codes

Value  String
0      confirm
1      read
2      write
3      select
4      operate
5      direct_operate
6      direct_operate_nr
7      immed_freeze
8      immed_freeze_nr
9      freeze_clear
10     freeze_clear_nr
11     freeze_at_time
12     freeze_at_time_nr
13     cold_restart
14     warm_restart
15     initialize_data
16     initialize_appl
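As an added illustration (not code from the Cisco guide or the DNP3 preprocessor), the following Python models what happens before the dnp3_data and dnp3_func keywords are evaluated: it builds a constructed DNP3 link-layer frame, verifies and strips the CRC that follows every 16-byte data block to recover the application-layer fragment that dnp3_data points to, and then compares the Function Code byte against a decimal value or one of the strings in Table 32-43. The frame bytes, addresses and helper names are constructed for this example.

```python
import struct
DNP3_FUNC = {0: "confirm", 1: "read", 2: "write", 3: "select", 4: "operate",
             5: "direct_operate", 6: "direct_operate_nr", 7: "immed_freeze",
             8: "immed_freeze_nr", 9: "freeze_clear", 10: "freeze_clear_nr",
             11: "freeze_at_time", 12: "freeze_at_time_nr", 13: "cold_restart",
             14: "warm_restart", 15: "initialize_data", 16: "initialize_appl"}

def dnp3_crc(data: bytes) -> int:
    """DNP3 CRC-16: reflected polynomial 0xA6BC, init 0, final complement."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_frame(dest: int, src: int, user_data: bytes, ctrl: int = 0xC4) -> bytes:
    """Wrap user data (transport header + app fragment) in a link-layer frame:
    8-byte header + CRC, then 16-byte data blocks each followed by its own CRC."""
    hdr = struct.pack("<BBBBHH", 0x05, 0x64, 5 + len(user_data), ctrl, dest, src)
    out = hdr + struct.pack("<H", dnp3_crc(hdr))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        out += block + struct.pack("<H", dnp3_crc(block))
    return out

def reassemble(frame: bytes) -> bytes:
    """Verify/strip link header, per-block CRCs and transport header; return the app fragment."""
    if frame[:2] != b"\x05\x64" or dnp3_crc(frame[:8]) != struct.unpack("<H", frame[8:10])[0]:
        raise ValueError("bad link-layer header or header CRC")
    remaining, pos, user = frame[2] - 5, 10, b""
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if dnp3_crc(block) != struct.unpack("<H", frame[pos + n:pos + n + 2])[0]:
            raise ValueError("bad block CRC at offset %d" % pos)
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    return user[1:]  # drop the 1-byte transport header; this is where dnp3_data points

def dnp3_func_matches(app_fragment: bytes, wanted) -> bool:
    """Emulate dnp3_func: the Function Code is byte 1 of the application header;
    'wanted' is a decimal value or one of the defined strings from Table 32-43."""
    code = app_fragment[1]
    return code == wanted if isinstance(wanted, int) else DNP3_FUNC.get(code) == wanted

# Constructed read request: app control 0xC0 (FIR|FIN), function 1 (read), five object headers
APP_READ = bytes.fromhex("c0 01 3c 02 06 3c 03 06 3c 04 06 3c 01 06 01 00 06")
FRAME = build_frame(dest=1, src=1024, user_data=b"\xc0" + APP_READ)  # 18 user bytes -> 2 blocks
```

Corrupting any byte inside a data block makes reassemble() reject the frame, which is why a rule can rely on dnp3_data rather than re-checking checksums itself.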