Sourcefire 3D System User Guide, Version 5.3 (page 1134)
Chapter 30: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules

Inspecting ICMP Header Values
License: Protection
The Sourcefire 3D System supports keywords that you can use to identify attacks 
and security policy violations in the headers of ICMP packets. Note, however, that 
predefined rules exist that detect most ICMP types and codes. Consider enabling 
an existing rule or creating a local rule based on an existing rule; you may be able 
to find a rule that meets your needs more quickly than if you build an ICMP rule 
from scratch.
See the following sections for more information about ICMP-specific keywords:
Identifying Static ICMP ID and Sequence Values
License: Protection
The ICMP identification and sequence numbers help associate ICMP replies with ICMP requests. In normal traffic, these values are dynamically assigned to packets. Some covert channel and Distributed Denial of Service (DDoS) programs use static ICMP ID and sequence values. The following keywords allow you to identify ICMP packets with static values.
icmp_id
The icmp_id keyword inspects an ICMP echo request or reply packet's ICMP ID number. Use a numeric value that corresponds with the ICMP ID number as the argument for the icmp_id keyword.

icmp_seq
The icmp_seq keyword inspects an ICMP echo request or reply packet's ICMP sequence number. Use a numeric value that corresponds with the ICMP sequence number as the argument for the icmp_seq keyword.
Inspecting the ICMP Message Type
License: Protection
Use the itype keyword to look for packets with specific ICMP message type values. You can specify either a valid ICMP type value (see … or … for a full list of ICMP type numbers) or an invalid ICMP type value to test for different types of traffic. For example, attackers may set ICMP type values out of range to cause denial of service and flooding attacks.
You can specify a range for the itype argument value using less than (<) and greater than (>).
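The following Python example is added here to show how the three keywords described above (icmp_id, icmp_seq and itype, including the < and > range forms for itype) are evaluated against the ICMP header; it is not code from the Sourcefire 3D System or from this guide. The rule strings, SIDs in the local range and the packets are constructed for illustration, and the matcher ignores the ICMP checksum and everything after the 8-byte header.

```python
import struct
from dataclasses import dataclass

# Constructed sample rules using only the keywords this page describes.
# SIDs are placeholders in the local range, not rules from any rule set.
SAMPLE_RULES = [
    'alert icmp any any -> any any (msg:"ICMP echo with static id/seq"; '
    'itype:8; icmp_id:1234; icmp_seq:0; sid:1000001;)',
    'alert icmp any any -> any any (msg:"ICMP type above assigned range"; '
    'itype:>43; sid:1000002;)',
    'alert icmp any any -> any any (msg:"ICMP type below 3"; '
    'itype:<3; sid:1000003;)',
]

ICMP_KEYWORDS = ("itype", "icmp_id", "icmp_seq")


@dataclass
class IcmpHeader:
    icmp_type: int
    code: int
    checksum: int
    ident: int
    seq: int


def parse_icmp_header(packet: bytes) -> IcmpHeader:
    """Unpack the 8-byte ICMP echo request/reply header (RFC 792 layout)."""
    if len(packet) < 8:
        raise ValueError("ICMP header needs at least 8 bytes")
    return IcmpHeader(*struct.unpack("!BBHHH", packet[:8]))


def parse_rule_options(rule: str) -> dict:
    """Return the option body of one rule line as a keyword -> argument dict."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {}
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return opts


def matches_numeric(spec: str, value: int) -> bool:
    """Evaluate an argument such as 8, <3 or >43 against a header field.
    '<' and '>' are the range operators the page documents for itype."""
    spec = spec.strip()
    if spec.startswith("<"):
        return value < int(spec[1:])
    if spec.startswith(">"):
        return value > int(spec[1:])
    return value == int(spec)


def rule_matches(rule: str, packet: bytes) -> bool:
    """True when every ICMP keyword present in the rule matches the packet."""
    hdr = parse_icmp_header(packet)
    opts = parse_rule_options(rule)
    fields = {"itype": hdr.icmp_type, "icmp_id": hdr.ident, "icmp_seq": hdr.seq}
    return all(matches_numeric(opts[k], fields[k])
               for k in ICMP_KEYWORDS if k in opts)


def matching_sids(packet: bytes, rules=SAMPLE_RULES) -> list:
    """SIDs of all rules that fire on the given packet."""
    return [parse_rule_options(r)["sid"] for r in rules if rule_matches(r, packet)]


def build_icmp(icmp_type: int, code: int, ident: int, seq: int,
               payload: bytes = b"") -> bytes:
    """Build a constructed ICMP packet; checksum is left zero on purpose
    because the matcher never validates it."""
    return struct.pack("!BBHHH", icmp_type, code, 0, ident, seq) + payload


if __name__ == "__main__":
    for desc, pkt in [
        ("echo request, static id 1234 / seq 0", build_icmp(8, 0, 1234, 0)),
        ("echo request, dynamic id/seq", build_icmp(8, 0, 4321, 7)),
        ("out-of-range type 200", build_icmp(200, 0, 5, 6)),
        ("echo reply (type 0)", build_icmp(0, 0, 1234, 0)),
    ]:
        print(f"{desc}: {matching_sids(pkt) or 'no match'}")
```

A rule that sets icmp_id and icmp_seq only fires when every keyword in it matches, so the static-value rule stays quiet on ordinary echo traffic whose ID and sequence differ, while the itype range rules catch types outside the expected values regardless of ID and sequence.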