Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
Chapter 30: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Inspecting ICMP Header Values
LICENSE: Protection
The Sourcefire 3D System supports keywords that you can use to identify attacks
and security policy violations in the headers of ICMP packets. Note, however, that
predefined rules exist that detect most ICMP types and codes. Consider enabling
an existing rule or creating a local rule based on an existing rule; you may be able
to find a rule that meets your needs more quickly than if you build an ICMP rule
from scratch.
See the following sections for more information about ICMP-specific keywords:
• Identifying Static ICMP ID and Sequence Values
• Inspecting the ICMP Message Type
•
Identifying Static ICMP ID and Sequence Values
LICENSE: Protection
The ICMP identification and sequence numbers help associate ICMP replies with ICMP requests. In normal traffic, these values are dynamically assigned to packets. Some covert channel and Distributed Denial of Service (DDoS) programs use static ICMP ID and sequence values. The following keywords allow you to identify ICMP packets with static values.
icmp_id
The icmp_id keyword inspects an ICMP echo request or reply packet's ICMP ID number. Use a numeric value that corresponds with the ICMP ID number as the argument for the icmp_id keyword.
icmp_seq
The icmp_seq keyword inspects an ICMP echo request or reply packet's ICMP sequence number. Use a numeric value that corresponds with the ICMP sequence number as the argument for the icmp_seq keyword.
Inspecting the ICMP Message Type
LICENSE: Protection
Use the itype keyword to look for packets with specific ICMP message type values. You can specify either a valid ICMP type value (see for a full list of ICMP type numbers) or an invalid ICMP type value to test for different types of traffic. For example, attackers may set ICMP type values out of range to cause denial of service and flooding attacks.
You can specify a range for the itype argument value using less than (<) and greater than (>).
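The following script is an added illustration, not code from the Sourcefire 3D System or this guide. It models how the icmp_id, icmp_seq and itype keywords from the two sections above evaluate against the ICMP header, including the < and > range form of itype and the restriction of icmp_id/icmp_seq to echo request/reply packets, over constructed sample packets; the rule values and helper names are assumptions chosen for the example.

```python
import struct

ECHO_TYPES = (0, 8)  # echo reply and echo request: the only types icmp_id/icmp_seq inspect

def build_icmp(itype, code, icmp_id, seq, payload=b""):
    """Build a constructed ICMP header (type, code, checksum, id, seq) plus payload.
    Sample packets only: the checksum is left at 0 and never validated."""
    return struct.pack("!BBHHH", itype, code, 0, icmp_id, seq) + payload

def parse_icmp(pkt):
    """Extract the header fields that the itype, icmp_id and icmp_seq keywords inspect."""
    itype, _code, _csum, icmp_id, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"itype": itype, "icmp_id": icmp_id, "icmp_seq": seq}

def numeric_arg_matches(arg, value):
    """Evaluate a keyword argument: a plain value 'N', or a range '<N' / '>N'."""
    arg = arg.strip()
    if arg.startswith("<"):
        return value < int(arg[1:])
    if arg.startswith(">"):
        return value > int(arg[1:])
    return value == int(arg)

def rule_matches(rule, pkt):
    """A rule is a dict of keyword -> argument string; every keyword must match.
    icmp_id and icmp_seq only apply to echo request/reply, so a rule using them
    cannot match any other message type (other types carry no id/seq fields)."""
    fields = parse_icmp(pkt)
    if ("icmp_id" in rule or "icmp_seq" in rule) and fields["itype"] not in ECHO_TYPES:
        return False
    return all(numeric_arg_matches(arg, fields[kw]) for kw, arg in rule.items())

def scan(packets, rules):
    """Return {packet_name: [names of rules that matched]} for detection review."""
    return {name: [rname for rname, rule in rules.items() if rule_matches(rule, pkt)]
            for name, pkt in packets.items()}

# Constructed rules mirroring the keywords described above. The values are
# illustrative placeholders, not the signature of any particular tool.
RULES = {
    "static_id_seq": {"icmp_id": "1234", "icmp_seq": "1"},  # covert-channel style static values
    "out_of_range_type": {"itype": ">40"},                   # invalid/out-of-range ICMP type
}

# Constructed sample traffic: a normal echo request, one with static id/seq,
# and one whose type value lies outside the valid ICMP type range.
SAMPLE_PACKETS = {
    "normal_echo": build_icmp(8, 0, 0x5E3A, 17),
    "static_echo": build_icmp(8, 0, 1234, 1),
    "bad_type": build_icmp(200, 0, 0x5E3A, 3),
}
```

Running `scan(SAMPLE_PACKETS, RULES)` flags only the static-value echo and the out-of-range type packet; the normal echo request matches nothing.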