Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Filtering Rules in an Intrusion Policy
License: Protection
You can filter the rules you display on the Rules page by a single criterion, or by a combination of
one or more criteria.
The filter you construct is shown in the Filter text box. You can click keywords and keyword arguments
in the filter panel to construct a filter. When you select multiple keywords, the system combines them
using AND logic to create a compound search filter. For example, if you select preprocessor under
Category and then select Rule Content > GID and enter 116, you get a filter of
Category:"preprocessor" GID:"116", which retrieves all rules that are preprocessor rules and have a
GID of 116.
The Category, Microsoft Vulnerabilities, Microsoft Worms, Platform Specific, Preprocessor, and
Priority filter groups allow you to submit more than one argument for a keyword, separated by commas.
For example, you can press Shift and then select os-linux and os-windows from Category to produce the
filter Category:"os-windows,os-linux", which retrieves any rules in the os-linux category or in the
os-windows category.
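The combination logic from the two paragraphs above, as an added Python sketch that is not Cisco code: separate keywords are ANDed, and the comma-separated arguments of one keyword are ORed. The rule records, their SIDs, the GID 119 and example-other values, and the helper names parse_filter, matches and apply_filter are constructed for illustration and model only the semantics stated here, not the product's implementation.

```python
import re

# One keyword:"arguments" term, e.g. Category:"os-windows,os-linux".
TERM = re.compile(r'([A-Za-z][\w ]*?)\s*:\s*"([^"]*)"')
# Curly quotes pasted from documentation are normalized to straight quotes.
QUOTES = str.maketrans("\u201c\u201d", '""')

def parse_filter(text):
    """Return a list of (keyword, {arguments}) terms from a filter string."""
    terms = []
    for keyword, args in TERM.findall(text.translate(QUOTES)):
        wanted = {a.strip().lower() for a in args.split(",") if a.strip()}
        terms.append((keyword.strip().lower(), wanted))
    return terms

def matches(attrs, terms):
    """AND across terms; OR across the arguments inside a single term."""
    return all(attrs.get(keyword, set()) & wanted for keyword, wanted in terms)

def apply_filter(rules, text):
    """Return the SIDs of the rules that satisfy every term of the filter."""
    terms = parse_filter(text)
    return [sid for sid, attrs in rules if matches(attrs, terms)]

# Constructed sample rules: (SID, attributes). Not taken from a real rule set.
RULES = [
    (1001, {"category": {"os-linux"}, "gid": {"1"}}),
    (1002, {"category": {"os-windows"}, "gid": {"1"}}),
    (1003, {"category": {"preprocessor"}, "gid": {"116"}}),
    (1004, {"category": {"preprocessor"}, "gid": {"119"}}),
    (1005, {"category": {"example-other"}, "gid": {"1"}}),
]

if __name__ == "__main__":
    for f in ('Category:"preprocessor" GID:"116"',
              'Category:"os-windows,os-linux"',
              'Category:"os-windows,os-linux" GID:"116"'):
        print(f, "->", apply_filter(RULES, f))
```

The third filter in the demo returns no rules, which is the practical consequence of AND logic: adding a keyword can only narrow the result, while adding a comma-separated argument can only widen it.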
To show the filter panel, click the show icon.
To hide the filter panel, click the hide icon.
Understanding Rule Filtering in an Intrusion Policy
License: Protection
Rule filter keywords help you find the rules for which you want to apply rule settings, such as rule states
or event filters. You can filter by a keyword and simultaneously select the argument for the keyword by
selecting the argument you want from the Rules page filter panel.
Guidelines for Constructing Intrusion Policy Rule Filters
License: Protection
In most cases, when you are building a filter, you can use the filter panel to the left of the Rules page in
the intrusion policy to select the keywords/arguments you want to use.
Rule filters are grouped into rule filter groups in the filter panel. Many rule filter groups contain
sub-criteria so that you can more easily find the specific rules you are looking for. Some of the rule filters
have multiple levels that you expand to drill down to individual rules.