Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 21      Managing Rules in an Intrusion Policy 
  Filtering Rules in an Intrusion Policy
Keyword:"argument"

where keyword is one of the keywords in the filter groups described in the table and argument is enclosed in double quotes and is a single, case-insensitive, alphanumeric string to search for in the specific field or fields relevant to the keyword. Note that keywords should be typed with initial capitalization.
Arguments for all keywords except gid and sid are treated as partial strings. For example, the argument 123 returns "12345", "41235", "45123", and so on. The arguments for gid and sid return only exact matches; for example, sid:3080 returns only SID 3080.
Each rule filter can also include one or more alphanumeric character strings. Character strings search the rule Message field, Signature ID, and Generator ID. For example, the string 123 returns the strings "Lotus123", "123mania", and so on in the rule message, and also returns SID 6123, SID 12375, and so on. For information on the rule Message field, see . For information on rule SIDs and GIDs, see . You can search for a partial SID by filtering with one or more character strings.
All character strings are case-insensitive and are treated as partial strings. For example, any of the strings ADMIN, admin, or Admin return "admin", "CFADMIN", "Administrator", and so on.
You can enclose character strings in quotes to return exact matches. For example, the literal string "overflow attempt" in quotes returns only that exact string, whereas a filter comprised of the two strings overflow and attempt without quotes returns "overflow attempt", "overflow multipacket attempt", "overflow with evasion attempt", and so on.
You can narrow filter results by entering any combination of keywords, character strings, or both, separated by spaces. The result includes any rule that matches all the filter conditions.

You can enter multiple filter conditions in any order. For example, each of the following filters returns the same rules:
  • url:at login attempt cve:200
  • login attempt cve:200 url:at
  • login cve:200 attempt url:at
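As an added worked example (not part of the user guide and not Cisco's implementation), the following Python models the filter semantics described above against a handful of constructed rules: keyword conditions where gid and sid require an exact match and every other keyword is a partial match, plain character strings searched over the Message, SID and GID, a quoted string kept as one contiguous phrase rather than split into words, and all conditions combined with AND so that their order does not matter. The sample rules, and the assumption that the cve and url keywords search per-rule reference lists, are mine; the filter-group table that defines those keywords is not on this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rules, not real FireSIGHT/Snort rules. The layout of the
# "refs" field (what the cve and url keywords search) is an assumption; the
# guide's filter-group table that defines those keywords is not reproduced here.
RULES: List[Dict] = [
    {"gid": 1, "sid": 3080,  "msg": "WEB-MISC admin login attempt",
     "refs": {"cve": ["2001-0200"], "url": ["example.invalid/at/login"]}},
    {"gid": 1, "sid": 6123,  "msg": "Lotus123 overflow attempt",
     "refs": {"cve": ["2003-1234"], "url": []}},
    {"gid": 1, "sid": 12375, "msg": "FTP overflow multipacket attempt",
     "refs": {"cve": [], "url": ["example.invalid/attack"]}},
    {"gid": 3, "sid": 3080,  "msg": "CFADMIN overflow with evasion attempt",
     "refs": {"cve": ["2000-0123"], "url": []}},
    {"gid": 1, "sid": 41235, "msg": "Administrator password guess",
     "refs": {"cve": [], "url": []}},
]

# Only these keywords require the argument to match the whole field.
EXACT_KEYWORDS = {"gid", "sid"}

# One token per match: Keyword:"arg", Keyword:arg, "quoted phrase", or bare word.
TOKEN_RE = re.compile(
    r'(?P<kw>[A-Za-z]+):(?:"(?P<qarg>[^"]*)"|(?P<arg>\S+))'
    r'|"(?P<phrase>[^"]*)"'
    r'|(?P<word>\S+)'
)


def parse_filter(text: str) -> List[Tuple[str, str]]:
    """Split a filter into (keyword, value) conditions.

    keyword is "" for a plain character string. Keywords are lower-cased, so
    "Sid:3080" and "sid:3080" are the same condition. A quoted string stays
    one condition ("overflow attempt"); unquoted words become one each.
    """
    conds = []
    for m in TOKEN_RE.finditer(text):
        if m.group("kw"):
            arg = m.group("qarg") if m.group("qarg") is not None else m.group("arg")
            conds.append((m.group("kw").lower(), arg.lower()))
        elif m.group("phrase") is not None:
            conds.append(("", m.group("phrase").lower()))
        else:
            conds.append(("", m.group("word").lower()))
    return conds


def _fields(rule: Dict, keyword: str) -> List[str]:
    """Lower-cased field values a condition is checked against."""
    if keyword == "":
        # Plain character strings search Message, SID and GID.
        return [rule["msg"].lower(), str(rule["sid"]), str(rule["gid"])]
    if keyword in EXACT_KEYWORDS:
        return [str(rule[keyword])]
    # cve, url: assumed to live in the rule's reference lists.
    return [v.lower() for v in rule["refs"].get(keyword, [])]


def _matches(rule: Dict, keyword: str, value: str) -> bool:
    fields = _fields(rule, keyword)
    if keyword in EXACT_KEYWORDS:
        return value in fields                  # whole-ID match: sid:308 finds nothing
    return any(value in f for f in fields)      # case-insensitive substring


def apply_filter(text: str, rules: List[Dict] = RULES) -> List[Tuple[int, int]]:
    """Return (gid, sid) of every rule that satisfies ALL conditions, in rule order.

    An empty filter returns every rule, like the unfiltered Rules page.
    """
    conds = parse_filter(text)
    return [(r["gid"], r["sid"]) for r in rules
            if all(_matches(r, kw, val) for kw, val in conds)]


if __name__ == "__main__":
    for f in ['123', 'sid:3080', 'sid:308', '308', 'gid:1 sid:3080', 'Admin',
              '"overflow attempt"', 'overflow attempt',
              'url:at login attempt cve:200', 'login cve:200 attempt url:at']:
        print(f"{f!r:35} -> {apply_filter(f)}")
```

The contrast between sid:308 (no result, because gid and sid arguments are exact) and the bare string 308 (both rules whose SID contains 308) is the partial-SID search the text describes, and the two orderings of the url/login/attempt/cve filter return the same single rule because every condition must hold regardless of position.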
Setting a Rule Filter in an Intrusion Policy
License: Protection
You can filter the rules on the Rules page to display a subset of rules. You can then use any of the page 
features, including selecting any of the features available in the context menu. This can be useful, for 
example, when you want to set a threshold for all the rules in a specific category. You can use the same 
features with rules in a filtered or unfiltered list. For example, you can apply new rule states to rules in 
a filtered or unfiltered list. 
You can select predefined filter keywords from the filter panel on the left side of the Rules page in the 
intrusion policy. When you select a filter, the page displays all matching rules, or indicates when no rules 
match. 
For more information on all the keywords and arguments you can use and how you can construct filters from the filter panel, see .
You can add keywords to a filter to further constrain it. Any filter you enter searches the entire rules 
database and returns all matching rules. When you enter a filter while the page still displays the result 
of a previous filter, the page clears and returns the result of the new filter instead.