Cisco Firepower Management Center 4000

32-41
FireSIGHT System User Guide
 
Chapter 32      Understanding and Writing Intrusion Rules
  Understanding Keywords and Arguments in Rules
  • author s to display all rules where you have used author for key and any terms such as SnortGuru or SnortUser1 or SnortUser2 for value.
Tip
When you search for both key and value, use the same connecting operator (equal to [=] or a space character) in searches that is used in the key value statement in the rule; searches return different results depending on whether you follow key with equal to (=) or a space character.
Note that regardless of the format you use to add metadata, the system interprets your metadata search term as all or part of a key value or key=value statement. For example, the following would be valid metadata that does not follow a key value or key=value format:
ab cd ef gh
However, the system would interpret each space in the example as a separator between a key and value. Thus, you could successfully locate a rule containing the example metadata using any of the following searches for juxtaposed and single terms:
cd ef
ef gh
ef
but you would not locate the rule using the following search, which the system would interpret as a single key value statement (ab and ef are not adjacent in the metadata):
ab ef
For more information, see 
Setting Impact Level 1
License: Protection
You can use the following reserved key value statement in a metadata keyword:
impact_flag red
This key value statement sets the impact flag to red (level 1) for a local rule you import or a custom rule you create using the rule editor.
Note that when the Cisco Vulnerability Research Team (VRT) includes the impact_flag red statement in a rule provided by Cisco, VRT has determined that a packet triggering the rule indicates that the source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
See 
 a for more information.
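The following is an added example, not code from the FireSIGHT guide or from Cisco. It models the two behaviours described above: the Metadata search matching a term as all or part of a single key value or key=value statement (so the space-versus-equals operator and the adjacency of terms both matter, as in the ab cd ef gh example), and the reserved impact_flag red statement marking a local rule as impact level 1. The sample rules, the SIDs, and the helper names are constructed for the demonstration; the assumption that matching is case-insensitive is ours and is not stated by the guide.

```python
"""Added example (not part of the FireSIGHT guide): a small model of how the
rule editor's Metadata search treats key value / key=value statements, plus a
check for the reserved 'impact_flag red' statement.

Assumptions (ours, not the guide's): rules are plain Snort rule text, the
metadata option holds comma-separated statements, a search term matches when
it occurs as text inside one statement, and matching ignores case.
"""
import re

# Constructed sample rules; SIDs and message text are made up for the demo.
SAMPLE_RULES = {
    1000001: 'alert tcp any any -> any 80 (msg:"guru rule"; '
             'metadata:author SnortGuru, service http; sid:1000001; rev:1;)',
    1000002: 'alert tcp any any -> any 80 (msg:"user rule"; '
             'metadata:author=SnortUser1; sid:1000002; rev:1;)',
    1000003: 'alert tcp any any -> any 443 (msg:"odd metadata"; '
             'metadata:ab cd ef gh; sid:1000003; rev:1;)',
    1000004: 'alert tcp any any -> any any (msg:"compromised host"; '
             'metadata:author SnortUser2, impact_flag red; sid:1000004; rev:1;)',
}

_META_RE = re.compile(r'\bmetadata:\s*([^;]*);')


def metadata_statements(rule):
    """Return the metadata statements of a rule, e.g.
    ['author SnortGuru', 'service http'].  Statements are comma-separated;
    the key/value separator (space or =) inside each one is kept as written."""
    m = _META_RE.search(rule)
    if not m:
        return []
    return [s.strip() for s in m.group(1).split(',') if s.strip()]


def statement_matches(statement, term):
    """A term matches when it is all or part of one statement (case-insensitive
    by assumption).  Because the comparison is literal, 'author s' (space) and
    'author=S' (equals) match different rules, and 'ab ef' never matches
    'ab cd ef gh' since those tokens are not adjacent."""
    return term.strip().lower() in statement.lower()


def search_metadata(rules, term):
    """Sorted SIDs of rules whose metadata contains the search term."""
    return sorted(
        sid for sid, text in rules.items()
        if any(statement_matches(s, term) for s in metadata_statements(text))
    )


def impact_red_rules(rules):
    """Sorted SIDs carrying the reserved 'impact_flag red' statement (level 1).
    The whole statement must be present; 'impact_flag' alone is not enough."""
    return sorted(
        sid for sid, text in rules.items()
        if 'impact_flag red' in metadata_statements(text)
    )


if __name__ == '__main__':
    for term in ('author s', 'author=S', 'cd ef', 'ef gh', 'ef', 'ab ef'):
        print(f'{term!r:12} -> {search_metadata(SAMPLE_RULES, term)}')
    print('impact_flag red ->', impact_red_rules(SAMPLE_RULES))
```

Running the script shows that 'author s' finds the two rules written with a space separator but not the one written as author=SnortUser1, that 'cd ef', 'ef gh' and 'ef' each locate the ab cd ef gh rule while 'ab ef' locates nothing, and that only the rule carrying the full impact_flag red statement is reported as impact level 1.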
Inspecting IP Header Values
License: Protection
You can use keywords to identify possible attacks or security policy violations in the IP headers of 
packets. See the following sections for more information:
  •
  •
  •
  •
  •
  •