Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 32      Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
The following list provides the string syntax recognized by the system for defined DNP3 internal indications flags.
class_1_events
class_2_events
class_3_events
need_time
local_control
device_trouble
device_restart
no_func_code_support
object_unknown
parameter_error
event_buffer_overflow
already_executing
config_corrupt
reserved_2
reserved_1
To specify DNP3 internal indications flags:
Access: Admin/Intrusion Admin
Step 1
On the Create Rule page, select dnp3_ind in the drop-down list and click Add Option.
The dnp3_ind keyword appears.
Step 2
You can specify the string for a single known flag or a comma-separated list of flags.
dnp3_obj
You can use the dnp3_obj keyword to match against DNP3 object headers in a request or response.
DNP3 data is comprised of a series of DNP3 objects of different types such as analog input, binary input, and so on. Each type is identified with a group such as analog input group, binary input group, and so on, each of which can be identified by a decimal value. The objects in each group are further identified by an object variation such as 16-bit integers, 32-bit integers, short floating point, and so on, each of which specifies the data format of the object. Each type of object variation can also be identified by a decimal value.
You identify object headers by specifying the decimal number for the type of object header group and the decimal number for the type of object variation. The combination of the two defines a specific type of DNP3 object.
To specify a DNP3 object:
Access: Admin/Intrusion Admin
Step 1
On the Create Rule page, select dnp3_obj in the drop-down list and click Add Option.
The dnp3_obj keyword appears.
Step 2
Specify a decimal value 0 through 255 to identify a known object group, and another decimal value 0 through 255 to identify a known object variation type.
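As an added example (not code from the guide or from Snort) that covers both the dnp3_ind flag list above and the dnp3_obj group/variation numbers: the Python below walks the object headers of a constructed DNP3 READ request and decodes a constructed 2-byte IIN field, then applies a rule's flag list and group/variation pair the way those keywords inspect a fragment. The IIN bit positions follow the DNP3 (IEEE 1815) layout; treating a flag list as match-any is this example's assumption, since the page does not say how a list is combined.

```python
"""Decode the two DNP3 application-layer fields that dnp3_obj and dnp3_ind inspect:
object headers (group, variation) and response IIN flags. Added example; sample bytes are constructed."""

# Flag names as the page lists them, keyed by (IIN byte, bit). IIN1 bit 0 (all-stations)
# is not named on this page, so it is left out.
IIN_FLAGS = {
    (0, 1): "class_1_events", (0, 2): "class_2_events", (0, 3): "class_3_events",
    (0, 4): "need_time", (0, 5): "local_control", (0, 6): "device_trouble",
    (0, 7): "device_restart", (1, 0): "no_func_code_support", (1, 1): "object_unknown",
    (1, 2): "parameter_error", (1, 3): "event_buffer_overflow", (1, 4): "already_executing",
    (1, 5): "config_corrupt", (1, 6): "reserved_2", (1, 7): "reserved_1",
}
# Byte length of the range field for each range-specifier code (low nibble of the qualifier).
RANGE_SIZE = {0: 2, 1: 4, 2: 8, 3: 2, 4: 4, 5: 8, 6: 0, 7: 1, 8: 2, 9: 4, 0xB: 1}

def decode_iin(iin):
    """Set of flag names set in the 2-byte IIN field of a response."""
    return {name for (byte, bit), name in IIN_FLAGS.items() if iin[byte] >> bit & 1}

def read_request_headers(fragment):
    """[(group, variation), ...] for each object header in a READ request: app control(1) |
    function code 0x01(1) | headers of group(1) | variation(1) | qualifier(1) | range field
    sized per RANGE_SIZE. READ requests carry no object data, so headers are back to back."""
    if len(fragment) < 2 or fragment[1] != 0x01:
        raise ValueError("this example only walks READ (function 0x01) requests")
    headers, pos = [], 2
    while pos < len(fragment):
        group, variation, qualifier = fragment[pos:pos + 3]  # truncated header -> ValueError
        headers.append((group, variation))
        pos += 3 + RANGE_SIZE[qualifier & 0x0F]  # KeyError on an unsupported range code
    return headers

def dnp3_obj_matches(fragment, group, variation):
    """True when a header with the rule's decimal group and variation is present."""
    return (group, variation) in read_request_headers(fragment)

def dnp3_ind_matches(iin, flags):
    """True when any flag in the rule's comma-separated list is set (match-any is
    this example's assumption; the page does not say how a list is combined)."""
    wanted = {f.strip() for f in flags.split(",")}
    unknown = wanted - set(IIN_FLAGS.values())
    if unknown:
        raise ValueError("unknown dnp3_ind flag(s): " + ", ".join(sorted(unknown)))
    return bool(wanted & decode_iin(iin))

# Constructed samples: a class 0-3 poll, a read of two explicit index ranges, and response IIN bytes.
CLASS_POLL = bytes.fromhex("c001 3c0206 3c0306 3c0406 3c0106")
READ_RANGES = bytes.fromhex("c101 010200 0007 1e0101 00000300")
SAMPLE_IIN = bytes([0x90, 0x20])  # need_time + device_restart, config_corrupt
```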