Cisco Firepower Management Center 4000
32-88
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
For example, when a rule with the following tag keyword value triggers:

host, 30, seconds, dst

all packets that are transmitted from the client to the host for the next 30 seconds are logged.
Detecting Attacks That Span Multiple Packets

License: Protection
Use the flowbits keyword to assign state names to sessions. By analyzing subsequent packets in a session according to the previously named state, the system can detect and alert on exploits that span multiple packets in a single session.
The flowbits state name is a user-defined label assigned to packets in a specific part of a session. You can label packets with state names based on packet content to help distinguish malicious packets from those you do not want to alert on. You can define up to 1024 state names per managed device. For example, if you want to alert on malicious packets that you know only occur after a successful login, you can use the flowbits keyword to filter out the packets that constitute an initial login attempt so you can focus only on the malicious packets. You can do this by first creating a rule that labels all packets in the session that have an established login with a logged_in state, then creating a second rule where flowbits checks for packets with the state you set in the first rule and acts only on those packets. See for an example that uses flowbits to determine if a user is logged in.
An optional group name allows you to include a state name in a group of states. A state name can belong to several groups. States not associated with a group are not mutually exclusive, so a rule that triggers and sets a state that is not associated with a group does not affect other currently set states. See for an example that illustrates how including a state name in a group can prevent false positives by unsetting another state in the same group.
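The two-rule pattern described above, as an added example that is not part of the guide or of Cisco's or Snort's own code: a small Python model that parses constructed rules in Snort syntax, carries flowbits state with the session from packet to packet, and shows that the second rule only fires once the first has labelled the session. It models groups the way this section describes them (setting a state in a group clears the other states in that group); the rule strings, session payloads and the auth group name are constructed for the example.

```python
import re

# Constructed rules in Snort syntax (not from the guide). Rule 1 labels the session
# after a successful login and suppresses its own alert; rule 2 labels a logout in
# the same group, which clears logged_in; rule 3 fires only while logged_in is set.
RULES = [
    'alert tcp any any -> any any (msg:"login ok"; content:"230 User logged in"; '
    'flowbits:set,logged_in,auth; flowbits:noalert; sid:1000001;)',
    'alert tcp any any -> any any (msg:"logout"; content:"221 Goodbye"; '
    'flowbits:set,logged_out,auth; flowbits:noalert; sid:1000002;)',
    'alert tcp any any -> any any (msg:"exec after login"; content:"SITE EXEC"; '
    'flowbits:isset,logged_in; sid:1000003;)',
]

def parse_rule(text):
    """Return (msg, content, [(operator, state, group), ...]) for one rule string."""
    msg = re.search(r'msg:"([^"]*)"', text).group(1)
    content = re.search(r'content:"([^"]*)"', text).group(1)
    ops = re.findall(r'flowbits:(\w+)(?:,([\w.\-]+))?(?:,([\w.\-]+))?;', text)
    return msg, content, ops

def evaluate(rules, payloads):
    """Feed one session's payloads through the rules in order and return alert msgs.
    Flowbits state belongs to the session, so it persists from packet to packet."""
    state = {}  # state_name -> group ("" when the state is not in a group)
    alerts = []
    for payload in payloads:
        for msg, content, ops in rules:
            if content not in payload:
                continue
            # isset is a match condition: every checked state must already be set
            if not all(st in state for op, st, _ in ops if op == "isset"):
                continue
            for op, st, grp in ops:
                if op == "set":
                    if grp:  # grouped states are mutually exclusive, as this section describes
                        state = {k: g for k, g in state.items() if g != grp}
                    state[st] = grp
            if not any(op == "noalert" for op, _, _ in ops):
                alerts.append(msg)
    return alerts

def demo():
    """Constructed FTP-style sessions: the same command with, without and after a login."""
    rules = [parse_rule(r) for r in RULES]
    return (evaluate(rules, ["230 User logged in", "SITE EXEC ls"]),
            evaluate(rules, ["530 Login incorrect", "SITE EXEC ls"]),
            evaluate(rules, ["230 User logged in", "221 Goodbye", "SITE EXEC ls"]))
```

Only the first session produces an alert; the second never had the logged_in state, and in the third the logout rule cleared it through the group.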
The following table describes the various combinations of operators, states, and groups available to the flowbits keyword. Note that state names can contain alphanumeric characters, periods (.), underscores (_), and dashes (-).
Table 32-55    Logging Metrics Arguments

Argument   Description
packets    Logs the number of packets specified by the count after the rule triggers.
seconds    Logs traffic for the number of seconds specified by the count after the rule triggers.
Table 32-56    flowbits Options

Operator   State Option             Group      Description
set        state_name               optional   Sets the specified state for a packet. Sets the state in the specified group if a group is defined.
           state_name&state_name    optional   Sets the specified states for a packet. Sets the states in the specified group if a group is defined.