Cisco Firepower Management Center 2000
FireSIGHT System User Guide

Chapter 21      Managing Rules in an Intrusion Policy
  Filtering Rules in an Intrusion Policy
Understanding Rule Categories
License: Protection
The FireSIGHT System places rules in categories based on the type of traffic the rule detects. On the Rules page, you can filter by rule category so you can set a rule attribute for all rules in a category. For example, if you do not have Linux hosts on your network, you might filter by the os-linux category and then disable all the rules shown, which disables the entire os-linux category.
You can hover your pointer over a category name to display the number of rules in the category.
Note: The Cisco VRT may use the rule update mechanism to add and remove rule categories.
Editing a Rule Filter Directly
License: Protection
You can edit your filter to modify the special keywords and their arguments that are supplied when you click a filter in the filter panel. Custom filters on the Rules page function like those used in the rule editor, but you can also use any of the keywords supplied in the Rules page filter, using the syntax displayed when you select the filter through the filter panel. To determine a keyword for future use, click the appropriate argument in the filter panel on the right. The filter keyword and argument syntax appear in the filter text box.
To see lists of arguments for keywords that support only specific values, see . Remember that comma-separated multiple arguments for a keyword are supported only for the Category and Priority filter types.
You can use keywords and arguments, character strings, and literal character strings in quotes, with spaces separating multiple filter conditions; every condition must match. A filter cannot include regular expressions, wildcard characters, or any special operator such as a negation character (!), a greater-than symbol (>), a less-than symbol (<), and so on. When you type search terms without a keyword, without initial capitalization of the keyword, or without quotes around an argument that contains spaces, the search is treated as a string search, and the category, message, and SID fields are searched for the specified terms.
All keywords, keyword arguments, and character strings are case-insensitive. Except for the gid and sid keywords, all arguments and strings are treated as partial strings (substring matches). Arguments for gid and sid return only exact matches.
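To make the filter semantics above concrete (keyword versus string search, partial versus exact matching for gid/sid, comma-separated arguments only for Category and Priority, rejection of operators and wildcards, and the "filter a category, then set a state on everything shown" workflow from Understanding Rule Categories), here is an added example in Python. It is not Cisco's code and does not call the FireSIGHT System; it models the documented behaviour over a constructed set of rule records. The field names, the requirement that a recognised keyword start with a capital letter, and the concrete set of rejected characters are assumptions made for the example.

```python
"""Added example (not from the FireSIGHT guide or Cisco): a small model of the
Rules page filter syntax described above, exercised over constructed rule
records so the matching semantics can be checked offline."""
import re

# Constructed sample rules, not real VRT rules. Field names are assumed.
RULES = [
    {"gid": 1, "sid": 1000,  "category": "os-linux",      "message": "OS-LINUX sample rule A",     "metadata": "service http", "priority": "low",    "state": "enabled"},
    {"gid": 1, "sid": 10001, "category": "os-windows",    "message": "OS-WINDOWS sample rule",     "metadata": "service smb",  "priority": "high",   "state": "enabled"},
    {"gid": 3, "sid": 1000,  "category": "server-apache", "message": "SERVER-APACHE http example", "metadata": "service http", "priority": "medium", "state": "enabled"},
    {"gid": 1, "sid": 2000,  "category": "os-linux",      "message": "OS-LINUX sample rule B",     "metadata": "service dns",  "priority": "medium", "state": "enabled"},
]

KEYWORDS = {"gid", "sid", "category", "message", "metadata", "priority"}
EXACT_KEYWORDS = {"gid", "sid"}                 # exact match only, per the guide
MULTI_ARG_KEYWORDS = {"category", "priority"}   # comma-separated arguments only here
STRING_SEARCH_FIELDS = ("category", "message", "sid")  # fields searched for bare terms
FORBIDDEN_CHARS = set("!<>*?")  # assumed concrete set: operators and wildcards are rejected

# A token is a run of non-space text in which double-quoted spans may contain spaces,
# so Metadata:"service http" is one token.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def parse_filter(text):
    """Return a list of (field, args) conditions; field is None for a string search."""
    conditions = []
    for token in TOKEN_RE.findall(text):
        if any(c in FORBIDDEN_CHARS for c in token):
            raise ValueError(f"operators, wildcards and regular expressions are not allowed: {token!r}")
        m = re.fullmatch(r"([A-Za-z]+):(.+)", token)
        # Keyword syntax is recognised only with an initial capital letter (assumed
        # reading of the guide); anything else is a string search over several fields.
        if m and m.group(1)[0].isupper() and m.group(1).lower() in KEYWORDS:
            field, arg = m.group(1).lower(), m.group(2)
            if len(arg) >= 2 and arg[0] == arg[-1] == '"':
                arg = arg[1:-1]             # quoted literal argument
            args = arg.split(",") if field in MULTI_ARG_KEYWORDS else [arg]
            conditions.append((field, [a.strip().lower() for a in args if a.strip()]))
        else:
            conditions.append((None, [token.strip('"').lower()]))
    return conditions


def _match_condition(rule, field, args):
    if field is None:                        # string search: category, message, SID
        haystack = " ".join(str(rule[f]) for f in STRING_SEARCH_FIELDS).lower()
        return args[0] in haystack
    value = str(rule[field]).lower()        # everything is case-insensitive
    if field in EXACT_KEYWORDS:
        return any(value == a for a in args)
    return any(a in value for a in args)    # partial (substring) match


def filter_rules(rules, text):
    """Space-separated conditions are ANDed; comma-separated arguments are ORed within one."""
    conditions = parse_filter(text)
    return [r for r in rules if all(_match_condition(r, f, a) for f, a in conditions)]


def set_rule_state(rules, text, state):
    """Apply one rule state to every rule the filter shows (e.g. disable a whole
    category). Mutates the given list and returns the (gid, sid) pairs changed."""
    changed = []
    for r in filter_rules(rules, text):
        r["state"] = state
        changed.append((r["gid"], r["sid"]))
    return changed


if __name__ == "__main__":
    for f in ["Category:os-linux", "Category:os-linux,os-windows", "SID:1000", "1000",
              'Metadata:"service http"', "GID:1 SID:1000", "category:os-linux"]:
        print(f"{f!r:32} -> {[(r['gid'], r['sid']) for r in filter_rules(RULES, f)]}")
    work = [dict(r) for r in RULES]
    print("disabled:", set_rule_state(work, "Category:os-linux", "disabled"))
```

Two contrasts worth noting when running it: the bare term 1000 string-searches the SID field and therefore also returns SID 10001, while SID:1000 returns only exact SID matches (and GID:1 SID:1000 narrows to a single rule); and category:os-linux with a lowercase keyword is not a keyword filter at all but a string search for the literal text, which matches nothing.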
Each rule filter can include one or more keywords in the format:
Table 21-5    Rule Content Filters (continued)

To use this filter, click... | Then... | Result
Rule Overhead | Select the amount of rule overhead to filter by. | Finds rules with the selected rule overhead.
Metadata | Type the metadata key-value pair to filter by, separated by a space. For example, type metadata:"service http" to locate rules with metadata relating to the HTTP application protocol. | Finds rules with metadata containing the matching key-value pair.