FireSIGHT System User Guide
 
Chapter 32 Understanding and Writing Intrusion Rules
Step 1 Select Policies > Intrusion > Rule Editor.
The Rule Editor page appears.
Step 2 You have two choices:
• Click Delete Local Rules, then click OK.
All rules not currently enabled in an intrusion policy whose changes you have saved are deleted from the local rule category and moved to the deleted category.
• Navigate through the folders to the local rule category; click on the local rule category to expand it, then click the delete icon next to a rule you want to delete.
The rule is deleted from the local rule category and moved to the deleted category.
Note that custom standard text rules have a generator ID (GID) of 1 (for example, 1:1000012) and custom shared object rules have a GID of 3 (for example, 3:1000005).
Tip: The system also stores shared object rules that you save with modified header information in the local rule category and lists them with a GID of 3. You can delete your modified version of a shared object rule, but you cannot delete the original shared object rule.
Searching for Rules
License: Protection
The FireSIGHT System provides thousands of standard text rules, and the Cisco Vulnerability Research Team continues to add rules as new vulnerabilities and exploits are discovered. You can easily search for specific rules so that you can activate, deactivate, or edit them.
The following table describes the available search options:
Table 32-59 Rule Search Criteria
Signature ID: To search for a single rule based on Snort ID (also called the Signature ID), enter a Snort ID number. To search for multiple rules, enter a comma-separated list of Snort ID numbers. This field has an 80-character limit.
Generator ID: To search for standard text rules, select 1. To search for shared object rules, select 3.
Message: To search for a rule with a specific message, enter a single word from the rule message in the Message field. For example, to search for DNS exploits, you would enter DNS, or to search for buffer overflow exploits, enter overflow.
Protocol: To search rules that evaluate traffic of a specific protocol, select the protocol. If you do not select a protocol, search results contain rules for all protocols.
Source Port: To search for rules that inspect packets originating from a specified port, enter a source port number or a port-related variable.
Destination Port: To search for rules that inspect packets destined for a specific port, enter a destination port number or a port-related variable.
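The criteria in Table 32-59 map onto fields of a Snort rule header (protocol, source port, destination port) and its msg, gid and sid options. The following Python is an added example, not code from the guide or from Cisco, that applies those criteria to constructed sample rules: a text rule with no gid option belongs to generator 1, the Signature ID field is a comma-separated list limited to 80 characters, Message matches a single word, and ports compare literally so a variable such as $HTTP_PORTS can be searched for.

```python
import re
# Constructed sample rules (not from the guide): two custom standard text rules
# (GID 1, local SIDs from 1000000) and one with gid:3 standing in for a shared object rule.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 53 '
    '(msg:"LOCAL DNS overflow attempt"; sid:1000012; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"LOCAL web buffer overflow"; sid:1000013; rev:2;)',
    'alert udp any any -> any 53 '
    '(msg:"LOCAL DNS query anomaly"; gid:3; sid:1000005; rev:1;)',
]
# Snort rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(text):
    """Extract the fields the Rule Editor search can match on."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    _act, proto, _src, sport, _dir, _dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(';'))):
        key, _, val = opt.partition(':')
        options[key.strip()] = val.strip().strip('"')
    return {"proto": proto.lower(), "src_port": sport, "dst_port": dport,
            "msg": options.get("msg", ""), "sid": int(options["sid"]),
            # A text rule with no gid option belongs to generator 1.
            "gid": int(options.get("gid", 1))}

def parse_sid_field(field):
    """Comma-separated Snort IDs; the UI field allows at most 80 characters."""
    if len(field) > 80:
        raise ValueError("Signature ID field is limited to 80 characters")
    return {int(s) for s in field.split(',') if s.strip()}

def search_rules(rules, sid=None, gid=None, message=None, protocol=None,
                 src_port=None, dst_port=None):
    """Return (gid, sid) pairs of rules matching every criterion given."""
    sids = parse_sid_field(sid) if sid else None
    word = message.lower() if message else None
    hits = []
    for r in map(parse_rule, rules):
        if ((sids is None or r["sid"] in sids)
                and (gid is None or r["gid"] == gid)
                and (word is None or word in r["msg"].lower().split())  # one whole word
                and (protocol is None or r["proto"] == protocol.lower())
                and (src_port is None or r["src_port"] == src_port)  # literal, so $HTTP_PORTS works
                and (dst_port is None or r["dst_port"] == dst_port)):
            hits.append((r["gid"], r["sid"]))
    return hits
```

The option parser splits on semicolons and colons, which is enough for these samples but not for a msg that itself contains those characters.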