Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 45: Searching for Events
When you use CIDR or prefix length notation to specify a block of IP addresses, the FireSIGHT System uses only the portion of the network IP address specified by the mask or prefix length. For example, if you type 10.1.2.3/8, the FireSIGHT System uses 10.0.0.0/8.
The following table contains examples of valid ways to enter IP addresses. Because IP addresses can be represented by network objects, you can also click the add network object icon that appears next to an IP address search field to use a network object as an IP address search criterion. For more information, see

Specifying Ports in Searches
License: Any
The FireSIGHT System accepts specific syntax for port numbers in searches. You can enter:
  • a single port number
  • a comma-separated list of port numbers
  • two port numbers separated by a dash to represent a range of port numbers
  • a port number followed by a protocol abbreviation, separated by a forward slash (only when searching for intrusion events)
  • a port number or range of port numbers preceded by an exclamation mark to indicate a negation of the specified ports
Note: Do not use spaces when specifying port numbers or ranges.
The following table contains examples of valid ways to enter ports as search constraints.

Table 45-3: Acceptable IP Address Syntax

To specify: a single IP address
Type: the IP address.
For example:
    192.168.1.1
    2001:db8::abcd

To specify: multiple IP addresses using a list
Type: a comma-separated list of IP addresses. Do not add a space before or after the commas.
For example:
    192.168.1.1,192.168.1.2
    2001:db8::b3ff, 2001:db8::0202

To specify: a range of IP addresses that can be specified with a CIDR block or prefix length
Type: the IP address block in IPv4 CIDR or IPv6 prefix length notation.
For example:
    192.168.1.0/24
    This specifies any IP in the 192.168.1.0 network with a subnet mask of 255.255.255.0, that is, 192.168.1.0 through 192.168.1.255. For more information, see .

To specify: a range of IP addresses that cannot be specified with a CIDR block or prefix
Type: the IP address range using a hyphen. Do not add a space before or after the hyphen.
For example:
    192.168.1.1-192.168.1.5
    2001:db8::0202-2001:db8::8329

To specify: negation of any of the other ways to specify IP addresses or ranges of IP addresses
Type: an exclamation point in front of the IP address, block, or range.
For example:
    192.168.0.0/32, !192.168.1.10
    !2001:db8::/32
    !192.168.1.10,!2001:db8::/32
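
As an added illustration (not part of the Cisco guide and not Cisco code), the Python sketch below parses the IP address search syntax from Table 45-3 and reports the address span each term covers, including the masking of 10.1.2.3/8 to 10.0.0.0/8 described earlier. The function names are hypothetical, and rejecting whitespace is an assumption based on the guide's "do not add a space" instruction, since the page does not say how the product handles it.

```python
import ipaddress


def parse_term(term):
    """Return (negated, first, last) for one term of an IP search field."""
    if not term or any(c.isspace() for c in term):
        # Assumption: whitespace is rejected, following the guide's
        # "do not add a space" instruction.
        raise ValueError(f"empty term or whitespace in {term!r}")
    negated = term.startswith("!")
    body = term[1:] if negated else term
    if "/" in body:
        # strict=False discards host bits: 10.1.2.3/8 becomes 10.0.0.0/8.
        net = ipaddress.ip_network(body, strict=False)
        return negated, net.network_address, net.broadcast_address
    if "-" in body:
        first, last = (ipaddress.ip_address(p) for p in body.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"invalid range {body!r}")
        return negated, first, last
    addr = ipaddress.ip_address(body)
    return negated, addr, addr


def parse_search(expr):
    """Split a comma-separated search string and parse every term."""
    return [parse_term(t) for t in expr.split(",")]


def effective(expr):
    """Render each term as the first-last span it covers, keeping '!'."""
    out = []
    for negated, first, last in parse_search(expr):
        span = str(first) if first == last else f"{first}-{last}"
        out.append(("!" if negated else "") + span)
    return out


if __name__ == "__main__":
    # Sample search strings; the second one is constructed for this example.
    for sample in ("10.1.2.3/8", "192.168.1.1-192.168.1.5,!192.168.1.3",
                   "!2001:db8::/32"):
        print(sample, "->", effective(sample))
```

Running a search string through a check like this before submitting it shows the span a CIDR term will actually cover once its host bits are discarded.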