Cisco Firepower Management Center 4000
5-17
FireSIGHT System User Guide
Chapter 5 Managing Reusable Objects
Working with Variable Sets
Optimizing Predefined Default Variables
License:
Protection
By default, the FireSIGHT System provides a single default variable set, which is comprised of
predefined default variables. The Cisco Vulnerability Research Team (VRT) uses rule updates to provide
new and updated intrusion rules and other intrusion policy elements, including default variables. See
for more information.
Because many intrusion rules provided by Cisco use predefined default variables, you should set
appropriate values for these variables. Depending on how you use variable sets to identify traffic on your
network, you can modify the values for these default variables in any or all variable sets. See
Caution
Importing an access control or an intrusion policy overwrites existing default variables in the default
variable set with the imported default variables. If your existing default variable set contains a custom
variable not present in the imported default variable set, the unique variable is preserved. For more
information, see
The following table describes the variables provided by Cisco and indicates which variables you
typically would modify. For assistance determining how to tailor variables to your network, contact
Professional Services or Support.
Table 5-2 Variables Provided by Cisco
(columns: Variable Name, Description, Modify?)

$AIM_SERVERS
    Description: Defines known AOL Instant Messenger (AIM) servers, and is used in
    chat-based rules and rules that look for AIM exploits.
    Modify? Not required.

$DNS_SERVERS
    Description: Defines Domain Name Service (DNS) servers. If you create a rule that
    affects DNS servers specifically, you can use the $DNS_SERVERS variable as a
    destination or source IP address.
    Modify? Not required in current rule set.

$EXTERNAL_NET
    Description: Defines the network that the FireSIGHT System views as the
    unprotected network, and is used in many rules to define the external network.
    Modify? Yes, you should adequately define $HOME_NET and then exclude $HOME_NET
    as the value for $EXTERNAL_NET.

$FILE_DATA_PORTS
    Description: Defines non-encrypted ports used in intrusion rules that detect
    files in a network stream.
    Modify? Not required.
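As an added illustration, not code from the guide or from Cisco, the following Python resolver evaluates a constructed variable set and shows why the table tells you to exclude $HOME_NET from $EXTERNAL_NET: when $EXTERNAL_NET is left as "any", an internal source address also counts as external, so every rule keyed on $EXTERNAL_NET sources fires on internal-to-internal traffic. The value syntax ("any", a bracketed CIDR list, or a "!"-negated variable reference) and the network values are assumptions for the example only.

```python
import ipaddress

# Constructed sample variable sets (illustrative values, not Cisco's shipped
# defaults). A value is "any", a bracketed list of CIDRs, or a reference to
# another variable, optionally negated with a leading "!".
WEAK_SET = {
    "$HOME_NET": "[10.0.0.0/8, 192.168.0.0/16]",
    "$EXTERNAL_NET": "any",          # $HOME_NET is not excluded
}
CORRECTED_SET = {
    "$HOME_NET": "[10.0.0.0/8, 192.168.0.0/16]",
    "$EXTERNAL_NET": "!$HOME_NET",   # everything that is not $HOME_NET
}


def matches(var, ip, varset, _seen=()):
    """Return True if address `ip` is covered by variable `var` in `varset`."""
    if var in _seen:
        raise ValueError(f"circular variable reference: {var}")
    value = varset[var].strip()
    if value == "any":
        return True
    negate = value.startswith("!")
    if negate:
        value = value[1:].strip()
    if value.startswith("$"):
        # Nested reference: resolve the referenced variable first.
        hit = matches(value, ip, varset, _seen + (var,))
    else:
        nets = [ipaddress.ip_network(n.strip()) for n in value.strip("[]").split(",")]
        hit = any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negate


def source_is_external(src_ip, varset):
    """Would a rule written for $EXTERNAL_NET sources fire on this source address?"""
    return matches("$EXTERNAL_NET", src_ip, varset)


if __name__ == "__main__":
    for label, vs in (("weak", WEAK_SET), ("corrected", CORRECTED_SET)):
        for src in ("10.1.2.3", "203.0.113.5"):
            print(f"{label:9} {src:12} external={source_is_external(src, vs)}")
```

With the weak set the internal host 10.1.2.3 is reported as external; with the corrected set only 203.0.113.5 is.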