Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 5      Managing Reusable Objects 
  Working with Variable Sets
Table 5-2 Variables Provided by Cisco (continued)

| Variable Name | Description | Modify? |
|---|---|---|
| $FTP_PORTS | Defines the ports of FTP servers on your network, and is used for FTP server exploit rules. | Yes, if your FTP servers use ports other than the default ports (you can view the default ports in the web interface). |
| $GTP_PORTS | Defines the data channel ports where the packet decoder extracts the payload inside a GTP (General Packet Radio Service [GPRS] Tunneling Protocol) PDU. | Not required. |
| $HOME_NET | Defines the network that the associated intrusion policy monitors, and is used in many rules to define the internal network. | Yes, to include the IP addresses for your internal network. |
| $HTTP_PORTS | Defines the ports of web servers on your network, and is used for web server exploit rules. | Yes, if your web servers use ports other than the default ports (you can view the default ports in the web interface). |
| $HTTP_SERVERS | Defines the web servers on your network. Used in web server exploit rules. | Yes, if you run HTTP servers. |
| $ORACLE_PORTS | Defines Oracle database server ports on your network, and is used in rules that scan for attacks on Oracle databases. | Yes, if you run Oracle servers. |
| $SHELLCODE_PORTS | Defines the ports you want the system to scan for shell code exploits, and is used in rules that detect exploits that use shell code. | Not required. |
| $SIP_PORTS | Defines the ports of SIP servers on your network, and is used for SIP exploit rules. | Not required. |
| $SIP_SERVERS | Defines SIP servers on your network, and is used in rules that address SIP-targeted exploits. | Yes, if you run SIP servers, you should adequately define $HOME_NET and then include $HOME_NET as the value for $SIP_SERVERS. |
| $SMTP_SERVERS | Defines SMTP servers on your network, and is used in rules that address exploits that target mail servers. | Yes, if you run SMTP servers. |
| $SNMP_SERVERS | Defines SNMP servers on your network, and is used in rules that scan for attacks on SNMP servers. | Yes, if you run SNMP servers. |
| $SNORT_BPF | Identifies a legacy advanced variable that appears only when it existed on your system in a FireSIGHT System software release before Version 5.3.0 that you subsequently upgraded to Version 5.3.0 or greater. See | No, you can only view or delete this variable. You cannot edit it or recover it after deleting it. |
| $SQL_SERVERS | Defines database servers on your network, and is used in rules that address database-targeted exploits. | Yes, if you run SQL servers. |
| $SSH_PORTS | Defines the ports of SSH servers on your network, and is used for SSH server exploit rules. | Yes, if your SSH servers use ports other than the default port (you can view the default ports in the web interface). |
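
An added example, not taken from the Cisco guide: a small Python check that expands a variable set (including a $SIP_SERVERS value that references $HOME_NET, as the table recommends) and lists inventoried services that a rule whose destination is written with those variables would not cover. Every address, port and inventory entry is a constructed sample value, not a Cisco default, and the parser assumes flat comma-separated lists with no negation or port ranges.

```python
import ipaddress

# Constructed variable set (sample values only, not Cisco defaults).
VARIABLE_SET = {
    "HOME_NET": "[10.1.0.0/16,192.168.50.0/24]",
    "SIP_SERVERS": "$HOME_NET",   # nested reference, as the table recommends
    "SIP_PORTS": "[5060,5061]",
    "HTTP_SERVERS": "[10.1.20.5,10.1.20.6]",
    "HTTP_PORTS": "[80,8080]",    # 8443 is missing on purpose
}

# Constructed inventory: (service, ip, port, network variable, port variable).
INVENTORY = [
    ("web", "10.1.20.5", 80, "HTTP_SERVERS", "HTTP_PORTS"),
    ("web-admin", "10.1.20.6", 8443, "HTTP_SERVERS", "HTTP_PORTS"),
    ("sip", "192.168.50.10", 5060, "SIP_SERVERS", "SIP_PORTS"),
]

def resolve(name, variables, seen=()):
    """Expand a variable to a flat list of literals, following $references."""
    if name in seen:
        raise ValueError("circular reference: $" + name)
    if name not in variables:
        raise KeyError("undefined variable: $" + name)
    values = []
    for item in variables[name].strip("[]").split(","):
        item = item.strip()
        if item.startswith("$"):
            values += resolve(item[1:], variables, seen + (name,))
        elif item:
            values.append(item)
    return values

def header_matches(dst_ip, dst_port, net_var, port_var, variables):
    """True if the destination falls inside both the network and port variable."""
    nets = [ipaddress.ip_network(n, strict=False) for n in resolve(net_var, variables)]
    ports = {int(p) for p in resolve(port_var, variables)}
    return any(ipaddress.ip_address(dst_ip) in n for n in nets) and dst_port in ports

def coverage_gaps(inventory, variables):
    """Names of services that rules using these variables would not inspect."""
    return [name for name, ip, port, net_var, port_var in inventory
            if not header_matches(ip, port, net_var, port_var, variables)]

if __name__ == "__main__":
    print("uncovered:", coverage_gaps(INVENTORY, VARIABLE_SET))
    fixed = dict(VARIABLE_SET, HTTP_PORTS="[80,8080,8443]")
    print("after adding 8443:", coverage_gaps(INVENTORY, fixed))
```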