Cisco Firepower Management Center 4000
21-11
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Filtering Rules in an Intrusion Policy
Items in the filter panel sometimes represent filter type groups, sometimes represent keywords, and
sometimes represent the argument to a keyword. Use the following rules of thumb to help you build your
filters:
• When you select a filter type group heading that is not a keyword (Rule Configuration, Rule Content,
Platform Specific, and Priority), it expands to list the available keywords. When you select a keyword
by clicking on a node in the criteria list, a pop-up window appears where you supply the argument you
want to filter by. If that keyword is already used in the filter, the argument you supply replaces the
existing argument for that keyword.
For example, if you click Drop and Generate Events under Rule Configuration > Recommendation in the
filter panel, Recommendation:"Drop and Generate Events" is added to the filter text box. If you then
click Generate Events under Rule Configuration > Recommendation, the filter changes to
Recommendation:"Generate Events".
• When you select a filter type group heading that is a keyword (Category, Classifications, Microsoft
Vulnerabilities, Microsoft Worms, Priority, and Rule Update), it lists the available arguments. When you
select an item from this type of group, the argument and the keyword it applies to are immediately added
to the filter. If the keyword is already in the filter, it replaces the existing argument for the keyword
that corresponds to that group.
For example, if you click os-linux under Category in the filter panel, Category:"os-linux" is added to
the filter text box. If you then click os-windows under Category, the filter changes to
Category:"os-windows".
• Reference under Rule Content is a keyword, and so are the specific reference ID types listed below it.
When you select any of the reference keywords, a pop-up window appears where you supply an argument and
the keyword is added to the existing filter. If the keyword is already in use in the filter, the new
argument you supply replaces the existing argument.
For example, if you click Rule Content > Reference > CVE ID in the filter panel, a pop-up window prompts
you to supply the CVE ID. If you enter 2007, then CVE:"2007" is added to the filter text box. In another
example, if you click Rule Content > Reference in the filter panel, a pop-up window prompts you to supply
the reference. If you enter 2007, then Reference:"2007" is added to the filter text box.
• When you select rule filter keywords from different groups, each filter keyword is added to the filter
and any existing keywords are maintained (unless overridden by a new value for the same keyword).
For example, if you click os-linux under Category in the filter panel, Category:"os-linux" is added to
the filter text box. If you then click MS00-006 under Microsoft Vulnerabilities, the filter changes to
Category:"os-linux" MicrosoftVulnerabilities:"MS00-006".
• When you select multiple keywords, the system combines them using AND logic to create a compound
search filter. For example, if you select preprocessor under Category and then select Rule Content > GID
and enter 116, you get a filter of Category:"preprocessor" GID:"116", which retrieves all rules that are
preprocessor rules and have a GID of 116.
• The Category, Microsoft Vulnerabilities, Microsoft Worms, Platform Specific, and Priority filter groups
allow you to submit more than one argument for a keyword, separated by commas. For example, you can press
Shift and then select os-linux and os-windows from Category to produce the filter
Category:"os-windows,app-detect", which retrieves any rules in the os-linux category or in the os-windows
category.
The same rule may be retrieved by more than one filter keyword/argument pair. For example, the DOS Cisco
attempt rule (SID 1545) appears if rules are filtered by the dos category, and also if you filter by the
High priority.
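The filter behaviour described in this section (a keyword's argument is replaced when the same keyword is selected again, keywords from different groups accumulate and are ANDed, and comma-separated arguments within one keyword are ORed) can be modelled compactly. The following Python script is an added example written for this edit; it is not Cisco's code and not how the FireSIGHT console is implemented. It assumes that reference-style keywords (Reference, CVE) match by substring while all other keywords match exactly, and the sample rule set is constructed data: only SID 1545 with its dos category and High priority comes from the text above, and the CVE ID is an obvious placeholder.

```python
"""Model of the FireSIGHT rule-filter syntax described in this section.

Added example, not Cisco's code. Keyword names, match semantics and the
sample rules are assumptions/constructed data chosen to match the text.
"""
import re
from dataclasses import dataclass, field

# One filter term: Keyword:"argument" (the guide sometimes shows a space after the colon)
TERM = re.compile(r'(\w+):\s*"([^"]*)"')

# Assumption: reference-style keywords match by substring (entering 2007 under
# CVE ID is meant to find 2007 CVEs); every other keyword matches exactly.
SUBSTRING_KEYWORDS = {"reference", "cve"}


def parse_filter(text):
    """Parse 'Category:"os-linux,os-windows" GID:"116"' into an ordered
    {keyword: [arguments]} mapping; comma-separated arguments become a list."""
    return {
        kw: [a.strip() for a in arg.split(",") if a.strip()]
        for kw, arg in TERM.findall(text)
    }


def format_filter(filters):
    """Render the mapping back into the filter text box syntax."""
    return " ".join(f'{kw}:"{",".join(args)}"' for kw, args in filters.items())


def add_selection(filter_text, keyword, args):
    """Model clicking an item in the filter panel: the keyword is added to the
    filter or, if it is already present, its argument is replaced in place."""
    filters = parse_filter(filter_text)
    filters[keyword] = list(args)  # dict keeps insertion order, so the term's position is stable
    return format_filter(filters)


@dataclass
class Rule:
    sid: int
    gid: int
    category: str
    priority: str
    references: dict = field(default_factory=dict)  # e.g. {"cve": ["2007-XXXX"]}
    ms_vulns: list = field(default_factory=list)    # Microsoft Vulnerabilities IDs


def rule_values(rule, keyword):
    """Values of a rule that a given filter keyword is compared against."""
    k = keyword.lower()
    if k == "category":
        return [rule.category]
    if k == "priority":
        return [rule.priority]
    if k == "gid":
        return [str(rule.gid)]
    if k == "sid":
        return [str(rule.sid)]
    if k == "microsoftvulnerabilities":
        return rule.ms_vulns
    if k == "cve":
        return rule.references.get("cve", [])
    if k == "reference":  # Reference covers every reference ID type
        return [ref for refs in rule.references.values() for ref in refs]
    raise ValueError(f"unsupported filter keyword: {keyword}")


def value_matches(keyword, arg, value):
    """Case-insensitive comparison; substring for reference keywords, exact otherwise."""
    a, v = arg.lower(), value.lower()
    return a in v if keyword.lower() in SUBSTRING_KEYWORDS else a == v


def rule_matches(rule, filters):
    """AND across keywords; within one keyword, any comma-separated argument (OR)."""
    return all(
        any(value_matches(kw, a, v) for a in args for v in rule_values(rule, kw))
        for kw, args in filters.items()
    )


def apply_filter(rules, filter_text):
    """Return the SIDs of the rules the filter text retrieves."""
    filters = parse_filter(filter_text)
    return [r.sid for r in rules if rule_matches(r, filters)]


# Constructed sample rule set. SID 1545 (dos category, High priority) is the
# rule the guide mentions; the other rules and the CVE placeholder are made up.
RULES = [
    Rule(1545, 1, "dos", "high"),
    Rule(2001, 1, "os-linux", "medium", references={"cve": ["2007-XXXX"]}),
    Rule(3001, 116, "preprocessor", "low"),
    Rule(4001, 1, "os-windows", "high", ms_vulns=["MS00-006"]),
]

if __name__ == "__main__":
    f = add_selection("", "Category", ["os-linux"])
    f = add_selection(f, "MicrosoftVulnerabilities", ["MS00-006"])
    print(f)  # Category:"os-linux" MicrosoftVulnerabilities:"MS00-006"
    print(apply_filter(RULES, 'Category:"preprocessor" GID:"116"'))  # [3001]
    print(apply_filter(RULES, 'Category:"os-linux,os-windows"'))     # [2001, 4001]
```

Running the script walks through the same selections the text uses: building a filter term by term, replacing an argument for a keyword already in the filter, and showing that the rule with SID 1545 is returned both by Category:"dos" and by Priority:"high", as the last paragraph notes.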