Cisco Firepower Management Center 4000
21-12
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Filtering Rules in an Intrusion Policy
Note
The Cisco VRT may use the rule update mechanism to add and remove rule filters.
Note that the rules on the Rules page may be either shared object rules (generator ID 3) or standard text
rules (generator ID 1). The following table describes the different rule filters.
Table 21-4 Rule Filter Groups

Columns: Filter Group | Description | Multiple Argument Support? | Heading is... | Items in List are...

Filter Group: Rule Configuration
Description: Finds rules according to the configuration of the rule. See .
Multiple Argument Support?: No
Heading is...: A grouping
Items in List are...: keywords

Filter Group: Rule Content
Description: Finds rules according to the content of the rule. See .
Multiple Argument Support?: No
Heading is...: A grouping
Items in List are...: keywords

Filter Group: Category
Description: Finds rules according to the rule categories used by the rule editor. Note that local rules appear in the local sub-group. See .
Multiple Argument Support?: Yes
Heading is...: A keyword
Items in List are...: arguments

Filter Group: Classifications
Description: Finds rules according to the attack classification that appears in the packet display of an event generated by the rule. See .
Multiple Argument Support?: No
Heading is...: A keyword
Items in List are...: arguments

Filter Group: Microsoft Vulnerabilities
Description: Finds rules according to Microsoft bulletin number.
Multiple Argument Support?: Yes
Heading is...: A keyword
Items in List are...: arguments

Filter Group: Microsoft Worms
Description: Finds rules based on specific worms that affect Microsoft Windows hosts.
Multiple Argument Support?: Yes
Heading is...: A keyword
Items in List are...: arguments

Filter Group: Platform Specific
Description: Finds rules according to their relevance to specific versions of operating systems. Note that a rule may affect more than one operating system or more than one version of an operating system. For example, enabling SID 2260 affects multiple versions of Mac OS X, IBM AIX, and other operating systems.
Multiple Argument Support?: Yes
Heading is...: A keyword
Items in List are...: arguments. Note that if you pick one of the items from the sub-list, it adds a modifier to the argument.

Filter Group: Preprocessors
Description: Finds rules for individual preprocessors. Note that you must enable preprocessor rules associated with a preprocessor option to generate events for the option when the preprocessor is enabled. See  for more information.
Multiple Argument Support?: Yes
Heading is...: A grouping
Items in List are...: sub-groupings