Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 21: Managing Rules in an Intrusion Policy
Filtering Rules in an Intrusion Policy
For more information on the rule content you can use to filter, see the following table.
Table 21-5: Rule Content Filters

| To use this filter, click... | Then... | Result |
|---|---|---|
| Message | Type the message string to filter by, and click OK. | Finds rules that contain the supplied string in the message field. |
| SID | Type the SID number to filter by, and click OK. | Finds rules that have the specified SID. |
| GID | Type the GID number to filter by, and click OK. | Finds rules that have the specified GID. |
| Reference | Type the reference string to filter by, and click OK. | Finds rules that contain the supplied string in the reference field. |
| Action | Select the action to filter by: to find alert rules, select Alert, and click OK; to find pass rules, select Pass, and click OK. | Finds rules that start with alert or pass. |
| Protocol | Select the protocol to filter by. | Finds rules that include the selected protocol. |
| Direction | Select a directional setting to filter by: to find rules that inspect traffic moving in a specific direction, select Directional, and click OK; to find rules that inspect traffic moving in either direction between a source and destination, select Bidirectional, and click OK. | Finds rules based on whether the rule includes the indicated directional setting. |
| Source IP | Type the source IP address to filter by. Note that you can filter by a valid IP address, a CIDR block/prefix length, or using variables such as $HOME_NET or $EXTERNAL_NET. | Finds rules that use the specified addresses or variables for the source IP address designation in the rule. |
| Destination IP | Type the destination IP address to filter by. Note that you can filter by a valid IP address, a CIDR block/prefix length, or using variables such as $HOME_NET or $EXTERNAL_NET. | Finds rules that use the specified addresses or variables for the destination IP address designation in the rule. |
| Source port | Type the source port to filter by. The port value must be an integer between 1 and 65535 or a port variable. | Finds rules that include the specified source port. |
| Destination port | Type the destination port to filter by. The port value must be an integer between 1 and 65535 or a port variable. | Finds rules that include the specified destination port. |
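
To show which part of a rule each filter in Table 21-5 examines, the following added example (not part of the guide and not Cisco's code) parses constructed intrusion rules in Snort text-rule syntax and applies the same filters offline. The function names, case-insensitive matching, AND combination of several filters, and literal comparison of IP and port text (variables are not resolved) are assumptions of this sketch.

```python
import re
# Constructed sample rules for illustration; not taken from any shipped rule set.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"WEB test probe"; reference:url,example.com/a; sid:1000001; rev:1;)',
    'pass udp $HOME_NET 53 <> 10.0.0.0/8 any (msg:"DNS allow"; gid:1; sid:1000002;)',
    'alert tcp 192.0.2.10 any -> $HOME_NET $HTTP_PORTS '
    '(msg:"HTTP test"; reference:cve,0000-0000; sid:1000003;)',
]
HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<protocol>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+'
    r'(?P<arrow>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s+\((?P<opts>.*)\)\s*$')

def parse_rule(text):
    """Split a rule into the header fields and options that the table's filters name."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    rule = m.groupdict()
    opts = rule.pop("opts")
    def opt(name):  # all values of one option, e.g. every reference:...;
        return [v.strip().strip('"') for v in re.findall(r'\b%s:([^;]*);' % name, opts)]
    rule["direction"] = "Bidirectional" if rule.pop("arrow") == "<>" else "Directional"
    rule["message"] = (opt("msg") or [""])[0]
    rule["reference"] = opt("reference")
    rule["sid"] = int(opt("sid")[0])
    rule["gid"] = int((opt("gid") or ["1"])[0])  # text rules default to GID 1
    return rule

def check_port(value):
    """Port filter input must be an integer 1-65535 or a port variable."""
    value = str(value)
    if not value.startswith("$") and not (value.isdigit() and 1 <= int(value) <= 65535):
        raise ValueError("port must be 1-65535 or a port variable")
    return value

def matches(rule, key, want):
    if key in ("src_port", "dst_port"):
        return rule[key] == check_port(want)
    if key == "message":  # substring match; case-insensitivity is an assumption
        return want.lower() in rule["message"].lower()
    if key == "reference":
        return any(want.lower() in ref.lower() for ref in rule["reference"])
    return str(rule[key]).lower() == str(want).lower()

def filter_rules(rules, **filters):
    """Return SIDs of rules matching every filter (AND combination is an assumption)."""
    parsed = map(parse_rule, rules)
    return [r["sid"] for r in parsed if all(matches(r, k, w) for k, w in filters.items())]
```

Note that a GID filter of 1 also returns rules with no explicit gid option, and that a destination port filter of 80 does not return the rule written with $HTTP_PORTS, because this sketch compares the rule text rather than resolved variable values.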