Cisco Firepower Management Center 4000 Manual

32-3
FireSIGHT System User Guide

Chapter 32  Understanding and Writing Intrusion Rules
Understanding Rule Headers
The following table describes each part of the rule header shown above.
Note: The previous example uses default variables, as do most intrusion rules. See  for more information about variables, what they mean, and how to configure them.
See the following sections for more information about rule header parameters:
•  describes rule types and explains how to specify the action that occurs when the rule triggers.
•  explains how to define the traffic protocol for traffic that the rule should test.
•  explains how to define the individual IP addresses and IP address blocks in the rule header.
•  explains how to define the individual ports and port ranges in the rule header.
•  describes the available operators and explains how to specify the direction traffic must be traveling to be tested by the rule.
Table 32-1  Rule Header Values

Rule Header Component    Example Value    This Value...
Action                   alert            Generates an intrusion event when triggered.
Protocol                 tcp              Tests TCP traffic only.
Source IP Address        $EXTERNAL_NET    Tests traffic coming from any host that is not on your internal network.
Source Ports             any              Tests traffic coming from any port on the originating host.
Operator                 ->               Tests external traffic (destined for the web servers on your network).
Destination IP Address   $HTTP_SERVERS    Tests traffic to be delivered to any host specified as a web server on your internal network.
Destination Ports        $HTTP_PORTS      Tests traffic delivered to an HTTP port on your internal network.
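The components in Table 32-1 assemble into the header "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS". The following Python is an added illustration, not Cisco or Snort code, of how such a header is split into its seven fields and evaluated against a flow; the values given to $HOME_NET, $EXTERNAL_NET, $HTTP_SERVERS and $HTTP_PORTS are assumptions for the example, since the page does not list the defaults.

```python
import ipaddress

# Constructed variable values for this example; the page says the rule uses
# default variables but does not list them, so these values are assumptions.
VARS = {"HOME_NET": "[10.0.0.0/8,192.168.0.0/16]", "EXTERNAL_NET": "!$HOME_NET",
        "HTTP_SERVERS": "$HOME_NET", "HTTP_PORTS": "[80,8080]"}
# The header assembled from the components listed in Table 32-1.
RULE_HEADER = "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS"
FIELDS = ("action", "protocol", "src", "sport", "op", "dst", "dport")

def parse_header(header):
    """Split a header into its seven fields; reject anything that is not
    'action protocol src sport op dst dport' with op '->' or '<>'."""
    parts = header.split()
    if len(parts) != 7 or parts[4] not in ("->", "<>"):
        raise ValueError("malformed rule header: %r" % header)
    return dict(zip(FIELDS, parts))

def spec_matches(spec, value):
    """True if value (an ip_address object, or an int port) satisfies spec.
    Handles any, ! negation, $VAR, flat [a,b] lists, CIDR blocks, lo:hi ranges."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not spec_matches(spec[1:], value)
    if spec.startswith("$"):
        return spec_matches(VARS[spec[1:]], value)
    if spec.startswith("["):  # nested bracket lists are not handled here
        return any(spec_matches(s, value) for s in spec[1:-1].split(","))
    if isinstance(value, int):  # port or port range such as 80, :1024, 1024:
        lo, sep, hi = spec.partition(":")
        lo = int(lo) if lo else 0
        hi = int(hi) if hi else (65535 if sep else lo)
        return lo <= value <= hi
    return value in ipaddress.ip_network(spec, strict=False)

def header_matches(header, proto, src_ip, sport, dst_ip, dport):
    """Would this flow be tested by the header? '<>' also tests the reverse direction."""
    h = parse_header(header)
    if h["protocol"] not in ("ip", proto):
        return False
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    def one_way(a, ap, b, bp):
        return (spec_matches(h["src"], a) and spec_matches(h["sport"], ap)
                and spec_matches(h["dst"], b) and spec_matches(h["dport"], bp))
    return one_way(src, sport, dst, dport) or (
        h["op"] == "<>" and one_way(dst, dport, src, sport))
```

With the assumed variables, a TCP flow from 203.0.113.5 to 10.1.2.3 port 80 is tested by the header, while the reply direction, UDP traffic, internal-to-internal traffic, or port 443 is not.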