Cisco Firepower Management Center 4000
FireSIGHT System User Guide
 
Chapter 32      Understanding and Writing Intrusion Rules 
  Understanding Rule Headers
Specifying Rule Actions
License: Protection
Each rule header includes a parameter that specifies the action the system takes when a packet triggers 
a rule. Rules with the action set to alert generate an intrusion event against the packet that triggered the 
rule and log the details of that packet. Rules with the action set to pass do not generate an event against, 
or log the details of, the packet that triggered the rule.
Note: In an inline deployment, rules with the rule state set to Drop and Generate Events generate an intrusion event against the packet that triggered the rule. Also, if you apply a drop rule in a passive deployment, the rule acts as an alert rule. For more information on drop rules, see .
By default, pass rules override alert rules. You can create pass rules to prevent packets that meet criteria 
defined in the pass rule from triggering the alert rule in specific situations, rather than disabling the alert 
rule. For example, you might want a rule that looks for attempts to log into an FTP server as the user 
“anonymous” to remain active. However, if your network has one or more legitimate anonymous FTP 
servers, you could write and activate a pass rule that specifies that, for those specific servers, anonymous 
users do not trigger the original rule. 
Within the rule editor, you select the rule type from the Action list. For more information about the procedures you use to build a rule header using the rule editor, see .
Specifying Protocols
License: Protection
In each rule header, you must specify the protocol of the traffic the rule inspects. You can specify the 
following network protocols for analysis:
  • ICMP (Internet Control Message Protocol)
  • IP (Internet Protocol)
Note: The system ignores port definitions in an intrusion rule header when the protocol is set to ip. For more information, see .
  • TCP (Transmission Control Protocol)
  • UDP (User Datagram Protocol)
Note: You cannot currently write rules that match patterns in the next header (for example, the TCP header) in an IP payload. Instead, content matches begin with the last decoded protocol, so in a tcp rule a content match starts at the TCP payload, not the TCP header. As a workaround, you can match TCP header fields by using rule options such as flags, seq, ack, and window.
Within the rule editor, you select the protocol type from the Protocol list. See  for more information about the procedures you use to build a rule header using the rule editor.
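The two header behaviours described in the sections above (pass rules overriding alert rules, and port definitions being ignored when the protocol is ip) as an added Python model. This is example code written for this page, not part of the FireSIGHT product or of this guide. It parses the Snort-style rule syntax that FireSIGHT intrusion rules use and evaluates constructed packets against constructed rules; the addresses are RFC 5737 documentation ranges, the SIDs are placeholders, and only the content, nocase, msg and sid options are modelled.

```python
import ipaddress
import re
from collections import namedtuple

# A decoded packet: transport protocol carried in IP, endpoints, ports (None for ICMP), payload.
Packet = namedtuple("Packet", "proto src dst sport dport payload", defaults=(None, None, b""))
# A parsed rule: the header fields in rule order plus a flat dict of options.
Rule = namedtuple("Rule", "action proto src sport dst dport options")

HEADER_RE = re.compile(r"^\s*(alert|pass|drop)\s+(ip|icmp|tcp|udp)\s+(\S+)\s+(\S+)"
                       r"\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

def parse_rule(text):
    """Split one rule into header fields plus options (content, nocase, msg, sid modelled)."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a rule: " + text)
    *header, body = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"') if value else True
    return Rule(*header, options)

def addr_matches(spec, addr):
    """'any', a host, a CIDR block, a [list,of,those] or a !negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], addr)
    if spec.startswith("["):
        return any(addr_matches(s, addr) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """'any', one port, a lo:hi range (either end may be open) or a !negation."""
    if spec == "any":
        return True
    if port is None:
        return False
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    lo, sep, hi = spec.partition(":")
    return (int(lo or 0) <= port <= int(hi or 65535)) if sep else port == int(spec)

def header_matches(rule, pkt):
    # An ip rule covers every IP packet; any other protocol must match exactly.
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.proto == "ip":  # port definitions are ignored when the protocol is ip
        return True
    return port_matches(rule.sport, pkt.sport) and port_matches(rule.dport, pkt.dport)

def options_match(rule, pkt):
    """Only content/nocase are modelled: the pattern is searched in the packet payload."""
    pattern = rule.options.get("content")
    if pattern is None:
        return True
    needle, hay = pattern.encode(), pkt.payload
    if "nocase" in rule.options:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

ACTION_PRECEDENCE = ("pass", "drop", "alert")  # default rule order: pass overrides the rest

def evaluate(rules, pkt, inline=True):
    """Return (verdict, [sids of the rules that produced it]) for one packet."""
    matched = [r for r in rules if header_matches(r, pkt) and options_match(r, pkt)]
    for action in ACTION_PRECEDENCE:
        hits = [r for r in matched if r.action == action]
        if hits:
            # A drop rule applied in a passive deployment can only alert.
            verdict = "alert" if action == "drop" and not inline else action
            return verdict, [r.options.get("sid") for r in hits]
    return "none", []

# Constructed rules: addresses are RFC 5737 documentation ranges, SIDs are placeholders.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.0.2.0/24 21 (msg:"FTP anonymous login attempt"; content:"USER anonymous"; nocase; sid:1000001;)',
    'pass tcp any any -> 192.0.2.10 21 (msg:"sanctioned anonymous FTP server"; content:"USER anonymous"; nocase; sid:1000002;)',
    'drop tcp any any -> 192.0.2.0/24 23 (msg:"telnet to server segment"; sid:1000003;)',
    'alert ip any any -> 198.51.100.0/24 80 (msg:"ip rule, port 80 is ignored"; sid:1000004;)',
)]

def demo():
    """Constructed packets exercising each behaviour described in the text."""
    anon = b"USER anonymous\r\n"
    return {
        "unsanctioned_ftp": evaluate(RULES, Packet("tcp", "203.0.113.5", "192.0.2.20", 40000, 21, anon)),
        "sanctioned_ftp": evaluate(RULES, Packet("tcp", "203.0.113.5", "192.0.2.10", 40001, 21, anon)),
        "telnet_inline": evaluate(RULES, Packet("tcp", "203.0.113.5", "192.0.2.20", 40002, 23)),
        "telnet_passive": evaluate(RULES, Packet("tcp", "203.0.113.5", "192.0.2.20", 40002, 23), inline=False),
        "ip_rule_udp_443": evaluate(RULES, Packet("udp", "203.0.113.5", "198.51.100.7", 5000, 443)),
    }

if __name__ == "__main__":
    for name, (verdict, sids) in demo().items():
        print(f"{name:18} {verdict:6} {sids}")
```

Running it shows the anonymous login to 192.0.2.20 alerting on the first rule, the same login to the sanctioned server 192.0.2.10 matching both rules but ending as pass, the telnet rule dropping inline and only alerting when inline is False, and the ip rule matching a UDP packet to port 443 even though its header names port 80. The model deliberately omits variables such as $HOME_NET, the bidirectional operator and every other rule option; the point is the ordering and protocol logic, not a reimplementation of the engine.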