FireSIGHT System User Guide
Chapter 32: Understanding and Writing Intrusion Rules
Understanding Rule Headers

Specifying IP Addresses In Intrusion Rules

License: Protection
Restricting packet inspection to the packets originating from specific IP addresses or destined to a specific IP address reduces the amount of packet inspection the system must perform. This also reduces false positives by making the rule more specific and removing the possibility of the rule triggering against packets whose source and destination IP addresses do not indicate suspicious behavior.

Tip: The system recognizes only IP addresses and does not accept host names for source or destination IP addresses.

Within the rule editor, you specify source and destination IP addresses in the Source IPs and Destination IPs fields. See for more information about the procedures you use to build a rule header using the rule editor.

When writing standard text rules, you can specify IPv4 and IPv6 addresses in a variety of ways, depending on your needs. You can specify a single IP address, any, IP address lists, CIDR notation, prefix lengths, a network variable, or a network object or network object group. Additionally, you can indicate that you want to exclude a specific IP address or set of IP addresses. When specifying IPv6 addresses, you can use any addressing convention defined in RFC 4291.
The following table summarizes the various ways you can specify source and destination IP addresses.

Table 32-2 Source/Destination IP Address Syntax

| To Specify... | Use... | Example |
|---|---|---|
| any IP address | any | any |
| a specific IP address | the IP address (note that you would not mix IPv4 and IPv6 source and destination addresses in the same rule) | 192.168.1.1 or 2001:db8::abcd |
| a list of IP addresses | brackets ([]) to enclose the IP addresses and commas to separate them | [192.168.1.1,192.168.1.15] or [2001:db8::b3ff, 2001:db8::0202] |
| a block of IP addresses | IPv4 CIDR block or IPv6 address prefix notation | 192.168.1.0/24 or 2001:db8::/32 |
| anything except a specific IP address or set of addresses | the ! character before the IP address or addresses you want to negate | !192.168.1.15 or !2001:db8::0202:b3ff:fe1e |
| anything in a block of IP addresses except one or more specific IP addresses | a block of addresses followed by a list of negated addresses or blocks | [10.0.0/8, !10.2.3.4, !10.1.0.0/16] or [2001:db8::/32, !2001:db8::8329, !2001:db8::0202] |
| IP addresses defined by a network variable | the variable name, in uppercase letters, preceded by $ (note that preprocessor rules can trigger events regardless of the hosts defined by network variables used in intrusion rules; see for more information) | $HOME_NET |
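The following Python is an added example, written for this page; it is not Cisco's code and not how the FireSIGHT rule engine evaluates headers. It resolves the address syntax from Table 32-2 (any, a single address, a bracketed list, CIDR/prefix blocks, ! negation and $VARIABLE references) and decides whether a given packet address is selected, which is useful for checking what a Source IPs or Destination IPs field will actually match before a rule goes into a policy. The NETWORK_VARIABLES table and all sample addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for the network variables a policy would define
# (assumption: a real deployment takes these from its variable set, not a dict).
NETWORK_VARIABLES: Dict[str, str] = {
    "HOME_NET": "[192.168.1.0/24, 2001:db8::/32]",
    "EXTERNAL_NET": "!$HOME_NET",
}


def _split_top_level(text: str) -> List[str]:
    """Split a comma-separated list, leaving commas inside nested [...] alone."""
    parts, current, depth = [], [], 0
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def parse_ip_spec(spec: str, variables: Dict[str, str] = NETWORK_VARIABLES,
                  negated: bool = False) -> List[Tuple[bool, object]]:
    """Expand an IP field into (negated, ip_network) entries.

    Covers the forms in Table 32-2. Host names are rejected, as the Tip says,
    because ipaddress.ip_network() raises ValueError on anything that is not
    an address or a prefix.
    """
    spec = spec.strip()
    if spec.startswith("!"):
        # Negation toggles, so "!$EXTERNAL_NET" with EXTERNAL_NET = "!$HOME_NET"
        # resolves back to HOME_NET.
        return parse_ip_spec(spec[1:], variables, not negated)
    if spec.startswith("$"):
        name = spec[1:]
        if name not in variables:
            raise ValueError(f"undefined network variable {spec}")
        return parse_ip_spec(variables[name], variables, negated)
    if spec.startswith("[") and spec.endswith("]"):
        entries: List[Tuple[bool, object]] = []
        for part in _split_top_level(spec[1:-1]):
            entries.extend(parse_ip_spec(part, variables, negated))
        return entries
    if spec.lower() == "any":
        return [(negated, ipaddress.ip_network("0.0.0.0/0")),
                (negated, ipaddress.ip_network("::/0"))]
    # A bare address becomes a /32 or /128; strict=False tolerates host bits in a block.
    return [(negated, ipaddress.ip_network(spec, strict=False))]


def ip_matches(address: str, spec: str,
               variables: Dict[str, str] = NETWORK_VARIABLES) -> bool:
    """True if the address is selected by the spec.

    A negated entry always excludes; otherwise the address must fall inside at
    least one positive entry. A spec with only negated entries (for example
    "!192.168.1.15") is read as "any address except those".
    """
    ip = ipaddress.ip_address(address)
    entries = parse_ip_spec(spec, variables)
    negatives = [net for neg, net in entries if neg]
    positives = [net for neg, net in entries if not neg]
    if any(ip.version == net.version and ip in net for net in negatives):
        return False
    if not positives:
        return True
    return any(ip.version == net.version and ip in net for net in positives)


if __name__ == "__main__":
    # Constructed sample packet addresses checked against specs shaped like the table's.
    block = "[10.0.0.0/8, !10.2.3.4, !10.1.0.0/16]"
    for src in ("10.9.9.9", "10.2.3.4", "10.1.5.5"):
        print(f"{src} matches {block} -> {ip_matches(src, block)}")
    print("8.8.8.8 matches $EXTERNAL_NET ->", ip_matches("8.8.8.8", "$EXTERNAL_NET"))
```

One caveat: the table's IPv4 block example is written as 10.0.0/8, and Python's ipaddress module requires all four octets, so the sample above uses 10.0.0.0/8. The version check on each entry also keeps an IPv4 packet from ever matching an IPv6 entry, which is why a rule should not mix the two families in one header.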