Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Rule Headers
Note
You must surround negated lists with brackets. See
for more information.
You can also use IPv4 Classless Inter-Domain Routing (CIDR) notation or IPv6 prefix lengths to specify
address blocks. For example:
• 192.168.1.0/24 specifies the IPv4 addresses in the 192.168.1.0 network with a subnet mask of
255.255.255.0, that is, 192.168.1.0 through 192.168.1.255. For more information, see
.
• 2001:db8::/32 specifies the IPv6 addresses in the 2001:db8:: network with a prefix length of 32 bits,
that is, 2001:db8:: through 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff.
Tip
If you need to specify a block of IP addresses but cannot express it using CIDR or prefix length notation
alone, you can use CIDR blocks and prefix lengths in an IP address list.
Specifying Network Objects
License: Protection
You can specify a network object or network object group using the syntax:
${object_name | group_name}
where:
• object_name is the name of a network object
• group_name is the name of a network object group
See
for information on creating network objects and network
object groups.
Consider the case where you have created a network object named 192.168sub16 and a network object
group named all_subnets. You could specify the following to identify IP addresses using the network
object:
${192.168sub16}
and you could specify the following to use the network object group:
${all_subnets}
You can also use negation with network objects and network object groups. For example:
!${192.168sub16}
See
for more information.
Excluding IP Addresses in Intrusion Rules
License: Protection
You can use an exclamation point (!) to negate a specified IP address. That is, you can match any IP
address with the exception of the specified IP address or addresses. For example, !192.168.1.1 specifies
any IP address other than 192.168.1.1, and !2001:db8:ca2e::fa4c specifies any IP address other than
2001:db8:ca2e::fa4c.
To negate a list of IP addresses, place ! before a bracketed list of IP addresses. For example,
![192.168.1.1,192.168.1.5] would define any IP address other than 192.168.1.1 or 192.168.1.5.
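The address forms described in this section (CIDR blocks, prefix lengths, bracketed lists, negation, and ${...} network objects) can be modeled in a few lines to check which addresses a rule header selects before the rule is deployed. This is an added example, not Cisco's code or the FireSIGHT parser; the matches function, the NETWORK_OBJECTS table, and the address values assigned to the two object names are assumptions made for illustration.

```python
import ipaddress

# Constructed network objects: the names are the guide's examples,
# the address values behind them are assumptions.
NETWORK_OBJECTS = {
    "192.168sub16": "192.168.0.0/16",
    "all_subnets": "[192.168.0.0/16,2001:db8::/32]",
}

def matches(spec, addr, objects=NETWORK_OBJECTS):
    """Return True if addr is selected by the address specification."""
    spec = spec.strip()
    # A leading ! negates whatever follows: address, block, list or object.
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    # Resolve ${object_name} or ${group_name} to its stored definition.
    if spec.startswith("${") and spec.endswith("}"):
        spec = objects[spec[2:-1]]
    if spec.startswith("[") and spec.endswith("]"):
        items = [s.strip() for s in spec[1:-1].split(",")]
    elif "," in spec:
        # The guide requires brackets around negated lists; this sketch
        # requires them around every list (an assumption).
        raise ValueError("IP address lists must be enclosed in brackets")
    else:
        items = [spec]
    ip = ipaddress.ip_address(addr)
    # A bare address parses as a single-host block (/32 or /128);
    # strict=False also accepts a block written with host bits set.
    nets = [ipaddress.ip_network(i, strict=False) for i in items]
    hit = any(ip.version == n.version and ip in n for n in nets)
    return hit != negated

if __name__ == "__main__":
    for spec in ("192.168.1.0/24", "![192.168.1.1,192.168.1.5]",
                 "!${192.168sub16}", "${all_subnets}"):
        print(spec, "->", matches(spec, "192.168.1.5"))
```
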