Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 32: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
• describes how to point to the beginning of the HTTP response entity body, SMTP payload, or encoded email attachment.
• describes how to point to the beginning of the packet payload.
• describes how you can use the base64_decode and base64_data keywords to decode and inspect Base64 data, especially in HTTP requests.
Defining Intrusion Event Details
License: Protection
As you construct a standard text rule, you can include contextual information that describes the vulnerability that the rule detects attempts to exploit. You can also include external references to vulnerability databases and define the priority that the event holds in your organization. When analysts see the event, they then have information about the priority, exploit, and known mitigation readily available.
See the following sections for more information about event-related keywords:
Defining the Event Message
License: Protection
You can specify meaningful text that appears as a message when the rule triggers. The message gives immediate insight into the nature of the vulnerability that the rule detects attempts to exploit. You can use any printable standard ASCII characters except curly braces ({}). The system strips quotes that completely surround the message.
Tip
You must specify a rule message. Also, the message cannot consist of white space only, one or more quotation marks only, one or more apostrophes only, or any combination of just white space, quotation marks, or apostrophes.
To define the event message in the rule editor, enter the event message in the Message field. See for more information about using the rule editor to build rules.
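As an added illustration that is not part of the guide, the following Python helper applies the Message field constraints described above the way a pre-import linter might: it strips quotes that completely surround the message, rejects curly braces and any non-printable or non-ASCII character, and rejects a message made up only of white space, quotation marks, or apostrophes. The function names are invented for this example, and treating "surrounding quotes" as one leading and one trailing double quote is an assumption.

```python
# Added example (not from the FireSIGHT guide): a pre-import check for the
# constraints this section places on an intrusion event message.

# Printable standard ASCII (0x20-0x7E) with the forbidden curly braces removed.
_ALLOWED = {chr(c) for c in range(0x20, 0x7F)} - {"{", "}"}
# A message made up of only these characters is rejected (tabs and newlines
# are already rejected as non-printable by the check above).
_FILLER = {" ", '"', "'"}


def normalize_event_message(message: str) -> str:
    """Return the message as the system would keep it, or raise ValueError.

    Applies the documented Message field rules: surrounding quotes are
    stripped, only printable standard ASCII without curly braces is allowed,
    and the result may not consist solely of white space, quotation marks,
    apostrophes, or any mix of them.
    """
    text = message
    # Assumption for this example: "quotes that completely surround the
    # message" means one leading and one trailing double quote.
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        text = text[1:-1]
    bad = sorted({ch for ch in text if ch not in _ALLOWED})
    if bad:
        raise ValueError(f"disallowed character(s) in message: {bad!r}")
    if not text or set(text) <= _FILLER:
        raise ValueError("message needs text other than white space, quotes, or apostrophes")
    return text


def is_valid_event_message(message: str) -> bool:
    """True if normalize_event_message() accepts the message."""
    try:
        normalize_event_message(message)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample messages, not taken from any shipped rule set.
    samples = [
        '"WEB-ATTACKS example probe"',  # surrounding quotes stripped, accepted
        "SQL injection attempt",        # accepted as-is
        '"   "',                        # only white space once quotes are stripped
        "' \"'",                        # only quotes, apostrophes and spaces
        "bad {braces}",                 # curly braces are forbidden
        "caf\u00e9 attack",             # non-ASCII character
    ]
    for sample in samples:
        try:
            print(f"{sample!r:32} -> accepted as {normalize_event_message(sample)!r}")
        except ValueError as err:
            print(f"{sample!r:32} -> rejected: {err}")
```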
Defining the Event Priority
License: Protection
By default, the priority of a rule derives from the event classification for the rule. However, you can override the classification priority for a rule by adding the priority keyword to the rule.
To specify a priority using the rule editor, select priority from the Detection Options list, and select high, medium, or low from the drop-down list. For example, to assign a high priority for a rule that detects web application attacks, add the priority keyword to the rule and select high as the priority. See for more information about using the rule editor to build rules.