Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 32      Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
A packet’s time-to-live (ttl) value indicates how many hops it can make before it is dropped. You can use the ttl keyword to test the packet’s IP header ttl value against the value, or range of values, you specify as the keyword’s argument. It may be helpful to set the ttl keyword parameter to a low value such as 0 or 1, as low time-to-live values are sometimes indicative of a traceroute or intrusion evasion attempt. (Note, though, that the appropriate value for this keyword depends on your managed device placement and network topology.) Use syntax as follows:
  • Use an integer from 0 to 255 to set a specific value for the TTL value. You can also precede the value with an equal (=) sign (for example, you can specify 5 or =5).
  • Use a hyphen (-) to specify a range of TTL values (for example, 0-2 specifies all values 0 through 2, -5 specifies all values 0 through 5, and 5- specifies all values 5 through 255).
  • Use the greater than (>) sign to specify TTL values greater than a specific value (for example, >3 specifies all values greater than 3).
  • Use the greater than and equal to signs (>=) to specify TTL values greater than or equal to a specific value (for example, >=3 specifies all values greater than or equal to 3).
  • Use the less than (<) sign to specify TTL values less than a specific value (for example, <3 specifies all values less than 3).
  • Use the less than and equal to signs (<=) to specify TTL values less than or equal to a specific value (for example, <=3 specifies all values less than or equal to 3).
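The following is an added example, not code from the FireSIGHT guide or from Cisco: it evaluates every ttl argument form listed above (N, =N, N-M, -M, N-, >N, >=N, <N, <=N) against packet TTLs, so you can confirm what a given argument actually selects before putting it in a rule. The packet sample is constructed for the example; the 0..255 bound reflects the 8-bit size of the IP TTL field.

```python
import re
from typing import List, Tuple

# TTL is an 8-bit IP header field, so open-ended forms are bounded by 0..255.
TTL_MIN, TTL_MAX = 0, 255
_RANGE = re.compile(r"^(\d*)-(\d*)$")          # N-M, -M, N-
_CMP = re.compile(r"^(>=|<=|>|<|=)?(\d+)$")    # N, =N, >N, >=N, <N, <=N


def ttl_bounds(arg: str) -> Tuple[int, int]:
    """Translate a ttl keyword argument into an inclusive (low, high) pair."""
    arg = arg.strip()
    m = _RANGE.match(arg)
    if m:
        if not (m.group(1) or m.group(2)):
            raise ValueError("a range needs at least one endpoint")
        low = int(m.group(1)) if m.group(1) else TTL_MIN
        high = int(m.group(2)) if m.group(2) else TTL_MAX
    else:
        m = _CMP.match(arg)
        if not m:
            raise ValueError(f"malformed ttl argument: {arg!r}")
        op, n = m.group(1) or "=", int(m.group(2))
        low, high = {
            "=": (n, n),
            ">": (n + 1, TTL_MAX),
            ">=": (n, TTL_MAX),
            "<": (TTL_MIN, n - 1),
            "<=": (TTL_MIN, n),
        }[op]
    # Reject arguments that can never match an 8-bit TTL (e.g. <0, >255, =300).
    if low < TTL_MIN or high > TTL_MAX or low > high:
        raise ValueError(f"ttl argument selects no valid TTL: {arg!r}")
    return low, high


def ttl_matches(arg: str, packet_ttl: int) -> bool:
    """True if a packet whose IP header TTL is packet_ttl satisfies the argument."""
    low, high = ttl_bounds(arg)
    return low <= packet_ttl <= high


# Constructed sample: (source address, TTL) pairs as a sensor might observe them.
SAMPLE_PACKETS: List[Tuple[str, int]] = [
    ("198.51.100.7", 1),    # hop-limited probe, typical of traceroute
    ("198.51.100.8", 2),
    ("203.0.113.9", 64),    # common Linux default TTL
    ("203.0.113.10", 128),  # common Windows default TTL
]


def select_by_ttl(arg: str, packets=SAMPLE_PACKETS) -> List[str]:
    """Return sources of packets matching a ttl argument such as '<=1' or '0-2'."""
    return [src for src, t in packets if ttl_matches(arg, t)]
```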
Inspecting ICMP Header Values
License: Protection
The FireSIGHT System supports keywords that you can use to identify attacks and security policy violations in the headers of ICMP packets. Note, however, that predefined rules exist that detect most ICMP types and codes. Consider enabling an existing rule or creating a local rule based on an existing rule; you may be able to find a rule that meets your needs more quickly than if you build an ICMP rule from scratch.
See the following sections for more information about ICMP-specific keywords:
Identifying Static ICMP ID and Sequence Values
License: Protection
The ICMP identification and sequence numbers help associate ICMP replies with ICMP requests. In normal traffic, these values are dynamically assigned to packets. Some covert channel and Distributed Denial of Service (DDoS) programs use static ICMP ID and sequence values. The following keywords allow you to identify ICMP packets with static values.
icmp_id
The icmp_id keyword inspects an ICMP echo request or reply packet's ICMP ID number. Use a numeric value that corresponds with the ICMP ID number as the argument for the icmp_id keyword.