FireSIGHT System User Guide, page 32-47
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
When using the flags keyword, you can use an operator to indicate how the system performs matches against multiple flags. The following table describes these operators.
Applying Rules to a TCP or UDP Client or Server Flow

License: Protection
You can use the flow keyword to select packets for inspection by a rule based on session characteristics. The flow keyword allows you to specify the direction of the traffic flow to which a rule applies, applying rules to either the client flow or server flow. To specify how the flow keyword inspects your packets, you can set the direction of traffic you want analyzed, the state of packets inspected, and whether the packets are part of a rebuilt stream.
Stateful inspection of packets occurs when rules are processed. If you want a TCP rule to ignore stateless traffic (traffic without an established session context), you must add the flow keyword to the rule and select the Established argument for the keyword. If you want a UDP rule to ignore stateless traffic, you must add the flow keyword to the rule and select either the Established argument or a directional argument, or both. This causes the TCP or UDP rule to perform stateful inspection of a packet.
When you add a directional argument, the rules engine inspects only those packets that have an established state with a flow that matches the direction specified. For example, if you add the flow keyword with the Established argument and the From Client argument to a rule that triggers when a TCP or UDP connection is detected, the rules engine only inspects packets that are sent from the client.
Tip: For maximum performance, always include a flow keyword in a TCP rule or a UDP session rule.
Table 32-25 flag Arguments (continued)

Argument | TCP Flag
CWR | An ECN congestion window has been reduced. This was formerly the R1 argument, which is still supported for backward compatibility.
ECE | ECN echo. This was formerly the R2 argument, which is still supported for backward compatibility.
Table 32-26 Operators Used with flags

Operator | Description | Example
all | The packet must contain all specified flags. | Select Urg and all to specify that a packet must contain the Urgent flag and may contain any other flags.
any | The packet can contain any of the specified flags. | Select Ack, Psh, and any to specify that either or both the Ack and Psh flags must be set to trigger the rule, and that other flags may also be set on a packet.
not | The packet must not contain the specified flag set. | Select Urg and not to specify that the Urgent flag is not set on packets that trigger this rule.
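The flow filtering described above and the flags operators in Table 32-26, modelled as an added Python example (this is not code from the guide or from Cisco); the direction argument names from_client/from_server, the Packet record layout and the sample packets are assumptions of this example:

```python
from dataclasses import dataclass
# The eight TCP flag names as the flags keyword lists them (Table 32-25).
TCP_FLAGS = {"Fin", "Syn", "Rst", "Psh", "Ack", "Urg", "ECE", "CWR"}

@dataclass(frozen=True)
class Packet:
    flags: frozenset      # TCP flags set on this packet
    established: bool     # session has completed its handshake
    from_client: bool     # True when sent by the session initiator

def flags_match(operator, selected, packet_flags):
    """Apply one Table 32-26 operator to a packet's TCP flag set.
    Snort rule syntax equivalents: all -> '+', any -> '*', not -> '!'."""
    selected = frozenset(selected)
    if not selected <= TCP_FLAGS:
        raise ValueError(f"unknown flag in {sorted(selected)}")
    if operator == "all":   # every selected flag set; others may be set too
        return selected <= packet_flags
    if operator == "any":   # at least one selected flag set
        return bool(selected & packet_flags)
    if operator == "not":   # none of the selected flags set
        return not (selected & packet_flags)
    raise ValueError(f"unknown operator {operator!r}")

def flow_match(packet, established=False, direction=None):
    """Mirror the flow keyword: Established skips stateless packets, and a
    directional argument (names "from_client"/"from_server" assumed here)
    also requires an established session, as the guide describes."""
    if (established or direction is not None) and not packet.established:
        return False
    if direction == "from_client":
        return packet.from_client
    if direction == "from_server":
        return not packet.from_client
    return True

def rule_matches(packet, operator, selected, **flow_args):
    # A rule fires only when both the flow and the flags criteria hold.
    return flow_match(packet, **flow_args) and flags_match(operator, selected, packet.flags)

# Constructed sample packets (not real traffic): bare SYN, client data push, server packet with Urg.
SAMPLES = [
    Packet(frozenset({"Syn"}), established=False, from_client=True),
    Packet(frozenset({"Ack", "Psh"}), established=True, from_client=True),
    Packet(frozenset({"Ack", "Urg"}), established=True, from_client=False),
]

def matching_samples(operator, selected, **flow_args):
    """Indexes of SAMPLES the rule criteria would both inspect and match."""
    return [i for i, p in enumerate(SAMPLES) if rule_matches(p, operator, selected, **flow_args)]
```

Without any flow argument the stateless SYN is still inspected, which is the performance cost the Tip above warns about.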