FireSIGHT System User Guide, page 32-48
Chapter 32  Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
To specify flow, select the flow keyword from the Detection Options list on the Create Rule page and click Add Option. Next, select the arguments from the list provided for each field.
Table 32-27 describes the state-related arguments you can specify for the flow keyword.
Table 32-28 describes the directional options you can specify for the flow keyword.
Notice that From Server and To Client perform the same function, as do To Server and From Client. These options exist to add context and readability to the rule. For example, if you create a rule designed to detect an attack from a server to a client, use From Server. But, if you create a rule designed to detect an attack from the client to the server, use From Client.
Table 32-29 describes the stream-related arguments you can specify for the flow keyword.
To use the Established and Only Stream Traffic arguments in TCP or UDP stream preprocessing rules, TCP or UDP stream preprocessing must be enabled as needed. When the required preprocessor is disabled and you enable rules that include these arguments, you are prompted whether to enable the required TCP or UDP preprocessor when you save the policy. See the sections of this guide on using TCP stream preprocessing and on using UDP stream preprocessing for information about those preprocessors, and the section on automatically enabling preprocessors for more information on that prompt.
For example, you can use To Server, Established, Only Stream Traffic as the value for the flow keyword to detect traffic, traveling from a client to the server in an established session, that has been reassembled by the stream preprocessor.
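The following Python model is an added illustration of how the three argument categories combine, not code from the guide or from the FireSIGHT product: it parses a flow value such as the one above, treats To Server and From Client (and To Client and From Server) as synonyms, rejects contradictory combinations, and evaluates the value against a constructed packet record. The Packet class and the lower-cased internal names are assumptions made for the example.

```python
from dataclasses import dataclass

# Flow arguments as labelled in the FMC Create Rule page (Tables 32-27 to 32-29).
# Keys are lower-cased so "Only Stream traffic" and "Only Stream Traffic" both match.
DIRECTIONAL = {"to client": "to_client", "from server": "to_client",
               "to server": "to_server", "from client": "to_server"}
STATE_ARGS = {"established", "stateless"}
STREAM_ARGS = {"only stream traffic", "ignore stream traffic"}


@dataclass
class Packet:
    """Constructed stand-in for what the rules engine sees (not a real FMC type)."""
    direction: str      # "to_server" (client -> server) or "to_client"
    established: bool   # session is established according to the stream preprocessor
    rebuilt: bool       # True if this packet was reassembled by the stream preprocessor


def parse_flow(value: str) -> dict:
    """Split a flow value such as 'To Server, Established, Only Stream Traffic'
    into one argument per category and reject contradictory combinations."""
    args = [a.strip().lower() for a in value.split(",") if a.strip()]
    directions = {DIRECTIONAL[a] for a in args if a in DIRECTIONAL}
    states = [a for a in args if a in STATE_ARGS]
    streams = [a for a in args if a in STREAM_ARGS]
    unknown = [a for a in args
               if a not in DIRECTIONAL and a not in STATE_ARGS and a not in STREAM_ARGS]
    if unknown:
        raise ValueError(f"unknown flow argument(s): {unknown}")
    # Two different directions, two states, or two stream arguments cannot all hold.
    if len(directions) > 1 or len(states) > 1 or len(streams) > 1:
        raise ValueError(f"contradictory flow arguments: {value!r}")
    return {"direction": next(iter(directions), None),
            "state": states[0] if states else None,
            "stream": streams[0] if streams else None}


def flow_matches(value: str, pkt: Packet) -> bool:
    """Return True if the packet satisfies every argument of the flow value."""
    flow = parse_flow(value)
    if flow["direction"] and pkt.direction != flow["direction"]:
        return False
    if flow["state"] == "established" and not pkt.established:
        return False            # "stateless" triggers regardless of session state
    if flow["stream"] == "only stream traffic" and not pkt.rebuilt:
        return False
    if flow["stream"] == "ignore stream traffic" and pkt.rebuilt:
        return False
    return True
```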
Table 32-27  State-Related flow Arguments

  Argument      Description
  Established   Triggers on established connections.
  Stateless     Triggers regardless of the state of the stream processor.

Table 32-28  flow Directional Arguments

  Argument      Description
  To Client     Triggers on server responses.
  To Server     Triggers on client responses.
  From Client   Triggers on client responses.
  From Server   Triggers on server responses.

Table 32-29  Stream-Related flow Arguments

  Argument               Description
  Ignore Stream Traffic  Does not trigger on rebuilt stream packets.
  Only Stream Traffic    Triggers only on rebuilt stream packets.

Identifying Static TCP Sequence Numbers
License: Protection