Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
To specify a Modbus function code:
Access: Admin/Intrusion Admin
Step 1  On the Create Rule page, select modbus_func in the drop-down list and click Add Option.
The modbus_func keyword appears.
Step 2  Specify a single defined decimal value 0 to 255 for the function code, or a single defined string. See the table for values and strings recognized by the system.
modbus_unit
You can use the modbus_unit keyword to match a single decimal value against the Unit ID field in a Modbus request or response header.
To specify a Modbus unit ID:
Access: Admin/Intrusion Admin
Step 1  On the Create Rule page, select modbus_unit in the drop-down list and click Add Option.
The modbus_unit keyword appears.
Step 2  Specify a decimal value 0 through 255.
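The following added example (not from the Cisco guide and not the system's own implementation) models which bytes of a Modbus/TCP frame the modbus_func and modbus_unit options compare against. The function names parse_modbus_tcp, resolve_func and rule_matches are hypothetical, the header layout assumed is the standard 7-byte MBAP header, and the sample frame is constructed.

```python
import struct

# Function-code strings from the portion of Table 32-42 visible on this page.
FUNC_NAMES = {
    "read_write_multiple_registers": 23,
    "read_fifo_queue": 24,
    "encapsulated_interface_transport": 43,
}

def parse_modbus_tcp(frame: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP frame, or None if malformed."""
    if len(frame) < 8:  # 7-byte MBAP header + 1-byte function code
        return None
    _txn, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol ID is 0 for Modbus; Length counts the unit ID byte plus the PDU.
    if proto != 0 or length < 2 or len(frame) < 6 + length:
        return None
    return unit, frame[7]

def resolve_func(arg):
    """Accept a decimal 0-255 or a defined string, as the modbus_func option does."""
    if isinstance(arg, str) and not arg.isdigit():
        if arg not in FUNC_NAMES:
            raise ValueError(f"undefined function string: {arg}")
        return FUNC_NAMES[arg]
    value = int(arg)
    if not 0 <= value <= 255:
        raise ValueError("function code must be 0 through 255")
    return value

def rule_matches(frame, modbus_func=None, modbus_unit=None):
    """True when every option supplied matches the frame (rule options are ANDed)."""
    parsed = parse_modbus_tcp(frame)
    if parsed is None:
        return False
    unit, func = parsed
    if modbus_func is not None and func != resolve_func(modbus_func):
        return False
    if modbus_unit is not None:
        if not 0 <= modbus_unit <= 255:
            raise ValueError("unit ID must be 0 through 255")
        if unit != modbus_unit:
            return False
    return True

# Constructed sample: transaction 1, protocol 0, length 4, unit 5, function 24, FIFO pointer 0x04DE.
SAMPLE = bytes.fromhex("0001" "0000" "0004" "05" "18" "04de")
```
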
DNP3 Keywords
License: Protection
You can use DNP3 keywords to point to the beginning of application layer fragments, to match against DNP3 function codes and objects in DNP3 responses and requests, and to match against internal indication flags in DNP3 responses. You can use DNP3 keywords alone or in combination with other keywords such as content and byte_jump.
Table 32-42 Modbus Function Codes (continued)
Value   String
23      read_write_multiple_registers
24      read_fifo_queue
43      encapsulated_interface_transport