FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Initiating Active Responses by Type and Direction

License: Protection

You can use the resp keyword to actively respond to TCP connections or UDP sessions, depending on whether you specify the TCP or UDP protocol in the rule header. See for more information.

Keyword arguments allow you to specify the packet direction and whether to use TCP reset (RST) packets or ICMP unreachable packets as active responses.

You can use any of the TCP reset or ICMP unreachable arguments to close TCP connections. You should use only ICMP unreachable arguments to close UDP sessions.

Different TCP reset arguments also allow you to target active responses to the packet source, destination, or both. All ICMP unreachable arguments target the packet source and allow you to specify whether to use an ICMP network, host, or port unreachable packet, or all three.

The following table lists the arguments you can use with the resp keyword to specify exactly what you want the FireSIGHT System to do when the rule triggers. For example, to configure a rule to reset both sides of a connection when a rule is triggered, use reset_both as the value for the resp keyword.

You can use a comma-separated list to specify multiple arguments as follows:

argument,argument,argument
Table 32-51  resp Arguments

Argument      Description

reset_source  Directs a TCP reset packet to the endpoint that sent the packet that triggered the rule. Alternatively, you can specify rst_snd, which is supported for backward compatibility.

reset_dest    Directs a TCP reset packet to the intended destination endpoint of the packet that triggered the rule. Alternatively, you can specify rst_rcv, which is supported for backward compatibility.

reset_both    Directs a TCP reset packet to both the sending and receiving endpoints. Alternatively, you can specify rst_all, which is supported for backward compatibility.

icmp_net      Directs an ICMP network unreachable message to the sender.

icmp_host     Directs an ICMP host unreachable message to the sender.

icmp_port     Directs an ICMP port unreachable message to the sender. This argument is used to terminate UDP traffic.

icmp_all      Directs the following ICMP messages to the sender: network unreachable, host unreachable, and port unreachable.
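As an added example (not part of the guide or of the FireSIGHT product), the following Python checker applies the constraints described above to a Snort-style rule before it is deployed: it normalizes the backward-compatibility aliases (rst_snd, rst_rcv, rst_all) to their current names and flags resp arguments that do not fit the protocol in the rule header, such as a TCP reset on a UDP rule. The simplified rule grammar and the sample rules in the test are constructed for this example.

```python
"""Check the resp keyword of a Snort-style intrusion rule against the guide's constraints."""
import re

# Backward-compatibility aliases mapped to the current argument names.
ALIASES = {"rst_snd": "reset_source", "rst_rcv": "reset_dest", "rst_all": "reset_both"}
TCP_RESET_ARGS = {"reset_source", "reset_dest", "reset_both"}
ICMP_ARGS = {"icmp_net", "icmp_host", "icmp_port", "icmp_all"}

# Simplified (constructed) rule grammar:
#   <action> <proto> <src> <sport> <dir> <dst> <dport> ( option; option; ... )
RULE_RE = re.compile(
    r"^\s*\w+\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$"
)


def parse_resp(rule: str):
    """Return (protocol, [canonical resp arguments]); raise ValueError on malformed input."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("rule header not recognised")
    proto = m.group("proto").lower()
    opts = [o.strip() for o in m.group("opts").split(";") if o.strip()]
    # Keep only the resp option(s); each option is "keyword:value".
    resp_vals = [o.split(":", 1)[1].strip() for o in opts
                 if o.split(":", 1)[0].strip() == "resp"]
    if len(resp_vals) != 1:
        raise ValueError("expected exactly one resp option")
    # Split the comma-separated list and normalize aliases.
    args = [ALIASES.get(a.strip(), a.strip()) for a in resp_vals[0].split(",")]
    return proto, args


def check_resp(rule: str):
    """Return a list of problems; an empty list means the resp usage matches the guide."""
    proto, args = parse_resp(rule)
    problems = []
    for a in args:
        if a not in TCP_RESET_ARGS | ICMP_ARGS:
            problems.append(f"unknown resp argument: {a}")
    if proto not in ("tcp", "udp"):
        problems.append(f"resp applies to TCP or UDP rules, not {proto}")
    # The guide says UDP sessions should be closed with ICMP unreachable arguments only.
    if proto == "udp" and any(a in TCP_RESET_ARGS for a in args):
        problems.append("UDP sessions should be closed with ICMP unreachable arguments only")
    if len(args) != len(set(args)):
        problems.append("duplicate resp argument after alias normalization")
    return problems
```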