FireSIGHT System User Guide
 
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Note that you can use the detection_filter keyword in any combination with the intrusion event thresholding, intrusion event suppression, and rate-based attack prevention features in an intrusion policy. Note also that policy validation fails if you enable an imported local rule that uses the deprecated threshold keyword in combination with the intrusion event thresholding feature in an intrusion policy. See  for more information.
Evaluating Post-Attack Traffic
License: Protection
Use the tag keyword to tell the system to log additional traffic for the host or session. Use the following syntax when specifying the type and amount of traffic you want to capture using the tag keyword:
tagging_type, count, metric, optional_direction
The next three tables describe the other available arguments.
You can choose from two types of tagging. The following table describes the two types of tagging. Note that the session tag argument type causes the system to log packets from the same session as if they came from different sessions if you configure only rule header options in the intrusion rule. To group packets from the same session together, configure one or more rule options (such as a flag keyword or content keyword) within the same intrusion rule.
To indicate how much traffic you want to log, use the following argument:
Select the metric you want to use to log by time or volume of traffic from those described in the following table.
Caution: High-bandwidth networks can see thousands of packets per second, and tagging a large number of packets may seriously affect performance, so make sure you tune this setting for your network environment.
Table 32-53 Tag Arguments

Argument   Description
session    Logs packets in the session that triggered the rule.
host       Logs packets from the host that sent the packet that triggered the rule. You can add a directional modifier to log only the traffic coming from the host (src) or going to the host (dst).
Table 32-54 Count Argument

Argument   Description
count      The number of packets or seconds you want to log after the rule triggers. This unit of measure is specified with the metric argument, which follows the count argument.
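The tag syntax and the session and host caveats above, as an added Python example that is not from the guide or from Cisco: it pulls the tag option out of a Snort-style rule string, checks the argument order and values the text describes, and reports the two cautions the section raises (a session tag with no content or flag option, and a large packet count). The META_OPTIONS set and the packet_warn threshold are assumptions for the example, not values from the guide.

```python
import re

TAG_TYPES = {"session", "host"}
METRICS = {"packets", "seconds"}          # the two units the count table names
DIRECTIONS = {"src", "dst"}                # host-only modifiers
# Assumed set of options that label a rule rather than constrain what it matches.
META_OPTIONS = {"msg", "sid", "rev", "gid", "classtype", "priority", "reference", "metadata", "tag"}

def split_options(rule):
    """Return the rule body as (name, value) pairs; value is None for bare keywords.
    Simplified splitter: a ';' inside a quoted value is not handled."""
    m = re.search(r"\((.*)\)\s*$", rule.strip())
    if not m:
        raise ValueError("rule has no option section")
    pairs = []
    for part in re.split(r";\s*", m.group(1).strip().rstrip(";")):
        if part:
            name, _, value = part.partition(":")
            pairs.append((name.strip(), value.strip() or None))
    return pairs

def check_tag(rule, packet_warn=1000):
    """Validate the rule's tag option; return a list of findings (empty list means it is clean).
    packet_warn is an assumed tuning threshold for the performance caution."""
    opts = split_options(rule)
    tags = [v for n, v in opts if n == "tag"]
    if not tags:
        return ["no tag option present"]
    args = [a.strip() for a in tags[0].split(",")]
    if not 3 <= len(args) <= 4:
        return [f"tag takes 3 or 4 arguments (type, count, metric[, direction]), got {len(args)}"]
    ttype, count, metric = args[:3]
    direction = args[3] if len(args) == 4 else None
    findings = []
    if ttype not in TAG_TYPES:
        findings.append(f"unknown tagging type {ttype!r}; expected session or host")
    if not count.isdigit():
        findings.append(f"count must be a whole number, got {count!r}")
    if metric not in METRICS:
        findings.append(f"unknown metric {metric!r}; expected packets or seconds")
    if direction is not None and direction not in DIRECTIONS:
        findings.append(f"unknown direction {direction!r}; expected src or dst")
    elif direction is not None and ttype != "host":
        findings.append("direction modifier applies only to host tagging")
    if metric == "packets" and count.isdigit() and int(count) > packet_warn:
        findings.append(f"warning: tagging {count} packets may affect performance on a busy network")
    if ttype == "session" and not any(n not in META_OPTIONS for n, _ in opts):
        findings.append("warning: session tag without content/flag options logs same-session packets separately")
    return findings
```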