Cisco Cisco Firepower Management Center 4000
32-90
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
•
You can define the
setx
operator multiple times, specifying different states and the same group with
each instance.
•
When you use the
setx
operator and specify a group, you cannot use the
set
,
toggle
, or
unset
operators on that specified group.
•
The
isset
and
isnotset
operators evaluate for the specified state regardless of whether the state is
in a group.
•
During intrusion policy saves, intrusion policy reapplies, and access control policy applies
(regardless of whether the access control policy references one intrusion policy or multiple intrusion
policies), if you enable a rule that contains the
(regardless of whether the access control policy references one intrusion policy or multiple intrusion
policies), if you enable a rule that contains the
isset
or
isnotset
operator without a specified
group, and you do not enable at least one rule that affects
flowbits
assignment (
set
,
setx
,
unset
,
toggle
) for the corresponding state name and protocol, all rules that affect
flowbits
assignment for
the corresponding state name are enabled.
•
During intrusion policy saves, intrusion policy reapplies, and access control policy applies
(regardless of whether the access control policy references one intrusion policy or multiple intrusion
policies), if you enable a rule that contains the
(regardless of whether the access control policy references one intrusion policy or multiple intrusion
policies), if you enable a rule that contains the
isset
or
isnotset
operator with a specified group,
all rules that affect
flowbits
assignment (
set
,
setx
,
unset
,
toggle
) and define a corresponding
group name are also enabled.
•
Stream preprocessing must be enabled for the TCP or UDP protocol specified in rules using the
flowbits
keyword. If you enable a rule using the
flowbits
keyword in an intrusion policy where
the necessary TCP or UDP stream preprocessing is disabled, you are prompted when you try to save
your changes whether to allow the system to automatically enable the required TCP or UDP stream
preprocessing. See
your changes whether to allow the system to automatically enable the required TCP or UDP stream
preprocessing. See
for more information.
flowbits Example Using state_name
Consider the IMAP vulnerability described in Bugtraq ID #1110. This vulnerability exists in an
implementation of IMAP, specifically in the LIST, LSUB, RENAME, FIND, and COPY commands.
However, to take advantage of the vulnerability, the attacker must be logged into the IMAP server.
Because the LOGIN confirmation from the IMAP server and the exploit that follows are necessarily in
different packets, it is difficult to construct non-flow-based rules that catch this exploit. Using the
implementation of IMAP, specifically in the LIST, LSUB, RENAME, FIND, and COPY commands.
However, to take advantage of the vulnerability, the attacker must be logged into the IMAP server.
Because the LOGIN confirmation from the IMAP server and the exploit that follows are necessarily in
different packets, it is difficult to construct non-flow-based rules that catch this exploit. Using the
flowbits
keyword, you can construct a series of rules that track whether the user is logged into the
IMAP server and, if so, generate an event if one of the attacks is detected. If the user is not logged in,
the attack cannot exploit the vulnerability and no event is generated.
the attack cannot exploit the vulnerability and no event is generated.
The two rule fragments that follow illustrate this example. The first rule fragment looks for an IMAP
login confirmation from the IMAP server:
login confirmation from the IMAP server:
alert tcp any 143 -> any any (msg:"IMAP login"; content:"OK
LOGIN"; flowbits:set,logged_in; flowbits:noalert;)
The following diagram illustrates the effect of the
flowbits
keyword in the preceding rule fragment:
Note that
flowbits:set
sets a state of
logged_in
, while
flowbits:noalert
suppresses the alert because
you are likely to see many innocuous login sessions on an IMAP server.