Manualsbrain.com
  1. Manuals
  2. Brands
  3. Cisco
  4. Cisco Firepower Management Center 4000

Cisco Cisco Firepower Management Center 4000

Download
Page of 1844
 
32-90
FireSIGHT System User Guide
 
Chapter 32      Understanding and Writing Intrusion Rules 
  Understanding Keywords and Arguments in Rules
  •
You can define the 
setx
 operator multiple times, specifying different states and the same group with 
each instance.
  •
When you use the 
setx
 operator and specify a group, you cannot use the 
set
toggle
, or 
unset
 
operators on that specified group.
  •
The 
isset
 and 
isnotset
 operators evaluate for the specified state regardless of whether the state is 
in a group.
  •
During intrusion policy saves, intrusion policy reapplies, and access control policy applies 
(regardless of whether the access control policy references one intrusion policy or multiple intrusion 
policies), if you enable a rule that contains the 
isset
 or 
isnotset
 operator without a specified 
group, and you do not enable at least one rule that affects 
flowbits
 assignment (
set
setx
unset
toggle
) for the corresponding state name and protocol, all rules that affect 
flowbits
 assignment for 
the corresponding state name are enabled.
  •
During intrusion policy saves, intrusion policy reapplies, and access control policy applies 
(regardless of whether the access control policy references one intrusion policy or multiple intrusion 
policies), if you enable a rule that contains the 
isset
 or 
isnotset
 operator with a specified group, 
all rules that affect 
flowbits
 assignment (
set
setx
unset
toggle
) and define a corresponding 
group name are also enabled.
  •
Stream preprocessing must be enabled for the TCP or UDP protocol specified in rules using the 
flowbits
 keyword. If you enable a rule using the 
flowbits
 keyword in an intrusion policy where 
the necessary TCP or UDP stream preprocessing is disabled, you are prompted when you try to save 
your changes whether to allow the system to automatically enable the required TCP or UDP stream 
preprocessing. See 
 for more information.
flowbits Example Using state_name
Consider the IMAP vulnerability described in Bugtraq ID #1110. This vulnerability exists in an 
implementation of IMAP, specifically in the LIST, LSUB, RENAME, FIND, and COPY commands. 
However, to take advantage of the vulnerability, the attacker must be logged into the IMAP server. 
Because the LOGIN confirmation from the IMAP server and the exploit that follows are necessarily in 
different packets, it is difficult to construct non-flow-based rules that catch this exploit. Using the 
flowbits
 keyword, you can construct a series of rules that track whether the user is logged into the 
IMAP server and, if so, generate an event if one of the attacks is detected. If the user is not logged in, 
the attack cannot exploit the vulnerability and no event is generated.
The two rule fragments that follow illustrate this example. The first rule fragment looks for an IMAP 
login confirmation from the IMAP server:
alert tcp any 143 -> any any (msg:"IMAP login"; content:"OK
 
LOGIN"; flowbits:set,logged_in; flowbits:noalert;)
The following diagram illustrates the effect of the 
flowbits
 keyword in the preceding rule fragment:
Note that 
flowbits:set
 sets a state of 
logged_in
, while 
flowbits:noalert
 suppresses the alert because 
you are likely to see many innocuous login sessions on an IMAP server.