FireSIGHT System User Guide, page 32-100
Chapter 32: Understanding and Writing Intrusion Rules
Constructing a Rule
Step 8   In the Source Port field, enter the originating port numbers for traffic that should trigger the rule. In the Destination Port field, enter the receiving port numbers for traffic that should trigger the rule.

Note: The system ignores port definitions in an intrusion rule header when the protocol is set to ip.

For more detailed information about the port syntax that the rule editor accepts, see .
Step 9   From the Direction list, select the operator that indicates which direction of traffic you want to trigger the rule. You can use one of the following:
 • Directional to match traffic that moves from the source IP address to the destination IP address
 • Bidirectional to match traffic that moves in either direction
Step 10   From the Detection Options list, select the keyword that you want to use.

Step 11   Click Add Option.

Step 12   Enter any arguments that you want to specify for the keyword you added. For more information about rule keywords and how to use them, see .

When adding keywords and arguments, you can also perform the following:
 • To reorder keywords after you add them, click the up or down arrow next to the keyword you want to move.
 • To delete a keyword, click the X next to that keyword.

Repeat steps  through  for each keyword option you want to add.
Step 13   Click Save As New to save the rule.

The system assigns the rule the next available Snort ID (SID) number in the rule number sequence for local rules and saves it in the local rule category.

The system does not begin evaluating traffic against new or changed rules until you enable them within the appropriate intrusion policy, and then apply the intrusion policy as part of an access control policy. See  for more information.
Modifying Existing Rules

License: Protection

You can modify custom standard text rules. You can also modify a standard text rule or shared object rule provided by Cisco and create one or more new instances of the rule by saving it.

Creating a rule or modifying a Cisco rule copies the new rule or revision to the local rule category and assigns the rule the next available Snort ID (SID) greater than 100000.

You can only modify header information for a shared object rule. You cannot modify the rule keywords used in a shared object rule or their arguments. Modifying header information for a shared object rule and saving your changes creates a new instance of the rule with a generator ID (GID) of 3 and the next available SID for a custom rule. The Rule Editor links the new instance of the shared object rule to the reserved soid keyword, which maps the rule you create to the rule created by the Cisco Vulnerability Research Team (VRT). You can delete instances of a shared object rule that you create, but you cannot delete shared object rules provided by Cisco. See  for more information.
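As an added example that is not from the guide, the following Python checker parses a Snort-style rule header and its ordered keyword options (the structure built in Steps 8 through 13 above) and flags the constraints this section and the procedure describe: ports ignored when the protocol is ip, the local rule SID range above 100000, and the soid keyword on a GID 3 shared object instance. The regular expression, helper names and sample rule are assumptions; the sample rule is constructed.

```python
import re
# Snort-style rule header (action proto src sport dir dst dport) then options in parentheses;
# dir is -> (directional) or <> (bidirectional). Assumes no spaces inside address/port lists.
HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$")

def split_options(body):
    """Split the option body on ';' outside double quotes into ordered (keyword, argument) pairs."""
    items, cur, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    items.append(cur)
    pairs = []
    for item in items:
        if item.strip():
            kw, _, arg = item.strip().partition(":")
            pairs.append((kw.strip(), arg.strip() or None))
    return pairs

def parse_rule(text):
    """Return the header fields plus the ordered options of one rule as a dict."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("malformed rule header")
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("opts"))
    return rule

def check_rule(rule):
    """Findings implied by this section: ports ignored for ip, local SID range, soid on GID 3."""
    findings = []
    if rule["proto"] == "ip" and (rule["sport"] != "any" or rule["dport"] != "any"):
        findings.append("ports are ignored when protocol is ip")
    opts = dict(rule["options"])
    gid, sid = int(opts.get("gid", "1")), int(opts.get("sid", "0"))  # Snort defaults gid to 1
    if gid == 1 and sid <= 100000:
        findings.append("local rules are assigned SIDs greater than 100000")
    if gid == 3 and "soid" not in opts:
        findings.append("GID 3 shared object instance lacks the soid keyword")
    return findings

# Constructed sample rule, not one from the guide.
SAMPLE = 'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed; test"; content:"GET"; sid:1000001; rev:1;)'
```

Running check_rule(parse_rule(SAMPLE)) returns no findings, while an ip rule with a source port of 53 and a SID of 5 produces both the ignored-port and the SID-range findings.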