Cisco FirePOWER Appliance 8250
32-43
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Analysts most frequently watch for strict and loose source routing because these options may be an indication of a spoofed source IP address.
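To see what the ipopts arguments in Table 32-24 correspond to on the wire, the following is an added example (not Cisco or Snort code) that walks the options area of an IPv4 header, names each option with the ipopts argument from the table, and flags the two source-routing options the paragraph above singles out. The option type codes come from RFC 791; the build_ipv4_header helper, the function names and the sample headers are constructed for this example only.

```python
import struct

# IPv4 option type codes (RFC 791), keyed to the ipopts argument names in Table 32-24.
IPOPTS = {
    0: "eol",      # end of list
    1: "nop",      # no operation
    7: "rr",       # record route
    68: "ts",      # time stamp
    130: "sec",    # IP security option
    131: "lsrr",   # loose source routing
    136: "satid",  # stream identifier
    137: "ssrr",   # strict source routing
}
SOURCE_ROUTING = {"lsrr", "ssrr"}


def parse_ipv4_options(header: bytes):
    """Return the ipopts names present in an IPv4 header, in wire order.

    The IHL nibble gives the header length in 32-bit words; everything past the
    fixed 20 bytes is the options area. Each option is a one-byte type followed,
    except for eol and nop, by a length byte that covers type, length and data.
    """
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = header[0] >> 4, header[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    hlen = ihl * 4
    if len(header) < hlen:
        raise ValueError("header shorter than IHL claims")
    opts, i, found = header[20:hlen], 0, []
    while i < len(opts):
        t = opts[i]
        name = IPOPTS.get(t, f"unknown({t})")
        found.append(name)
        if t == 0:            # eol: nothing after it but padding
            break
        if t == 1:            # nop: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError(f"option {name} is missing its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad option length {length} for {name}")
        i += length
    return found


def has_source_routing(header: bytes) -> bool:
    """True when the header carries lsrr or ssrr, the options analysts watch for."""
    return bool(SOURCE_ROUTING & set(parse_ipv4_options(header)))


def build_ipv4_header(options: bytes) -> bytes:
    """Constructed sample builder (not on-the-wire capture): a minimal IPv4 header
    with the given options appended and padded to a 32-bit boundary. The checksum
    is left zero because only the options area is parsed here."""
    options = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + options


# Constructed sample: a nop, then a loose source route (type 131, length 7,
# pointer 4) carrying a single hop address.
LSRR_HEADER = build_ipv4_header(b"\x01" + b"\x83\x07\x04" + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(parse_ipv4_options(LSRR_HEADER), has_source_routing(LSRR_HEADER))
```

A record-route option (type 7) or a timestamp option is parsed the same way but leaves has_source_routing false; a truncated or mis-sized option raises rather than being silently skipped, which is the behaviour you want before trusting the result of a check.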
Identifying Specified IP Protocol Numbers
License: Protection
The ip_proto keyword allows you to identify packets by the protocol number in the IP header. Specify the protocol number (0 through 255) as the keyword's argument, optionally prefixed with one of the operators <, >, or !. For example, to inspect traffic with any protocol that is not ICMP, use !1 as the value to the ip_proto keyword. You can also use the ip_proto keyword multiple times in a single rule; note, however, that the rules engine interprets multiple instances of the keyword as having a Boolean AND relationship. For example, a rule containing ip_proto:!3; ip_proto:!6 matches only traffic whose protocol is neither GGP (3) nor TCP (6); in other words, it ignores both GGP and TCP traffic.
Inspecting a Packet's Type of Service
License: Protection
Some networks use the type of service (ToS) value to set precedence for packets traveling on that network. The tos keyword allows you to test the packet's IP header ToS value against the value you specify as the keyword's argument. Rules using the tos keyword trigger on packets whose ToS is set to the specified value and that meet the rest of the criteria set forth in the rule.
Note: Argument values for tos must be numeric.
The ToS field has been deprecated in the IP header protocol and replaced with the Differentiated Services Code Point (DSCP) field. The keyword still compares the whole 8-bit byte, of which DSCP occupies the upper six bits and ECN the lower two, so a DSCP codepoint must be shifted left by two when written as a tos argument (for example, DSCP 46 corresponds to tos:184).
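The operator handling and the Boolean AND between repeated ip_proto keywords, together with the numeric tos test, in one place: the following is an added example, not the FireSIGHT rules engine's code. It evaluates only these two keywords over a hypothetical Packet model that carries just the protocol number and ToS byte; the parse_rule_options and rule_matches names are my own.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Hypothetical packet model: only the two IP header fields these keywords read."""
    proto: int   # IP header protocol number (1 = ICMP, 3 = GGP, 6 = TCP, 17 = UDP)
    tos: int     # IP header ToS byte


# keyword ":" optional operator (<, > or !) followed by a numeric value
KEYWORD_RE = re.compile(r"^\s*(ip_proto|tos)\s*:\s*([<>!]?)\s*(\d+)\s*$")


def parse_rule_options(options: str):
    """Parse ip_proto and tos keywords out of a rule options string.

    Returns (keyword, operator, value) tuples in the order written. Any other
    keyword, or a non-numeric value such as tos:low, is rejected because this
    evaluator models only these two keywords.
    """
    tests = []
    for raw in options.split(";"):
        if not raw.strip():
            continue
        m = KEYWORD_RE.match(raw)
        if not m:
            raise ValueError(f"unsupported or malformed option: {raw.strip()!r}")
        keyword, op, value = m.group(1), m.group(2), int(m.group(3))
        if not 0 <= value <= 255:
            raise ValueError(f"{keyword} value out of range: {value}")
        tests.append((keyword, op, value))
    return tests


def _compare(actual: int, op: str, value: int) -> bool:
    if op == "":
        return actual == value
    if op == "!":
        return actual != value
    if op == "<":
        return actual < value
    if op == ">":
        return actual > value
    raise ValueError(f"unknown operator {op!r}")


def rule_matches(options: str, pkt: Packet) -> bool:
    """Evaluate every ip_proto/tos test in the rule against one packet.

    Repeated keywords are ANDed, as the rules engine does: all tests must hold
    for the rule to fire, so ip_proto:!3; ip_proto:!6 matches neither GGP nor TCP.
    """
    field = {"ip_proto": pkt.proto, "tos": pkt.tos}
    return all(_compare(field[kw], op, val)
               for kw, op, val in parse_rule_options(options))


if __name__ == "__main__":
    rule = "ip_proto:!3; ip_proto:!6;"
    for p in (Packet(proto=3, tos=0), Packet(proto=6, tos=0), Packet(proto=17, tos=0)):
        print(p, rule_matches(rule, p))
```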
Table 32-24 IPoption Arguments

Argument   Description
rr         record route
eol        end of list
nop        no operation
ts         time stamp
sec        IP security option
lsrr       loose source routing
ssrr       strict source routing
satid      stream identifier

Inspecting a Packet's Time-To-Live Value
License: Protection