Cisco FirePOWER Appliance 8250
32-76
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
The following list provides the string syntax recognized by the system for defined DNP3 internal indications flags.
class_1_events
class_2_events
class_3_events
need_time
local_control
device_trouble
device_restart
no_func_code_support
object_unknown
parameter_error
event_buffer_overflow
already_executing
config_corrupt
reserved_2
reserved_1
To specify DNP3 internal indications flags:
Access:
Admin/Intrusion Admin
Step 1
On the Create Rule page, select dnp3_ind in the drop-down list and click Add Option.
The dnp3_ind keyword appears.
Step 2
You can specify the string for a single known flag or a comma-separated list of flags.
dnp3_obj
You can use the dnp3_obj keyword to match against DNP3 object headers in a request or response.
DNP3 data is comprised of a series of DNP3 objects of different types such as analog input, binary input,
and so on. Each type is identified with a group such as analog input group, binary input group, and so
on, each of which can be identified by a decimal value. The objects in each group are further identified
by an object variation such as 16-bit integers, 32-bit integers, short floating point, and so on, each of
which specifies the data format of the object. Each type of object variation can also be identified by a
decimal value.
You identify object headers by specifying the decimal number for the type of object header group and
the decimal number for the type of object variation. The combination of the two defines a specific type
of DNP3 object.
To specify a DNP3 object:
Access:
Admin/Intrusion Admin
Step 1
On the Create Rule page, select dnp3_obj in the drop-down list and click Add Option.
The dnp3_obj keyword appears.
Step 2
Specify a decimal value 0 through 255 to identify a known object group, and another decimal value 0
through 255 to identify a known object variation type.
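As an added example (not from the FireSIGHT guide or the Cisco product), the following Python decodes the two Internal Indication octets of a DNP3 application-layer response into the dnp3_ind flag names listed above, emulates a dnp3_ind comma-separated match, and emulates a dnp3_obj group/variation match against the first object header only. Assumptions: bit positions follow the standard DNP3 IIN layout, the "match when any listed flag is set" semantics and the sample response bytes are constructed for illustration, and the walk over additional object headers (which needs each header's qualifier and range fields) is left out.

```python
"""Decode DNP3 IIN flags and the first object header as the dnp3_ind and
dnp3_obj rule keywords describe them. Added example, not Cisco's code.
IIN1 bit 0 (broadcast) has no name in the keyword list and is left unnamed."""
from typing import NamedTuple

# IIN1 bits 1-7 and IIN2 bits 0-7, named with the dnp3_ind string syntax.
IIN1_FLAGS = {1: "class_1_events", 2: "class_2_events", 3: "class_3_events",
              4: "need_time", 5: "local_control", 6: "device_trouble",
              7: "device_restart"}
IIN2_FLAGS = {0: "no_func_code_support", 1: "object_unknown",
              2: "parameter_error", 3: "event_buffer_overflow",
              4: "already_executing", 5: "config_corrupt",
              6: "reserved_2", 7: "reserved_1"}
KNOWN_FLAGS = set(IIN1_FLAGS.values()) | set(IIN2_FLAGS.values())


def iin_flags(iin1: int, iin2: int) -> set:
    """Return the named IIN flags that are set in the two IIN octets."""
    flags = {name for bit, name in IIN1_FLAGS.items() if (iin1 >> bit) & 1}
    flags |= {name for bit, name in IIN2_FLAGS.items() if (iin2 >> bit) & 1}
    return flags


def dnp3_ind_matches(option: str, iin1: int, iin2: int) -> bool:
    """Emulate dnp3_ind with a single flag or a comma-separated flag list.
    Assumption (constructed): the option matches when any listed flag is set."""
    wanted = {f.strip() for f in option.split(",")}
    unknown = wanted - KNOWN_FLAGS
    if unknown:
        raise ValueError(f"unknown dnp3_ind flag(s): {sorted(unknown)}")
    return bool(wanted & iin_flags(iin1, iin2))


class ObjectHeader(NamedTuple):
    group: int
    variation: int


def first_object_header(response: bytes) -> ObjectHeader:
    """Read the first object header of a DNP3 application-layer response:
    control(1) + function code(1) + IIN(2) precede the group and variation."""
    if len(response) < 6:
        raise ValueError("response fragment too short for an object header")
    return ObjectHeader(group=response[4], variation=response[5])


def dnp3_obj_matches(group: int, variation: int, response: bytes) -> bool:
    """Emulate dnp3_obj group,variation against the first object header only."""
    if not (0 <= group <= 255 and 0 <= variation <= 255):
        raise ValueError("group and variation must be decimal values 0 through 255")
    return first_object_header(response) == (group, variation)


# Constructed sample response: control 0xC0, function 0x81 (response), IIN1 0x90
# (device_restart + need_time), IIN2 0x02 (object_unknown), object group 30
# (analog input) variation 1, followed by a qualifier byte.
SAMPLE_RESPONSE = bytes([0xC0, 0x81, 0x90, 0x02, 0x1E, 0x01, 0x00])
```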