Cisco FirePOWER Appliance 8250
32-101
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Constructing a Rule
Note
Do not modify the protocol for a shared object rule; doing so would render the rule ineffective.
To modify a rule:
Access: Admin/Intrusion Admin
Step 1
Select Policies > Intrusion > Rule Editor.
The Rule Editor page appears.
Step 2
Locate the rule or rules you want to modify. You have the following options:
• To locate rules by browsing rule categories, navigate through the folders to the rule you want and click the edit icon next to the rule.
• To locate rules by searching for them, enter the search criteria (most simply, the SID) for the rule or rules you want and click Search. Click a rule returned by the search as appropriate. See for more information.
• To locate a rule or rules by filtering the rules displayed on the page, enter a rule filter in the text box indicated by the filter icon at the upper left of the rule list. Navigate to the rule you want and click the edit icon next to the rule. See for more information.
The rule editor opens, displaying the rule you selected.
Note that if you select a shared object rule, the rule editor displays only the rule header information. A
shared object rule can be identified on the Rule Editor page by a listing that begins with the number 3
(the GID), for example, 3:1000004.
Step 3
Make any modifications to the rule (see for more information about rule options) and click Save As New.
The rule is saved to the local rule category.
Tip
If you want to use the local modification of the rule instead of the system rule, deactivate the system rule by using the procedures at and activate the local rule.
Step 4
Activate the intrusion policy by applying it as part of an access control policy as described in
to apply your changes.
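The Note at the start of this procedure and the GID 3 listing described in Step 2 can be checked mechanically before a modified rule is saved. The following is an added example, not part of the Cisco guide: it assumes the original and edited rules are available as Snort-style rule text, the function names are hypothetical, and the sample rules are constructed.

```python
import re

SHARED_OBJECT_GID = 3  # per the guide: listings that begin with 3 are shared object rules

# Snort-style rule text: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+"
    r"\s*\((?P<opts>.*)\)\s*$", re.S)

def _int_option(opts, name, default=None):
    """Return the integer value of a 'name:N;' rule option, or the default."""
    m = re.search(r"(?:^|;)\s*" + name + r"\s*:\s*(\d+)\s*;", opts)
    return int(m.group(1)) if m else default

def parse_rule(text):
    """Extract the protocol, GID and SID from one rule."""
    m = RULE_RE.match(text)
    if m is None:
        raise ValueError("not a complete rule: %r" % text[:40])
    opts = m.group("opts")
    return {"proto": m.group("proto").lower(),
            "gid": _int_option(opts, "gid", 1),  # Snort treats a missing gid as 1
            "sid": _int_option(opts, "sid")}

def listing(text):
    """Format a rule as GID:SID, the form shown on the Rule Editor page."""
    rule = parse_rule(text)
    return "%d:%d" % (rule["gid"], rule["sid"])

def check_edit(original, edited):
    """Return a list of problems with saving `edited` as a copy of `original`."""
    old, new = parse_rule(original), parse_rule(edited)
    problems = []
    if old["gid"] == SHARED_OBJECT_GID and new["proto"] != old["proto"]:
        problems.append("%s is a shared object rule: protocol changed %s -> %s"
                        % (listing(original), old["proto"], new["proto"]))
    return problems

# Constructed sample rules (not taken from any rule set)
SO_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 445 '
           '(msg:"constructed shared object stub"; gid:3; sid:1000004; rev:1;)')
TEXT_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
             '(msg:"constructed text rule"; sid:1000005; rev:1;)')

if __name__ == "__main__":
    for before, after in [(SO_RULE, SO_RULE.replace(" tcp ", " udp ", 1)),
                          (SO_RULE, SO_RULE.replace(" 445 ", " 139 ", 1)),
                          (TEXT_RULE, TEXT_RULE.replace(" tcp ", " udp ", 1))]:
        print(listing(before), check_edit(before, after) or "ok")
```

Only the first pair is flagged: the second changes a port on the shared object rule and the third changes the protocol of a standard text rule, neither of which the Note prohibits.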
Adding Comments to Rules
License: Protection
You can add comments to any intrusion rule. This allows you to provide additional context and
information about the rule and the exploit or policy violation it identifies.
To add a comment to a rule:
Access: Admin/Intrusion Admin
Step 1
Select Policies > Intrusion > Rule Editor.