Cisco Firepower Management Center 4000

FireSIGHT System User Guide
Chapter 32
Understanding and Writing Intrusion Rules
An intrusion rule is a specified set of keywords and arguments that detects attempts to exploit 
vulnerabilities on your network by analyzing network traffic to check if it matches the criteria in the rule. 
The system compares packets against the conditions specified in each rule and, if the packet data matches 
all the conditions specified in a rule, the rule triggers. If a rule is an alert rule, it generates an intrusion 
event. If it is a pass rule, it ignores the traffic. You can view and evaluate intrusion events from the 
Defense Center web interface.
Caution
Make sure you use a controlled network environment to test any intrusion rules that you write before you 
use the rules in a production environment. Poorly written intrusion rules may seriously affect the 
performance of your FireSIGHT System.
Note the following:
  • For a drop rule in an inline deployment, the system drops the packet and generates an event. For more information on drop rules, see 
  • Cisco provides two types of intrusion rules: shared object rules and standard text rules. The Cisco Vulnerability Research Team (VRT) can use shared object rules to detect attacks against vulnerabilities in ways that traditional standard text rules cannot. You cannot create shared object rules. When you write your own intrusion rule, you create a standard text rule.
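As an added illustration that is not part of the guide, the following Python sketch models the evaluation semantics described above: a standard text rule is a header plus option keywords, every condition must match before the rule triggers, alert rules generate an event, pass rules ignore the traffic, and drop rules drop the packet only in an inline deployment. The rule fields, sample rules and packets are constructed for the example and are not FireSIGHT's own parser or data.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed, simplified model of a standard text rule: a header
# (action, protocol, destination port) plus option keywords that
# must ALL match before the rule triggers. Not the FireSIGHT parser.
@dataclass
class Rule:
    sid: int
    action: str                 # "alert", "pass" or "drop"
    proto: str                  # "tcp" or "udp"
    dst_port: Optional[int]     # None means "any"
    msg: str                    # event message shown to the analyst
    content: List[bytes] = field(default_factory=list)

@dataclass
class Packet:
    proto: str
    dst_port: int
    payload: bytes

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header and every option must match; one failed condition means no trigger."""
    if rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return all(c in pkt.payload for c in rule.content)

def evaluate(rules: List[Rule], pkt: Packet, inline: bool) -> Tuple[str, List[Tuple[int, str]]]:
    """Return (verdict, events). Simplification: the first matching rule decides the verdict."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "pass":
            return "forward", []                 # pass rules ignore the traffic, no event
        event = [(rule.sid, rule.msg)]           # alert and drop both generate an event
        if rule.action == "drop" and inline:
            return "drop", event                 # the drop only takes effect inline
        return "forward", event                  # passive deployment: drop rule only alerts
    return "forward", []

# Constructed sample rules (sids in the 1000000+ local range are hypothetical)
RULES = [
    Rule(1000001, "pass", "tcp", 8080, "trusted scanner, ignore", [b"X-Scanner: approved"]),
    Rule(1000002, "drop", "tcp", 80, "CONSTRUCTED admin path probe", [b"GET ", b"/admin/"]),
    Rule(1000003, "alert", "tcp", None, "CONSTRUCTED SSH banner on any port", [b"SSH-2.0-"]),
]
```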
You can write custom standard text rules to tune the types of events you are likely to see. Note that while this documentation sometimes discusses rules targeted to detect specific exploits, the most successful rules target traffic that may attempt to exploit known vulnerabilities rather than specific known exploits. By writing rules and specifying the rule’s event message, you can more easily identify traffic that indicates attacks and policy evasions. For more information about evaluating events, see .
See the following sections for more information:
  •  describes the components, including the rule header and rule options, that make up a valid standard text rule.
  •  provides a detailed description of the parts of a rule header.
  •  explains the usage and syntax of the intrusion rule keywords available in the FireSIGHT System.
  •  explains how to build a new rule using the rule editor.
  •  explains how to search for existing rules.
  •  explains how to display a subset of rules to help you find specific rules.