Cisco Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 32      Understanding and Writing Intrusion Rules 
  Understanding Rule Headers
Note
You must use brackets to negate a list of IP addresses.
Be careful when using the negation character with IP address lists. For example, if you use [!192.168.1.1,!192.168.1.5] to match any address that is not 192.168.1.1 or 192.168.1.5, the system interprets this syntax as “anything that is not 192.168.1.1, or anything that is not 192.168.1.5.”
Because 192.168.1.5 is not 192.168.1.1, and 192.168.1.1 is not 192.168.1.5, both IP addresses match the IP address value of [!192.168.1.1,!192.168.1.5], and it is essentially the same as using “any.”
Instead, use ![192.168.1.1,192.168.1.5]. The system interprets this as “not 192.168.1.1 and not 192.168.1.5,” which matches any IP address other than those listed between brackets.
Note that you cannot logically use negation with any which, if negated, would indicate no address.
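The following Python sketch is an added example, not part of the Cisco guide or the product. It models the list semantics described in the note above and flags address fields that fall into the negation pitfall. The function names (parse, matches, lint) are hypothetical, and it assumes literal addresses and CIDR blocks only, with no rule variables.

```python
# Added example: models the list semantics described in the note above.
# Scope is an assumption: literal IPv4/IPv6 addresses and CIDR blocks only.
import ipaddress
from itertools import combinations


def parse(spec):
    """Return (outer_negated, [(item_negated, network), ...])."""
    spec = spec.strip()
    outer = spec.startswith("![")
    if outer:
        spec = spec[1:]
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    items = []
    for tok in spec.split(","):
        tok = tok.strip()
        net = ipaddress.ip_network(tok.lstrip("!"), strict=False)
        items.append((tok.startswith("!"), net))
    return outer, items


def matches(spec, addr):
    """Items are ORed; a '!' item matches every address outside it;
    a '!' before the brackets inverts the result for the whole list."""
    if spec.strip() == "any":
        return True
    outer, items = parse(spec)
    ip = ipaddress.ip_address(addr)
    hit = any((ip in net) != negated for negated, net in items)
    return hit != outer


def lint(spec):
    """Return a warning when the field falls into the pitfall, else None."""
    if spec.strip() == "any":
        return None
    outer, items = parse(spec)
    negated = [net for neg, net in items if neg]
    for a, b in combinations(negated, 2):
        if not outer and not a.overlaps(b):
            return f"!{a} and !{b} together match every address; use ![...]"
    return None


if __name__ == "__main__":
    # Constructed test values, taken from the addresses used in the note.
    for spec in ("[!192.168.1.1,!192.168.1.5]", "![192.168.1.1,192.168.1.5]"):
        print(spec, matches(spec, "192.168.1.1"), lint(spec))
```

Running lint over the source and destination address fields of custom rules before import catches exclusions that would otherwise silently widen a rule to every address.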
Defining Ports in Intrusion Rules
License: Protection
Within the rule editor, you specify source and destination ports in the Source Port and Destination Port
 for more information about the procedures you use to build a rule header using the rule editor.
The FireSIGHT System uses a specific type of syntax to define the port numbers used in rule headers.
Note
The system ignores port definitions in an intrusion rule header when the protocol is set to ip. For more information, see .
You can list ports by separating the ports with commas, as shown in the following example:
80, 8080, 8138, 8600-9000, !8650-8675
Optionally, the following example shows how you can surround a port list with brackets, which was 
required in previous software versions but is no longer required:
[80, 8080, 8138, 8600-9000, !8650-8675]
Note that you must surround negated port lists in brackets, as shown in the following example:
![20, 22, 23]
Note also that a list of source or destination ports in an intrusion rule can include a maximum of 64 characters.
The following table summarizes the syntax you can use:
Table 32-3 Source/Destination Port Syntax

| To Specify... | Use | Example |
|---|---|---|
| any port | any | any |
| a specific port | the port number | 80 |
| a range of ports | a dash between the first and last port number in the range | 80-443 |
| all ports less than or equal to a specific port | a dash before the port number | -21 |
| all ports greater than or equal to a specific port | a dash after the port number | 80- |