FireSIGHT System User Guide, Chapter 32: Understanding and Writing Intrusion Rules (page 32-9)
Understanding Keywords and Arguments in Rules
Table 32-3 Source/Destination Port Syntax (continued)

  To Specify: all ports except a specific port or range of ports
  Use: the ! character before the port, port list, or range of ports you want to negate. Note that you can use negation with all port designations except any, which if negated would indicate no port.
  Example: !20

  To Specify: all ports defined by a port variable
  Use: the variable name, in uppercase letters, preceded by $. See  for more information.
  Example: $HTTP_PORTS

  To Specify: all ports except ports defined by a port variable
  Use: the variable name, in uppercase letters, preceded by !$
  Example: !$HTTP_PORTS

Specifying Direction

License: Protection

Within the rule header, you can specify the direction that the packet must travel for the rule to inspect it. Table 32-4 describes these options. See  for more information about the procedures you use to build a rule header using the rule editor.

Table 32-4 Directional Options in Rule Headers

  Use: Directional (->)
  To Test: only traffic from the specified source IP address to the specified destination IP address

  Use: Bidirectional (<>)
  To Test: all traffic traveling between the specified source and destination IP addresses

Understanding Keywords and Arguments in Rules

License: Protection

Using the rules language, you can specify the behavior of a rule by combining keywords. Keywords and their associated values (called arguments) dictate how the system evaluates packets and the packet-related values that the rules engine tests. The FireSIGHT System currently supports keywords that allow you to perform inspection functions such as content matching, protocol-specific pattern matching, and state-specific matching. You can define up to 100 arguments per keyword, and combine any number of compatible keywords to create highly specific rules. This helps decrease the chance of false positives and false negatives and focuses the intrusion information you receive.

Note that you can also use adaptive profiles to dynamically adapt active rule processing for specific packets based on rule metadata and host information. For more information, see .

See the following sections for more information:

  •  describes the syntax and use of keywords that allow you to define the event's message, priority information, and references to external information about the exploit the rule detects.
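The port negation and port-variable syntax in Table 32-3 and the two direction operators in Table 32-4 are easy to get subtly wrong (for example, forgetting that a bidirectional rule must also be checked with source and destination swapped, or that !any matches nothing). The following Python is an added example written for this page, not FireSIGHT or Snort code: it evaluates whether a packet's addresses and ports satisfy a Snort-style rule header. The PORT_VARS and NET_VARS tables, the sample packets, and the -> and <> operator spellings (standard Snort rule-header syntax, which FireSIGHT rules use) are assumptions for the example, and it goes slightly beyond the page by also accepting bracketed lists whose items may themselves be negated or variables.

```python
# Added example: matcher for the address, port and direction parts of a
# Snort-style rule header. Not FireSIGHT/Snort code; tables are constructed.
import ipaddress

# Constructed variable tables (assumption). In FireSIGHT the values come from
# the variable set assigned to the intrusion policy.
PORT_VARS = {"HTTP_PORTS": "[80,8080:8081]", "SSH_PORTS": "22"}
NET_VARS = {"HOME_NET": "10.0.0.0/8", "EXTERNAL_NET": "!$HOME_NET"}


def _split_negation(spec):
    """Strip a leading '!' and report whether it was present."""
    spec = spec.strip()
    if spec.startswith("!"):
        return True, spec[1:].strip()
    return False, spec


def _expand_variable(spec, table):
    """Resolve '$NAME' against table; names must be uppercase, as on the page."""
    name = spec[1:]
    if name != name.upper():
        raise ValueError(f"variable names must be uppercase: {spec}")
    if name not in table:
        raise ValueError(f"undefined variable: {spec}")
    return table[name]


def _list_items(body):
    """Split a bracketed list '[a,b,c]' into its items."""
    if not body.endswith("]"):
        raise ValueError(f"unterminated list: {body}")
    return [item.strip() for item in body[1:-1].split(",")]


def _in_port_range(item, port):
    """True if port falls in 'N' or 'lo:hi' (an open end means 0 or 65535)."""
    if ":" in item:
        lo, hi = item.split(":", 1)
        lo = int(lo) if lo else 0
        hi = int(hi) if hi else 65535
    else:
        lo = hi = int(item)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range: {item}")
    return lo <= port <= hi


def port_matches(spec, port):
    """Evaluate a port spec: any, N, lo:hi, [list], $VAR, with optional '!'."""
    negated, body = _split_negation(spec)
    if body == "any":
        if negated:  # the caveat from Table 32-3: !any would match no port
            raise ValueError("'any' cannot be negated")
        return True
    if body.startswith("$"):
        hit = port_matches(_expand_variable(body, PORT_VARS), port)
    elif body.startswith("["):
        hit = any(port_matches(item, port) for item in _list_items(body))
    else:
        hit = _in_port_range(body, port)
    return hit != negated  # a leading '!' inverts the result


def addr_matches(spec, addr):
    """Same evaluation for the address fields: any, CIDR, [list], $VAR, '!'."""
    negated, body = _split_negation(spec)
    if body == "any":
        if negated:
            raise ValueError("'any' cannot be negated")
        return True
    if body.startswith("$"):
        hit = addr_matches(_expand_variable(body, NET_VARS), addr)
    elif body.startswith("["):
        hit = any(addr_matches(item, addr) for item in _list_items(body))
    else:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(body, strict=False)
    return hit != negated


def header_matches(src_net, src_port, direction, dst_net, dst_port, pkt):
    """Apply the direction operator from Table 32-4 to a packet.

    pkt is (src_ip, src_port, dst_ip, dst_port) as seen on the wire.
    '->' inspects only packets from src to dst; '<>' inspects both directions,
    so the header is also tested with the packet's ends swapped.
    """
    s_ip, s_p, d_ip, d_p = pkt
    forward = (addr_matches(src_net, s_ip) and port_matches(src_port, s_p)
               and addr_matches(dst_net, d_ip) and port_matches(dst_port, d_p))
    if direction == "->":
        return forward
    if direction == "<>":
        reverse = (addr_matches(src_net, d_ip) and port_matches(src_port, d_p)
                   and addr_matches(dst_net, s_ip) and port_matches(dst_port, s_p))
        return forward or reverse
    raise ValueError(f"unknown direction operator: {direction}")


if __name__ == "__main__":
    # Constructed packets: an outside client hitting an internal web server,
    # and the server's reply. Only '<>' inspects the reply.
    request = ("8.8.8.8", 40000, "10.1.2.3", 80)
    reply = ("10.1.2.3", 80, "8.8.8.8", 40000)
    for op in ("->", "<>"):
        print(op, header_matches("$EXTERNAL_NET", "any", op, "$HOME_NET", "$HTTP_PORTS", request),
              header_matches("$EXTERNAL_NET", "any", op, "$HOME_NET", "$HTTP_PORTS", reply))
```

Two design points worth noting: negation is applied once, after the body is resolved, so !$HTTP_PORTS and a variable whose own value starts with ! (the constructed EXTERNAL_NET above) both compose correctly through the XOR at the end of each matcher; and !any is rejected rather than silently matching nothing, which is the failure mode the table warns about.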