Cisco Cisco Firepower Management Center 4000

32-106

FireSIGHT System User Guide

Chapter 32 Understanding and Writing Intrusion Rules

Filtering Rules on the Rule Editor Page

Using Character Strings in a Rule Filter

License:

Protection

Each rule filter can include one or more alphanumeric character strings. Character strings search the rule

Message

field, Signature ID, and Generator ID. For example, the string

123

returns the strings

"Lotus123"

"123mania"

, and so on in the rule message, and also returns SID 6123, SID 12375, and so

on. For information on the rule

Message

field, see

Defining the Event Message, page 32-11

. For

information on rule SIDs and GIDs, see

Reading Preprocessor Generator IDs, page 22-8

All character strings are case-insensitive and are treated as partial strings. For example, any of the strings

ADMIN

admin

, or

Admin

return

"admin"

"CFADMIN"

"Administrator"

and so on.

Table 32-60

Rule Filter Keywords

Keyword

Description

Example

arachnids

Returns one or more rules based on all or part of the Arachnids ID
in a rule reference. See

Defining the Event Reference, page 32-14

for more information.

arachnids:181

bugtraq

Returns one or more rules based on all or part of the Bugtraq ID
in a rule reference. See

Defining the Event Reference, page 32-14

for more information.

bugtraq:2120

cve

Returns one or more rules based on all or part of the CVE number
in a rule reference. See

Defining the Event Reference, page 32-14

for more information.

cve:2003-0109

gid

The argument

returns standard text rules. The argument

returns

shared object rules. See

Reading Preprocessor Generator IDs,

page 22-8

and the

Rule Types

table for more information.

gid:3

mcafee

Returns one or more rules based on all or part of the McAfee ID
in a rule reference. See

Defining the Event Reference, page 32-14

for more information.

mcafee:10566

msg

Returns one or more rules based on all or part of the rule Message
field, also known as the event message. See

Defining the Event

Message, page 32-11

for more information.

msg:chat

nessus

Returns one or more rules based on all or part of the Nessus ID in
a rule reference. See

Defining the Event Reference, page 32-14

for more information.

nessus:10737

ref

Returns one or more rules based on all or part of a single
alphanumeric string in a rule reference or in the rule Message
field. See

Defining the Event Reference, page 32-14

and

Defining

the Event Message, page 32-11

for more information.

ref:MS03-039

sid

Returns the rule with the exact Signature ID. See

Reading

Preprocessor Generator IDs, page 22-8

for more information.

sid:235

url

Returns one or more rules based on all or part of the URL in a rule
reference. See

Defining the Event Reference, page 32-14

for more

information.

url:faqs.org