Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Defining the Event Reference
License: Protection
You can use the reference keyword to add references to external web sites and additional information about the event. Adding a reference provides analysts with an immediately available resource to help them identify why the packet triggered a rule. Table 32-6 (External Attack Identification Systems) lists some of the external systems that can provide data on known exploits and attacks.
To specify a reference using the rule editor, select reference from the Detection Options list, and enter a value in the corresponding field as follows:

id_system,id

where id_system is the system being used as a prefix, and id is the Bugtraq ID, CVE number, Arachnids ID, or URL (without http://).
For example, to specify the authentication bypass vulnerability on Microsoft Commerce Server 2002 servers documented in Bugtraq ID 17134, enter the following in the reference field:

bugtraq,17134
Note the following when adding references to a rule:
• Do not use a space after the comma.
• Do not use uppercase letters in the system ID.
See for more information about using the rule editor to build rules.
Searching for Content Matches
License: Protection
Use the content keyword to specify content that you want to detect in a packet. The rules engine searches the packet payload or stream for that string. For example, if you enter /bin/sh as the value for the content keyword, the rules engine searches the packet payload for the string /bin/sh.
Match content using either an ASCII string, hexadecimal content (binary byte code), or a combination of both. Surround hexadecimal content with pipe characters (|) in the keyword value. For example, you can mix hexadecimal content and ASCII content using something that looks like |90C8 C0FF FFFF|/bin/sh.
Table 32-6  External Attack Identification Systems

System ID    Description                                Example ID
bugtraq      Bugtraq page                               8550
cve          Common Vulnerabilities and Exposures page  CAN-2003-0702
mcafee       McAfee page                                98574
url          Website reference                          www.example.com?exploit=14
msb          Microsoft security bulletin                MS11-082
nessus       Nessus page                                10039
secure-url   Secure Website Reference (https://...)     intranet/exploits/exploit=14
Note that you can use secure-url with any secure website.
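The two keyword formats described above (the reference value id_system,id and the content value with |hex| sections) can be checked before a rule is saved. The following is an added example, not code from the FireSIGHT product or this guide: it validates a reference value against the rules and system IDs given here and converts a content value into the raw bytes the engine would search for; the helper names and the sample payload are constructed for illustration.

```python
# System IDs taken from Table 32-6 (the id_system prefix of a reference value).
REFERENCE_SYSTEMS = {"bugtraq", "cve", "mcafee", "url", "msb", "nessus", "secure-url"}


def validate_reference(value: str) -> tuple[bool, str]:
    """Check a reference keyword value of the form id_system,id.

    Applies the notes from the guide: one comma, no space after it,
    lowercase system ID, and URLs entered without the scheme prefix.
    """
    if "," not in value:
        return False, "missing comma between id_system and id"
    id_system, ref_id = value.split(",", 1)
    if not ref_id:
        return False, "empty id"
    if ref_id != ref_id.lstrip():
        return False, "space after the comma is not allowed"
    if id_system != id_system.lower():
        return False, "system ID must be lowercase"
    if id_system not in REFERENCE_SYSTEMS:
        return False, f"unknown system ID {id_system!r}"
    # The guide says URLs are given without http://; treating https:// the
    # same way for secure-url is an assumption based on the table's example.
    if id_system in ("url", "secure-url") and ref_id.startswith(("http://", "https://")):
        return False, "URL must be given without the scheme prefix"
    return True, "ok"


def content_to_bytes(pattern: str) -> bytes:
    """Convert a content keyword value (ASCII text with |hex| sections) to bytes."""
    pieces = pattern.split("|")
    if len(pieces) % 2 == 0:
        raise ValueError("unbalanced pipe characters in content pattern")
    out = bytearray()
    for i, piece in enumerate(pieces):
        if i % 2 == 0:
            out += piece.encode("ascii")        # literal ASCII section
        else:
            out += bytes.fromhex(piece)         # hex section; spaces are ignored
    return bytes(out)


def payload_matches(pattern: str, payload: bytes) -> bool:
    """Return True if the content pattern occurs anywhere in the payload."""
    return content_to_bytes(pattern) in payload


if __name__ == "__main__":
    # Constructed sample payload containing the guide's mixed hex/ASCII example.
    sample = b"AAAA" + bytes.fromhex("90C8C0FFFFFF") + b"/bin/sh\x00"
    print(validate_reference("bugtraq,17134"))
    print(payload_matches("|90C8 C0FF FFFF|/bin/sh", sample))
```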