Cisco Firepower Management Center 4000
32-82
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
To use byte_extract:
Access: Admin/Intrusion Admin
Step 1 On the Create Rule page, select byte_extract in the drop-down list and click Add Option.
The byte_extract section appears beneath the last keyword you selected.
Initiating Active Responses with Rule Keywords
License: Protection
The system can initiate active responses to close TCP connections in response to triggered TCP rules or UDP sessions in response to triggered UDP rules. Two keywords provide you with separate approaches to initiating active responses. When a packet triggers a rule containing either of the keywords, the system initiates a single active response. You can also use the config response command to configure the active response interface to use and the number of TCP resets to attempt in a passive deployment.
Active responses are most effective in inline deployments because resets are more likely to arrive in time to affect the connection or session. For example, in response to the react keyword in an inline deployment, the system inserts a TCP reset (RST) packet directly into the traffic for each end of the connection, which normally should close the connection.
Active responses are not intended to take the place of a firewall for a number of reasons, including that the system cannot insert packets in passive deployments and an attacker may have chosen to ignore or circumvent active responses.
Because active responses can be routed back, the system does not allow TCP resets to initiate TCP resets; this prevents an unending sequence of active responses. The system also does not allow ICMP unreachable packets to initiate ICMP unreachable packets, in keeping with standard practice.
You can configure the TCP stream preprocessor to detect additional traffic on a connection or session after an intrusion rule has triggered an active response. When the preprocessor detects additional traffic, it sends additional active responses up to a specified maximum to both ends of the connection or session. See for more information.
Note that to initiate additional TCP resets you must ensure that TCP Stream Configuration is enabled, and to initiate additional ICMP unreachable packets you must ensure that UDP Stream Configuration is enabled. See for more information. Note also that initial active responses do not require that you enable either TCP or UDP Stream Configuration.
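The response rules stated in the paragraphs above (one initial response to both ends of the session, no response to a response packet of the same kind, follow-up responses only with the matching stream configuration and only up to a maximum) as an added Python model; this is not code from the FireSIGHT product, and the class names, event names and endpoint labels are assumptions made for the model:

```python
# Added illustration of the active-response rules described above; it is not
# FireSIGHT or Snort code. Class names, event names and endpoint labels are
# assumptions made for this model.
from dataclasses import dataclass

ENDPOINTS = ("client", "server")   # responses go to both ends of a session


@dataclass
class ActiveResponseConfig:
    tcp_stream_enabled: bool   # required for additional TCP resets
    udp_stream_enabled: bool   # required for additional ICMP unreachables
    max_additional: int        # cap on follow-up responses per session


@dataclass
class Session:
    proto: str                 # "tcp" or "udp"
    responded: bool = False    # an initial active response was already sent
    additional_sent: int = 0   # follow-up responses sent so far


def respond(cfg: ActiveResponseConfig, sess: Session, event: str) -> list:
    """Decide which active-response packets to emit for one event on a session.

    event is one of:
      "rule"         an intrusion rule carrying an active-response keyword fired
      "traffic"      the stream preprocessor saw more traffic after a response
      "rst"          a TCP reset arrived (possibly our own, routed back)
      "icmp_unreach" an ICMP unreachable arrived (the UDP equivalent)
    Returns (endpoint, packet_type) pairs; an empty list means no response.
    """
    ptype = "rst" if sess.proto == "tcp" else "icmp_unreach"
    # Loop prevention: a response packet never triggers a response of its kind.
    if event == ptype:
        return []
    if event == "rule":
        # Initial response: exactly one, to both ends, no stream config needed.
        sess.responded = True
        return [(ep, ptype) for ep in ENDPOINTS]
    if event == "traffic" and sess.responded:
        # Additional responses need the matching stream preprocessor config
        # and stop once the configured maximum has been reached.
        enabled = cfg.tcp_stream_enabled if sess.proto == "tcp" else cfg.udp_stream_enabled
        if enabled and sess.additional_sent < cfg.max_additional:
            sess.additional_sent += 1
            return [(ep, ptype) for ep in ENDPOINTS]
    return []
```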
See the following sections for information specific to the keywords you can use to initiate active responses:
Table 32-50 Arguments Accepting a byte_extract Variable (continued)
Keyword      Argument
byte_test    Offset, Value    See for more information.
isdataat     Offset           See for more information.