Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide, Chapter 32 Understanding and Writing Intrusion Rules (page 32-8)
Understanding Rule Headers
Note: You must use brackets to negate a list of IP addresses.

Be careful when using the negation character with IP address lists. For example, if you use [!192.168.1.1,!192.168.1.5] to match any address that is not 192.168.1.1 or 192.168.1.5, the system interprets this syntax as “anything that is not 192.168.1.1, or anything that is not 192.168.1.5.” Because 192.168.1.5 is not 192.168.1.1, and 192.168.1.1 is not 192.168.1.5, both IP addresses match the IP address value of [!192.168.1.1,!192.168.1.5], and it is essentially the same as using “any.”

Instead, use ![192.168.1.1,192.168.1.5]. The system interprets this as “not 192.168.1.1 and not 192.168.1.5,” which matches any IP address other than those listed between brackets.

Note that you cannot logically use negation with any, which, if negated, would indicate no address.
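The following Python evaluator is an added example and is not code from the FireSIGHT guide or from Cisco. It applies exactly the address-list rules the note above describes (members of a list are OR'd together, a leading ! before a bracketed list negates the whole list, any cannot be negated) to a constructed set of sample addresses, so you can see that [!192.168.1.1,!192.168.1.5] matches every address while ![192.168.1.1,192.168.1.5] excludes both. The function names, the SAMPLE_ADDRESSES list and the CIDR support are the example's own assumptions.

```python
# Added example (not code from the FireSIGHT guide): evaluates a rule-header
# address field with the negation semantics described in the note above.
import ipaddress

# Constructed sample addresses used by the demonstration below.
SAMPLE_ADDRESSES = ["192.168.1.1", "192.168.1.5", "192.168.1.7", "10.0.0.1"]

def ip_term(term):
    """One list member: 'any', a host, or a CIDR block, optionally prefixed with '!'."""
    term = term.strip()
    negated = term.startswith("!")
    if negated:
        term = term[1:].strip()
    if term == "any":
        if negated:
            raise ValueError("'any' cannot be negated; it would match no address")
        return lambda addr: True
    net = ipaddress.ip_network(term, strict=False)   # a bare host becomes a /32
    in_net = lambda addr: ipaddress.ip_address(addr) in net
    return (lambda addr: not in_net(addr)) if negated else in_net

def ip_matcher(spec):
    """Compile an address field into a predicate addr -> bool.

    '![a,b]'  negates the whole list: an address matches only if it is in neither a nor b.
    '[!a,!b]' is a list of two negated members OR'd together: anything that is not a,
              or anything that is not b, which every address satisfies.
    """
    spec = spec.strip()
    negate_list = spec.startswith("![") and spec.endswith("]")
    if negate_list:
        spec = spec[1:]                      # drop the '!' that applies to the whole list
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]                    # brackets around a plain list are optional
    members = [ip_term(m) for m in spec.split(",") if m.strip()]
    if not members:
        raise ValueError("empty address list")
    in_list = lambda addr: any(m(addr) for m in members)
    return (lambda addr: not in_list(addr)) if negate_list else in_list

def matching_addresses(spec, candidates=SAMPLE_ADDRESSES):
    """Return the candidate addresses that the address field matches."""
    matches = ip_matcher(spec)
    return [a for a in candidates if matches(a)]

if __name__ == "__main__":
    for field in ("[!192.168.1.1,!192.168.1.5]", "![192.168.1.1,192.168.1.5]", "!192.168.1.0/24"):
        print(f"{field:30} matches {matching_addresses(field)}")
```

Running it shows the first field matching all four sample addresses and the second matching only 192.168.1.7 and 10.0.0.1, which is the difference the note is warning about; a rule author can paste any candidate address field into matching_addresses to check what it really covers before deploying the rule.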
Defining Ports in Intrusion Rules
License: Protection
Within the rule editor, you specify source and destination ports in the Source Port and Destination Port fields. See [cross-reference missing from the source] for more information about the procedures you use to build a rule header using the rule editor.
The FireSIGHT System uses a specific type of syntax to define the port numbers used in rule headers.
Note: The system ignores port definitions in an intrusion rule header when the protocol is set to ip. For more information, see [cross-reference missing from the source].
You can list ports by separating the ports with commas, as shown in the following example:
80, 8080, 8138, 8600-9000, !8650-8675
Optionally, the following example shows how you can surround a port list with brackets, which was required in previous software versions but is no longer required:
[80, 8080, 8138, 8600-9000, !8650-8675]
Note that you must surround negated port lists in brackets, as shown in the following example:
![20, 22, 23]
Note also that a list of source or destination ports in an intrusion rule can include a maximum of 64 characters.
The following table summarizes the syntax you can use:

Table 32-3  Source/Destination Port Syntax

To Specify...                                        Use                                                          Example
any port                                             any                                                          any
a specific port                                      the port number                                              80
a range of ports                                     a dash between the first and last port number in the range   80-443
all ports less than or equal to a specific port      a dash before the port number                                -21
all ports greater than or equal to a specific port   a dash after the port number                                 80-
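As an added example that is not code from the FireSIGHT guide or from Cisco, the following Python function expands a Source Port or Destination Port value written in the syntax of Table 32-3 and the list forms shown above (comma lists, optional brackets, a negated bracketed list, the 64-character limit) into the set of ports it matches. Two points are assumptions of the example rather than statements from the page: ports run from 0 to 65535, and a negated member inside a list, such as the !8650-8675 in the guide's own example, removes those ports from the list (a list made only of negated members starts from all ports). The function names are the example's own.

```python
# Added example (not code from the FireSIGHT guide): expands a rule-header port
# field written in the Table 32-3 syntax into the set of ports it matches.
# Assumptions not stated on the page: ports run 0..65535, and a negated member
# inside a list removes those ports from the list.

MAX_PORT_LIST_CHARS = 64            # limit stated in the guide
ALL_PORTS = frozenset(range(65536))

def port_range(term):
    """One Table 32-3 term -> inclusive (low, high): N, A-B, -N (<= N) or N- (>= N)."""
    term = term.strip()
    if "-" in term:
        lo, hi = term.split("-", 1)
        lo = int(lo) if lo else 0          # '-21' -> 0..21
        hi = int(hi) if hi else 65535      # '80-' -> 80..65535
    else:
        lo = hi = int(term)                # '80'  -> 80..80
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port term: {term!r}")
    return lo, hi

def port_set(spec):
    """Return the set of ports that a Source Port / Destination Port value matches."""
    spec = spec.strip()
    if len(spec) > MAX_PORT_LIST_CHARS:
        raise ValueError("a port list may contain at most 64 characters")
    negate_list = False
    if spec.startswith("!") and spec[1:].lstrip().startswith("["):
        negate_list = True                 # '![20, 22, 23]' negates the whole list
        spec = spec[1:].lstrip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]                  # brackets around a plain list are optional
    if spec.strip() == "any":
        if negate_list:
            raise ValueError("'any' cannot be negated; it would match no port")
        return set(ALL_PORTS)
    included, excluded = set(), set()
    for member in (m.strip() for m in spec.split(",") if m.strip()):
        if member.startswith("!"):         # assumption: negated member is subtracted
            lo, hi = port_range(member[1:])
            excluded.update(range(lo, hi + 1))
        else:
            lo, hi = port_range(member)
            included.update(range(lo, hi + 1))
    if not included and excluded:
        included = set(ALL_PORTS)          # '!20' alone means every port except 20
    result = included - excluded
    return set(ALL_PORTS) - result if negate_list else result

if __name__ == "__main__":
    for field in ("80", "80-443", "-21", "80-",
                  "80, 8080, 8138, 8600-9000, !8650-8675", "![20, 22, 23]"):
        ports = port_set(field)
        print(f"{field!r:42} -> {len(ports):5} ports, first {sorted(ports)[:4]}")
```

Expanding the guide's example list gives 378 ports: 80, 8080, 8138 and 8600 through 9000 with 8650 through 8675 cut out, which is a quick way to confirm that a negated range inside a list did what the author intended before the rule goes live.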