Cisco Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
See for information on using the config response command to configure the active response interface to use and the number of TCP resets to attempt in a passive deployment.

To specify active responses:
Access: Admin/Intrusion Admin
Step 1 On the Create Rule page, select resp in the drop-down list and click Add Option.
The resp keyword appears.
Step 2 Specify any of the arguments in the table in the resp field; use a comma-separated list to specify multiple arguments.

Sending an HTML Page Before a TCP Reset
License: Protection
You can use the react keyword to send a default HTML page to the TCP connection client when a packet triggers the rule; after sending the HTML page, the system uses TCP reset packets to initiate active responses to both ends of the connection. The react keyword does not trigger active responses for UDP traffic.
Optionally, you can specify the following argument:
msg
When a packet triggers a react rule that uses the msg argument, the HTML page includes the rule event message. See for a description of the event message field.
If you do not specify the msg argument, the HTML page includes the following message:
You are attempting to access a forbidden site.
Consult your system administrator for details.
Note: Because active responses can be routed back, ensure that the HTML response page does not trigger a react rule; this could result in an unending sequence of active responses. Cisco recommends that you test react rules extensively before activating them in a production environment.
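
The loop described in the note can be checked for before a rule is activated. The following Python lint is an added example, not part of the Cisco guide or product: it assumes rules are available in standard Snort text form, its function names and sample rules are constructed, and it compares only the message text the guide says the page includes, not the rest of the page's HTML.

```python
import re

# Default text the guide says the page carries when react has no msg argument.
DEFAULT_PAGE = ("You are attempting to access a forbidden site. "
                "Consult your system administrator for details.")
# A keyword, then an optional ":" argument that may contain quoted strings.
OPTION = re.compile(r'(\w+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')

def parse_rule(rule):
    """Split one text-form rule into (protocol, [(keyword, argument), ...])."""
    head, _, body = rule.partition("(")
    fields = head.split()
    proto = fields[1].lower() if len(fields) > 1 else ""
    body = body.rsplit(")", 1)[0]
    return proto, [(k.lower(), v.strip()) for k, v in OPTION.findall(body)]

def lint_react(rule):
    """Return warnings for a react rule; an empty list means none were found."""
    proto, opts = parse_rule(rule)
    react = [v for k, v in opts if k == "react"]
    if not react:
        return []
    warnings = []
    if proto == "udp":
        warnings.append("react does not trigger active responses for UDP traffic")
    # Work out which message the HTML page will carry for this rule.
    rule_msg = next((v.strip('"') for k, v in opts if k == "msg"), "")
    uses_msg = "msg" in [a.strip() for a in react[0].split(",")]
    page = rule_msg if uses_msg and rule_msg else DEFAULT_PAGE
    for k, v in opts:
        # Negated and hex-encoded patterns are skipped; they need a real decoder.
        if k != "content" or v.startswith("!") or "|" in v:
            continue
        pattern = v.strip('"')
        # Case-insensitive on purpose: over-reporting is the safe direction.
        if pattern and pattern.lower() in page.lower():
            warnings.append(f'content "{pattern}" also matches the response page text')
    return warnings

# Constructed sample rule (not from the guide): its content matches its own msg.
SAMPLE = ('alert tcp any any -> any 80 (msg:"Forbidden site access"; '
          'content:"forbidden site"; nocase; react:msg; sid:1000001;)')

if __name__ == "__main__":
    for warning in lint_react(SAMPLE):
        print(warning)
```

A clean result from this lint does not replace the testing the note recommends, because it does not model rule direction, ports, or the page's surrounding HTML.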
See for information on using the config response command to configure the active response interface to use and the number of TCP resets to attempt in a passive deployment.

To send an HTML page before initiating an active response:
Access: Admin/Intrusion Admin
Step 1 On the Create Rule page, select react in the drop-down list and click Add Option.
The react keyword appears.
Step 2 You have two choices:
• To send an HTML page that includes the event message configured for the rule to the client before closing a connection, type msg in the react field.