Cisco Cisco FirePOWER Appliance 7010
FireSIGHT System User Guide
Chapter 5 Managing Reusable Objects
• Use Shift and Ctrl keys to select multiple individual applications. Right-click to Select All currently displayed individual applications.
• To refresh the applications list and clear any selected applications, click the reload icon.
You cannot select individual applications and All apps matching the filter at the same time.
Step 7 Add the selected applications to the filter. You can click and drag, or you can click Add to Rule.
The result is the combination of:
• the selected Application Filters
• either the selected individual Available Applications, or All apps matching the filter
You can add up to 50 applications and filters to the filter. To delete an application or filter from the selected applications, click the appropriate delete icon. You can also select one or more applications and filters, or right-click to Select All, then right-click to Delete Selected.
Step 8 Click Save.
The application filter is saved.
Working with Variable Sets
License: Protection
Variables represent values commonly used in intrusion rules to identify source and destination IP addresses and ports. You can also use variables in intrusion policies to represent IP addresses in rule suppressions, adaptive profiles, and dynamic rule states.
Tip: Preprocessor rules can trigger events regardless of the hosts defined by network variables used in intrusion rules.
You use variable sets to manage, customize, and group your variables. You can use the default variable set provided by Cisco or create your own custom sets. Within any set you can modify predefined default variables and add and modify user-defined variables.
Most of the shared object rules and standard text rules that the FireSIGHT System provides use predefined default variables to define networks and port numbers. For example, the majority of the rules use the variable $HOME_NET to specify the protected network and the variable $EXTERNAL_NET to specify the unprotected (or outside) network. In addition, specialized rules often use other predefined variables. For example, rules that detect exploits against web servers use the $HTTP_SERVERS and $HTTP_PORTS variables.
Rules are more effective when variables more accurately reflect your network environment. At a minimum, you should modify default variables in the default set as described in . By ensuring that a variable such as $HOME_NET correctly defines your network and $HTTP_SERVERS includes all web servers on your network, processing is optimized and all relevant systems are monitored for suspicious activity.
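The following added example (not from the Cisco guide or product) shows why variable accuracy matters: it expands the variables in a rule header and audits a variable set against a web server inventory. The variable values, the inventory, the Snort-style rule header, and the function names are constructed assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample variable set; these values are not Cisco defaults.
VARIABLE_SET = {
    "HOME_NET": "[10.1.0.0/16,192.168.10.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "[10.1.20.5,10.1.20.6,172.16.5.10]",
    "HTTP_PORTS": "[80,8080]",
}
# Constructed rule header in Snort-style text rule syntax (assumption).
RULE = "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS"
# Constructed inventory of web servers actually deployed.
INVENTORY = ["10.1.20.5", "10.1.20.6", "10.1.30.9"]

def expand(text, variables, depth=0):
    """Replace $NAME references recursively; fail on unknown names or cycles."""
    if depth > 10:
        raise ValueError("variable reference cycle")
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"undefined variable ${name}")
        return expand(variables[name], variables, depth + 1)
    return re.sub(r"\$([A-Z_][A-Z0-9_]*)", sub, text)

def networks(value):
    """Parse a bracketed, non-negated list of addresses or CIDR blocks."""
    items = value.strip("[]").split(",")
    return [ipaddress.ip_network(i.strip(), strict=False) for i in items if i.strip()]

def audit(variables, web_servers):
    """Return (servers missing from $HTTP_SERVERS, entries outside $HOME_NET)."""
    home = networks(expand(variables["HOME_NET"], variables))
    http = networks(expand(variables["HTTP_SERVERS"], variables))
    # Web servers that rules written against $HTTP_SERVERS would not cover.
    missing = [h for h in web_servers
               if not any(ipaddress.ip_address(h) in n for n in http)]
    # $HTTP_SERVERS entries that fall outside the protected network definition.
    outside = [str(n) for n in http if not any(n.subnet_of(h) for h in home)]
    return missing, outside

if __name__ == "__main__":
    print(expand(RULE, VARIABLE_SET))
    missing, outside = audit(VARIABLE_SET, INVENTORY)
    print("not in $HTTP_SERVERS:", missing)
    print("outside $HOME_NET:", outside)
```
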
To use your variables, you link variable sets to intrusion policies associated with access control rules or with the default action of an access control policy. By default, the default variable set is linked to all intrusion policies used by access control policies.
See the following sections for more information: