Cisco FirePOWER Appliance 7010
32-66
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
To specify GTP message types:
Access: Admin/Intrusion Admin
Step 1 On the Create Rule page, select gtp_type in the drop-down list and click Add Option.
The gtp_type keyword appears.
Step 2 Specify a defined decimal value 0 to 255 for the message type, a defined string, or a comma-separated list of either or both in any combination. See the GTP Message Types table for the values and strings recognized by the system.
gtp_info
A GTP message can include multiple information elements, each of which is identified by both a defined numeric value and a defined string. You can use the gtp_info keyword in combination with the gtp_version keyword to start inspection at the beginning of a specified information element and restrict inspection to the specified information element.
You can specify either the defined decimal value or the defined string for an information element. You can specify a single value or string, and you can use multiple gtp_info keywords in a rule to inspect multiple information elements.
When a message includes multiple information elements of the same type, all are inspected for a match. When information elements occur in an invalid order, only the last instance is inspected.
Note that different GTP versions sometimes use different values for the same information element. For example, the cause information element has a value of 1 in GTPv0 and GTPv1, but a value of 2 in GTPv2.
The gtp_info keyword matches different values depending on the version number in the packet. In the example above, the keyword matches the information element value 1 in a GTPv0 or GTPv1 packet and the value 2 in a GTPv2 packet. The keyword does not match a packet when the information element value in the packet is not a known value for the version specified in the packet.
If you specify an integer for the information element, the keyword matches if the message type in the keyword matches the value in the GTP packet, regardless of the version specified in the packet.
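The version-dependent matching described for gtp_info and gtp_type can be modelled in a few lines. The following is an added illustration, not code from the FireSIGHT guide or from Snort; the lookup tables are constructed from the cause example above and from the tail of Table 32-40, and the function and table names are assumptions.

```python
# Added example: how a gtp_type / gtp_info argument resolves against a packet's
# GTP version. Tuples are (GTPv0, GTPv1, GTPv2) values; None stands for N/A.
MESSAGE_TYPES = {  # constructed from Table 32-40 (values 232 to 255)
    "mbms_session_start_response":  (None, None, 232),
    "mbms_session_update_request":  (None, None, 233),
    "mbms_session_update_response": (None, None, 234),
    "mbms_session_stop_request":    (None, None, 235),
    "mbms_session_stop_response":   (None, None, 236),
    "data_record_transfer_request":  (240, 240, None),
    "data_record_transfer_response": (241, 241, None),
    "end_marker": (None, 254, None),
    "pdu":        (255, 255, None),
}
INFO_ELEMENTS = {"cause": (1, 1, 2)}  # constructed from the example in the text


def resolve(arg, table, version):
    """Value an argument denotes for one GTP version (0, 1 or 2).
    Integers are literal and version-independent; strings go through the
    per-version table, and a string that is N/A for that version gives None."""
    if version not in (0, 1, 2):
        raise ValueError(f"unsupported GTP version: {version}")
    if isinstance(arg, int):
        return arg if 0 <= arg <= 255 else None
    row = table.get(arg)
    return None if row is None else row[version]


def parse_args(spec, table):
    """Parse a comma-separated argument such as '240,pdu' into ints and strings."""
    out = []
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        if tok.isdigit():
            out.append(int(tok))
        elif tok in table:
            out.append(tok)
        else:
            raise ValueError(f"unknown GTP keyword argument: {tok}")
    return out


def gtp_type_matches(spec, version, message_type):
    """True if any listed gtp_type argument equals the packet's message type."""
    return any(resolve(a, MESSAGE_TYPES, version) == message_type
               for a in parse_args(spec, MESSAGE_TYPES))


def gtp_info_matches(spec, version, ie_values):
    """True if the single gtp_info argument matches any information element in
    the packet; all elements of the same type are inspected, so one hit suffices."""
    (arg,) = parse_args(spec, INFO_ELEMENTS)
    want = resolve(arg, INFO_ELEMENTS, version)
    return want is not None and want in ie_values
```

The string form follows the packet's version (cause is 1 in GTPv0/v1 and 2 in GTPv2), while the integer form compares the raw value whatever the version, which is why a rule written with "1" would fire on a GTPv2 packet where 1 is not the cause element.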
Table 32-40 GTP Message Types (continued)

Value  Version 0                      Version 1                      Version 2
232    N/A                            N/A                            mbms_session_start_response
233    N/A                            N/A                            mbms_session_update_request
234    N/A                            N/A                            mbms_session_update_response
235    N/A                            N/A                            mbms_session_stop_request
236    N/A                            N/A                            mbms_session_stop_response
240    data_record_transfer_request   data_record_transfer_request   N/A
241    data_record_transfer_response  data_record_transfer_response  N/A
254    N/A                            end_marker                     N/A
255    pdu                            pdu                            N/A