Cisco FirePOWER Appliance 7010
32-107
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Filtering Rules on the Rule Editor Page
You can enclose character strings in quotes to return exact matches. For example, the literal string "overflow attempt" in quotes returns only rules containing that exact string, whereas a filter made up of the two strings overflow and attempt without quotes returns "overflow attempt", "overflow multipacket attempt", "overflow with evasion attempt", and so on, because each unquoted string only has to appear somewhere in the rule.
Combining Keywords and Character Strings in a Rule Filter
License: Protection
You can narrow filter results by entering any combination of keywords, character strings, or both,
separated by spaces. The result includes any rule that matches all the filter conditions.
You can enter multiple filter conditions in any order. For example, each of the following filters returns
the same rules:
• url:at login attempt cve:200
• login attempt cve:200 url:at
• login cve:200 attempt url:at
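The following Python is an added illustration of the filter grammar described above; it is not Cisco code and is not how the FireSIGHT Rule Editor is implemented. It assumes that bare words and quoted phrases match case-insensitively as substrings of the rule message, that keyword terms such as cve: and url: match substrings of the rule's references of that kind, and that every term must match (AND), which is why term order is irrelevant. The rule records are constructed sample data, not real Snort rules.

```python
"""Toy model of the Rule Editor filter grammar (added example, not Cisco code).

Assumptions, none of which the product documentation states:
  - bare words and quoted phrases match case-insensitively as substrings of
    the rule message only;
  - keyword terms (cve:, url:) match substrings of the rule's references of
    that kind;
  - every term must match (logical AND), so term order never matters.
"""
import re

# Keyword prefixes recognised by this model (an assumed subset of the product's).
KEYWORDS = {"cve", "url"}

# Constructed sample rules; message text and references are invented.
RULES = [
    {"sid": 1, "msg": "WEB-MISC overflow attempt",
     "refs": {"cve": ["2005-0001"], "url": ["example.test/overflow"]}},
    {"sid": 2, "msg": "WEB-MISC overflow multipacket attempt",
     "refs": {"cve": ["2005-0002"], "url": ["example.test/overflow"]}},
    {"sid": 3, "msg": "WEB-MISC overflow with evasion attempt",
     "refs": {"cve": ["2005-0003"], "url": ["example.test/evasion"]}},
    {"sid": 4, "msg": "FTP login attempt",
     "refs": {"cve": ["2003-0004"], "url": ["example.test/at/login"]}},
    {"sid": 5, "msg": "SSH login attempt",
     "refs": {"cve": ["2001-0005"], "url": ["example.test/ssh"]}},
    {"sid": 6, "msg": "Telnet login attempt",
     "refs": {"cve": ["1999-0006"], "url": ["example.test/at/telnet"]}},
]

# A term is either a double-quoted phrase (group 1) or a run of non-space
# characters (group 2).
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_filter(text):
    """Split a filter string into (kind, value) terms.

    kind is "phrase" for a quoted string, "word" for a bare string, or the
    keyword name for a keyword:value term. Values are lower-cased.
    """
    terms = []
    for m in _TOKEN.finditer(text):
        if m.group(1) is not None:
            terms.append(("phrase", m.group(1).lower()))
            continue
        token = m.group(2)
        name, sep, value = token.partition(":")
        if sep and value and name.lower() in KEYWORDS:
            terms.append((name.lower(), value.lower()))
        else:
            terms.append(("word", token.lower()))
    return terms


def rule_matches(rule, terms):
    """True only if every term matches the rule (AND semantics)."""
    msg = rule["msg"].lower()
    for kind, value in terms:
        if kind in ("phrase", "word"):
            if value not in msg:
                return False
        else:
            refs = rule["refs"].get(kind, [])
            if not any(value in ref.lower() for ref in refs):
                return False
    return True


def filter_rules(text, rules=RULES):
    """Return the SIDs of rules matching the filter, in rule order."""
    terms = parse_filter(text)
    return [r["sid"] for r in rules if rule_matches(r, terms)]


if __name__ == "__main__":
    for f in ['"overflow attempt"', "overflow attempt",
              "url:at login attempt cve:200", "login cve:200 attempt url:at"]:
        print(f"{f!r:40} -> {filter_rules(f)}")
```

Against the sample set, the quoted filter returns only SID 1, the unquoted pair returns SIDs 1, 2 and 3, and all three orderings of the keyword filter return the same single SID, which is the behaviour the text describes.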
Filtering Rules
License: Protection
You can filter the rules on the Rule Editor page to display a subset of rules so you can more easily find
specific rules. You can then use any of the page features, including selecting any of the features available
in the context menu.
To filter for specific rules:
Access: Admin/Intrusion Admin
Step 1 Select Policies > Intrusion > Rule Editor.
The Rule Editor page appears.
Rule filtering can be particularly useful on the Rule Editor page when you want to locate a rule to edit it. See
for more information.
Step 2 Optionally, select a different grouping method from the Group Rules By list.
Tip Filtering may take significantly longer when the combined total of rules in all sub-groups is large, because rules appear in multiple categories, even when the total number of unique rules is much smaller.
Step 3 Optionally, click the folder next to any group that you want to expand.
The folder expands to show the rules in that group. Note that some rule groups have sub-groups that you can also expand.
Note also that expanding a group on the original, unfiltered page can be useful when you expect that a rule might be in that group. The group remains expanded when the subsequent filter results in a match in that folder, and when you return to the original, unfiltered page by clicking on the filter clearing icon.
Step 4 To activate the filter text box, click to the right of the filter icon that is inside the text box at the upper left of the rule list.