Cisco FirePOWER Appliance 8390
32-61
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
A three-digit status code in each SIP response indicates the outcome of the requested action. You can use the sip_stat_code keyword to test SIP responses for specific status codes.
You can specify a one-digit response-type number 1-9, a specific three-digit number 100-999, or a comma-separated list of any combination of either. A list matches if any single number in the list matches the code in the SIP response.
Table 32-39 describes the sip_stat_code values you can specify.
Note that the SIP preprocessor must be enabled to allow processing of rules using the sip_stat_code keyword. When the SIP preprocessor is disabled and you enable rules that use this keyword, you are prompted whether to enable the preprocessor when you save the policy. See
Note also that the rules engine does not use the fast pattern matcher to search for the value specified using the sip_stat_code keyword, regardless of whether your rule includes a content keyword.
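As an added example (not part of the Cisco guide), the following Python models the argument syntax and matching semantics of sip_stat_code described above: a single digit 1-9 matches a response class, a three-digit value 100-999 matches one code, and a comma-separated list matches if any element matches. It then runs three constructed rules over constructed SIP messages. The SIDs, the SIP messages and all function names are assumptions made for illustration, not FireSIGHT internals.

```python
import re

# First line of a SIP response: "SIP/2.0 <3-digit code> <reason phrase>".
# Requests start with a method name instead, so they never carry a status code.
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3})(?:\s|$)")


def parse_stat_code_arg(arg):
    """Validate a sip_stat_code argument and return its elements as ints.

    Accepts a single digit 1-9, a three-digit code 100-999, or a
    comma-separated list of either, as described in the guide.
    Anything else (two-digit values, 0, 1000, non-numeric text) is rejected.
    """
    values = []
    for item in arg.split(","):
        item = item.strip()
        if not item.isdigit():
            raise ValueError(f"non-numeric sip_stat_code element: {item!r}")
        n = int(item)
        if len(item) == 1 and 1 <= n <= 9:
            values.append(n)
        elif len(item) == 3 and 100 <= n <= 999:
            values.append(n)
        else:
            raise ValueError(f"sip_stat_code element out of range: {item!r}")
    return values


def is_valid_stat_code_arg(arg):
    """True if the argument would be accepted by parse_stat_code_arg."""
    try:
        parse_stat_code_arg(arg)
        return True
    except ValueError:
        return False


def extract_status_code(message):
    """Return the status code of a SIP response, or None for a SIP request."""
    first_line = message.split("\r\n", 1)[0]
    m = STATUS_LINE.match(first_line)
    return int(m.group(1)) if m else None


def sip_stat_code_matches(arg, message):
    """Apply one sip_stat_code argument to one SIP message.

    A one-digit element matches when it equals the hundreds digit of the
    response code (1 -> 1xx); a three-digit element matches exactly.
    """
    code = extract_status_code(message)
    if code is None:
        return False  # requests carry no status code, so the keyword cannot match
    for v in parse_stat_code_arg(arg):
        if v < 10:
            if code // 100 == v:
                return True
        elif code == v:
            return True
    return False


# Constructed rules: SID -> sip_stat_code argument (SIDs are hypothetical).
SAMPLE_RULES = {
    1000001: "401,407",  # authentication challenges
    1000002: "5",        # any 5xx server error
    1000003: "222, 3",   # the guide's own list example
}


def matching_sids(message):
    """Return the SIDs of all constructed rules whose sip_stat_code matches."""
    return sorted(sid for sid, arg in SAMPLE_RULES.items()
                  if sip_stat_code_matches(arg, message))


# Constructed SIP traffic (not captured data).
RINGING = "SIP/2.0 180 Ringing\r\nVia: SIP/2.0/UDP 192.0.2.10:5060\r\nCSeq: 1 INVITE\r\n\r\n"
MOVED = "SIP/2.0 302 Moved Temporarily\r\nContact: <sip:bob@192.0.2.20>\r\n\r\n"
UNAUTH = "SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest realm=\"example.com\"\r\n\r\n"
UNAVAIL = "SIP/2.0 503 Service Unavailable\r\n\r\n"
INVITE = "INVITE sip:bob@example.com SIP/2.0\r\nCSeq: 1 INVITE\r\n\r\n"

if __name__ == "__main__":
    for name, msg in [("RINGING", RINGING), ("MOVED", MOVED), ("UNAUTH", UNAUTH),
                      ("UNAVAIL", UNAVAIL), ("INVITE", INVITE)]:
        print(f"{name:8s} code={extract_status_code(msg)} sids={matching_sids(msg)}")
```

Because the rules engine does not hand sip_stat_code values to the fast pattern matcher, a real rule should still carry a selective content match where possible so that the engine can discard most traffic before evaluating the status code; the model above only shows the keyword's own matching semantics.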
GTP Keywords
License:
Protection
Three GPRS Tunneling Protocol (GTP) keywords allow you to inspect the GTP command channel for GTP version, message type, and information elements. You cannot use GTP keywords in combination with other intrusion rule keywords such as content or byte_jump. You must use the gtp_version keyword in each rule that uses the gtp_info or gtp_type keyword.
The GTP preprocessor must be enabled to allow processing of rules using GTP keywords. When the GTP preprocessor is disabled and you enable rules that use these keywords, you are prompted whether to enable the preprocessor when you save the policy. See
See the following sections for more information:
•
•
•
gtp_version
You can use the gtp_version keyword to inspect GTP control messages for GTP version 0, 1, or 2. Because different GTP versions define different message types and information elements, you must use this keyword when you use the gtp_type or gtp_info keyword. You can specify the value 0, 1, or 2.
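The GTP constraints stated above (no content or byte_jump alongside GTP keywords, gtp_version required whenever gtp_type or gtp_info is used, and a version of 0, 1, or 2) are easy to get wrong when rules are edited by hand. As an added example that is not part of the Cisco guide, the following Python parses the option body of a rule and reports which of those constraints a rule violates. The rule text, SIDs and message type numbers are constructed for illustration; the option parser handles the common keyword:"value"; form and is not a full Snort rule parser.

```python
import re

GTP_KEYWORDS = {"gtp_version", "gtp_type", "gtp_info"}
# The guide names content and byte_jump as examples of keywords that cannot be
# combined with GTP keywords; this list is therefore not exhaustive (assumption).
INCOMPATIBLE = {"content", "byte_jump"}
VALID_GTP_VERSIONS = {"0", "1", "2"}

# One rule option: keyword, optional ":argument" (quoted strings may contain ';'), then ';'.
OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*((?:"[^"]*"|[^;"])*))?;')


def parse_rule_options(rule):
    """Return (keyword, argument) pairs from the parenthesised part of a rule."""
    body = rule[rule.index("(") + 1:rule.rindex(")")].strip()
    opts = []
    pos = 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError(f"cannot parse rule options at: {body[pos:pos + 20]!r}")
        keyword, arg = m.group(1), m.group(2)
        opts.append((keyword, arg.strip() if arg is not None else None))
        pos = m.end()
    return opts


def check_gtp_rule(rule):
    """Return a list of constraint violations; an empty list means the rule is acceptable.

    Only rules that use at least one GTP keyword are checked; other rules
    are outside the scope of the constraints described in the guide.
    """
    opts = parse_rule_options(rule)
    keywords = [kw for kw, _ in opts]
    if not GTP_KEYWORDS.intersection(keywords):
        return []
    problems = []
    for kw in sorted(INCOMPATIBLE.intersection(keywords)):
        problems.append(f"{kw} cannot be combined with GTP keywords")
    if ("gtp_type" in keywords or "gtp_info" in keywords) and "gtp_version" not in keywords:
        problems.append("gtp_type/gtp_info require gtp_version in the same rule")
    for kw, arg in opts:
        if kw == "gtp_version" and arg not in VALID_GTP_VERSIONS:
            problems.append(f"gtp_version must be 0, 1 or 2, got {arg!r}")
    return problems


# Constructed rules (hypothetical SIDs; message type 16 is used only as an illustrative value).
RULE_OK = ('alert udp any any -> any 2123 (msg:"GTPv1 control message type 16"; '
           'gtp_version:1; gtp_type:16; sid:1000010; rev:1;)')
RULE_NO_VERSION = ('alert udp any any -> any 2123 (msg:"missing gtp_version"; '
                   'gtp_type:16; sid:1000011; rev:1;)')
RULE_WITH_CONTENT = ('alert udp any any -> any 2123 (msg:"GTP keyword mixed with content"; '
                     'gtp_version:1; gtp_type:16; content:"|00 01|"; sid:1000012; rev:1;)')
RULE_BAD_VERSION = ('alert udp any any -> any 2123 (msg:"unsupported GTP version"; '
                    'gtp_version:3; gtp_type:16; sid:1000013; rev:1;)')
RULE_NOT_GTP = ('alert tcp any any -> any 80 (msg:"plain content rule"; '
                'content:"GET"; sid:1000014; rev:1;)')

if __name__ == "__main__":
    for rule in (RULE_OK, RULE_NO_VERSION, RULE_WITH_CONTENT, RULE_BAD_VERSION, RULE_NOT_GTP):
        print(rule.split('msg:"')[1].split('"')[0], "->", check_gtp_rule(rule) or "ok")
```

Run the check before importing a local rule file; a rule that fails it would either be rejected or would never match as intended once the GTP preprocessor hands decoded messages to the rules engine.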
Table 32-39  sip_stat_code Values

To detect...                                  Specify...                                        For example...  Detects...
a specific status code                        the three-digit status code                       189             189
any three-digit code that begins with a       the single digit                                  1               1xx; that is, 100, 101, 102, and so on
specified single digit
a list of values                              any comma-separated combination of specific       222, 3          222 plus 300, 301, 302, and so on
                                              codes and single digits