FireSIGHT System User Guide
Chapter 32: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
• To send an HTML page that includes the following default message to the client before closing a connection, leave the react field blank:

You are attempting to access a forbidden site.
Consult your system administrator for details
Setting the Active Response Reset Attempts and Interface

License: Protection
You can use the config response command to further configure the behavior of TCP resets initiated by resp and react rules. This command also affects the behavior of active responses initiated by drop rules; see for more information.

You use the config response command by inserting it on a separate line in the USER_CONF advanced variable. See for information on using a USER_CONF variable.
Caution: Do not use the USER_CONF advanced variable to configure an intrusion policy feature unless you are instructed to do so in the feature description or by Support. Conflicting or duplicate configurations will halt the system.
To specify active response reset attempts, the active response interface, or both:

Access: Admin/Intrusion Admin

Step 1 Depending on whether you want to specify only the number of active response attempts, only the active response interface, or both, insert a form of the config response command on a separate line in the USER_CONF advanced variable. You have the following choices:
• To specify only the number of active response attempts, insert the command:
config response: attempts att
For example:
config response: attempts 10

• To specify only the active response interface, insert the command:
config response: device dev
For example:
config response: device eth0

• To specify both the number of active response attempts and the active response interface, insert the command:
config response: attempts att, device dev
For example:
config response: attempts 10, device eth0
where:

att is the number, from 1 to 20, of attempts to land each TCP reset packet within the current connection window so that the receiving host accepts the packet. This sequence strafing is useful only in passive deployments; in inline deployments, the system inserts reset packets directly into the stream in place of the triggering packets. The system sends only 1 ICMP unreachable active response.

dev is an alternate interface where you want the system to send active responses in a passive deployment or insert active responses in an inline deployment.
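Because a conflicting or duplicate config response line in USER_CONF halts the system, it is worth checking the variable's contents against the documented grammar before committing an intrusion policy. The following Python checker is an added example written for this page; it is not Cisco code and does not talk to a FireSIGHT system. It implements only the three command forms shown above (attempts 1 to 20, an interface name, or both) and flags out-of-range attempts, unknown options and duplicate config response lines. The interface-name pattern, the treatment of `#` lines as comments, and the sample USER_CONF text are assumptions constructed for the example.

```python
import re

# Grammar taken from the documentation above (assumption: whitespace is flexible):
#   config response: attempts <att>
#   config response: device <dev>
#   config response: attempts <att>, device <dev>
CONFIG_RESPONSE_RE = re.compile(r"^\s*config\s+response\s*:\s*(?P<body>.+?)\s*$",
                                re.IGNORECASE)
ATTEMPTS_MIN, ATTEMPTS_MAX = 1, 20           # documented range for att
# Assumed shape of an interface name such as eth0 (not specified by the page).
DEVICE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.:-]{0,14}$")


def parse_config_response(line):
    """Parse one config response line into {'attempts': int|None, 'device': str|None}.

    Raises ValueError for anything outside the documented grammar, including
    an attempts value outside 1..20 or an option given twice on one line.
    """
    match = CONFIG_RESPONSE_RE.match(line)
    if not match:
        raise ValueError("not a config response line")
    result = {"attempts": None, "device": None}
    for part in match.group("body").split(","):
        tokens = part.split()
        if len(tokens) != 2:
            raise ValueError(f"malformed option {part.strip()!r}")
        key, value = tokens[0].lower(), tokens[1]
        if key == "attempts":
            if result["attempts"] is not None:
                raise ValueError("attempts given twice")
            if not value.isdigit() or not ATTEMPTS_MIN <= int(value) <= ATTEMPTS_MAX:
                raise ValueError(f"attempts must be {ATTEMPTS_MIN}..{ATTEMPTS_MAX}, got {value!r}")
            result["attempts"] = int(value)
        elif key == "device":
            if result["device"] is not None:
                raise ValueError("device given twice")
            if not DEVICE_RE.match(value):
                raise ValueError(f"invalid interface name {value!r}")
            result["device"] = value
        else:
            raise ValueError(f"unknown option {key!r}")
    return result


def check_user_conf(text):
    """Scan a USER_CONF blob and return (settings, problems).

    settings is the parsed config response dict when exactly one valid line is
    present and nothing else is wrong, otherwise None. problems lists every
    finding; more than one config response line is reported as a problem
    because duplicate or conflicting configurations halt the system.
    """
    found, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):     # assumption: '#' starts a comment
            continue
        if not line.lower().startswith("config response"):
            continue                             # other USER_CONF content is out of scope here
        try:
            found.append((lineno, parse_config_response(line)))
        except ValueError as err:
            problems.append(f"line {lineno}: {err}")
    if len(found) > 1:
        lines = ", ".join(str(n) for n, _ in found)
        problems.append(f"duplicate config response lines ({lines}); only one is allowed")
    settings = found[0][1] if len(found) == 1 and not problems else None
    return settings, problems


# Constructed sample USER_CONF contents (not from a real deployment).
SAMPLE_GOOD = "# passive sensor, strafe resets harder\nconfig response: attempts 10, device eth0\n"
SAMPLE_BAD = ("config response: attempts 25\n"          # out of the 1..20 range
              "config response: device eth0\n"
              "config response: attempts 5, device eth1\n")  # second line: duplicate


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        settings, problems = check_user_conf(sample)
        print(label, settings, problems)
```

Run it over the text you intend to paste into the USER_CONF advanced variable; a non-empty problems list means the variable should not be saved as-is.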