FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Cisco FirePOWER Appliance 8130, page 32-45
icmp_seq
The icmp_seq keyword inspects an ICMP echo request or reply packet's ICMP sequence number. Use a numeric value that corresponds with the ICMP sequence number as the argument for the icmp_seq keyword.
Inspecting the ICMP Message Type
License: Protection
Use the itype keyword to specify either a valid ICMP type value (see http://www.iana.org/assignments/icmp-parameters or http://www.faqs.org/rfcs/rfc792.html for a full list of ICMP type numbers) or an invalid ICMP type value to test for different types of traffic. For example, attackers may set ICMP type values out of range to cause denial of service and flooding attacks.
You can specify a range for the itype argument value using less than (<) and greater than (>). For example:
• <35
• >36
• 3<>55
Tip
See http://www.iana.org/assignments/icmp-parameters or http://www.faqs.org/rfcs/rfc792.html for a full list of ICMP type numbers.
Inspecting the ICMP Message Code
License: Protection
You can use the icode keyword to identify packets with specific ICMP code values. You can choose to specify either a valid ICMP code value or an invalid ICMP code value to test for different types of traffic.
You can specify a range for the icode argument value using less than (<) and greater than (>). For example:
• to find values less than 35, specify <35.
• to find values greater than 36, specify >36.
• to find values between 3 and 55, specify 3<>55.
Tip
You can use the icode and itype keywords together to identify traffic that matches both. For example, to identify ICMP traffic that carries an ICMP Destination Unreachable message type with a Port Unreachable code, specify an itype keyword with a value of 3 (for Destination Unreachable) and an icode keyword with a value of 3 (for Port Unreachable).
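As an added example that is not part of the Cisco guide, the following Python parses an ICMP header and evaluates itype, icode and icmp_seq arguments written in the range syntax above (N, <N, >N, N<>M), including the combined itype:3 / icode:3 case from the tip and a range that flags out-of-range type values. The sample headers are constructed, and N<>M is treated as excluding both endpoints (an assumption of this example).

```python
import re
import struct
from dataclasses import dataclass

@dataclass
class IcmpHeader:
    type: int   # ICMP message type (byte 0)
    code: int   # ICMP message code (byte 1)
    ident: int  # bytes 4-5: identifier for echo messages; "unused" for type 3
    seq: int    # bytes 6-7: sequence number for echo messages

def parse_icmp(payload: bytes) -> IcmpHeader:
    """Parse the 8-byte ICMP header (RFC 792): type, code, checksum, id, seq."""
    if len(payload) < 8:
        raise ValueError("ICMP header is 8 bytes long")
    msg_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", payload[:8])
    return IcmpHeader(msg_type, code, ident, seq)

# Argument forms: N (equal), <N, >N, N<>M (between N and M).
_ARG = re.compile(r"^(?:(?P<lo>\d+)<>(?P<hi>\d+)|<(?P<lt>\d+)|>(?P<gt>\d+)|(?P<eq>\d+))$")

def matches(arg: str, value: int) -> bool:
    """Evaluate one itype / icode / icmp_seq argument against a header field.
    N<>M is treated as excluding both endpoints (assumption of this example)."""
    m = _ARG.match(arg.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported argument: {arg!r}")
    if m["lo"] is not None:
        return int(m["lo"]) < value < int(m["hi"])
    if m["lt"] is not None:
        return value < int(m["lt"])
    if m["gt"] is not None:
        return value > int(m["gt"])
    return value == int(m["eq"])

def rule_matches(rule: dict, hdr: IcmpHeader) -> bool:
    """Every keyword in the rule must match: itype and icode combine with AND."""
    fields = {"itype": hdr.type, "icode": hdr.code, "icmp_seq": hdr.seq}
    return all(matches(arg, fields[kw]) for kw, arg in rule.items())

# Constructed sample headers (checksum field zeroed; not validated here).
PORT_UNREACHABLE = struct.pack("!BBHHH", 3, 3, 0, 0, 0)     # type 3, code 3
ECHO_REQUEST = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 7)    # type 8, seq 7
OUT_OF_RANGE_TYPE = struct.pack("!BBHHH", 200, 0, 0, 0, 0)  # invalid type value

# The combined rule from the tip above, plus a range rule for out-of-range types.
PORT_UNREACHABLE_RULE = {"itype": "3", "icode": "3"}
INVALID_TYPE_RULE = {"itype": ">40"}
```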