Cisco Cisco FirePOWER Appliance 8130
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Constructing a Rule
The Rule Editor page appears.
Step 2
Locate the rule you want to annotate. You have the following options:
• To locate a rule by browsing rule categories, navigate through the folders to the rule you want and click the edit icon next to the rule.
• To locate a rule by searching for it, enter the search criteria (most simply, the SID) for the rule you want and click Search. Click the rule returned by the search as appropriate. See for more information.
• To locate a rule by filtering the rules displayed on the page, enter a rule filter in the text box, which is indicated by the filter icon, at the upper left of the rule list. Navigate to the rule you want and click the edit icon next to the rule. See for more information.
The rule editor appears.
Step 3
Click Rule Comment.
The Rule Comment page appears.
Step 4
Enter your comment in the text box and click Add Comment.
The comment is saved in the comment text box.
Tip
You can also add and view rule comments in an intrusion event’s packet view. For more information, see
Deleting Custom Rules
License: Protection
You can delete custom rules that are not currently enabled in an intrusion policy. You cannot delete either standard text rules or shared object rules provided by Cisco.
The system stores deleted rules in the deleted category, and you can use a deleted rule as the basis for a new rule. See for information on editing rules.
The Rules page in an intrusion policy does not display the deleted category, so you cannot enable deleted custom rules.
Note that you can also delete all local rules on the Rule Updates page. See, for example,
.
See the following sections for more information:
• For information on creating custom rules, see
• For information on importing local rules, see
• For information on setting rule states, see
To delete custom rules:
Access: Admin/Intrusion Admin