Cisco Firepower Management Center 2000
FireSIGHT System User Guide, page 32-41
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
• author s to display all rules where you have used author for key and any terms such as SnortGuru or SnortUser1 or SnortUser2 for value.
Tip: When you search for both key and value, use the same connecting operator (equal to [=] or a space character) in searches that is used in the key value statement in the rule; searches return different results depending on whether you follow key with equal to (=) or a space character.
Note that regardless of the format you use to add metadata, the system interprets your metadata search term as all or part of a key value or key=value statement. For example, the following would be valid metadata that does not follow a key value or key=value format:
ab cd ef gh
However, the system would interpret each space in the example as a separator between a key and value. Thus, you could successfully locate a rule containing the example metadata using any of the following searches for juxtaposed and single terms:
cd ef
ef gh
ef
but you would not locate the rule using the following search, which the system would interpret as a single key value statement:
ab ef
For more information, see
Setting Impact Level 1
License: Protection
You can use the following reserved key value statement in a metadata keyword:
impact_flag red
This key value statement sets the impact flag to red (level 1) for a local rule you import or a custom rule you create using the rule editor.
Note that when the Cisco Vulnerability Research Team (VRT) includes the impact_flag red statement in a rule provided by Cisco, VRT has determined that a packet triggering the rule indicates that the source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software. See
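The two behaviours described above (the metadata search treating every space as a key/value separator, so that juxtaposed terms match but non-adjacent terms such as ab ef do not, and the reserved impact_flag red statement) are modelled in the following added example. This is not Cisco's code and does not reproduce the product's real search implementation: the rule text is constructed for illustration, and the matching rule (every single term and every pair of adjacent terms is a candidate statement, compared by case-insensitive prefix so that "author s" finds "author SnortGuru") is an assumption chosen to reproduce the outcomes the guide lists.

```python
"""Model of the FireSIGHT metadata search behaviour described in the guide.

Added example, not Cisco's code. The rule text is constructed, and the
matching rule (case-insensitive prefix match against each candidate key value
statement) is an assumption that reproduces the guide's stated outcomes.
"""
import re
from typing import List, Set

# Constructed Snort-style rule carrying the example metadata from the text.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"example rule"; '
        'metadata:author SnortGuru, impact_flag red, ab cd ef gh; '
        'sid:1000001; rev:1;)')


def metadata_option(rule: str) -> str:
    """Return the body of the rule's metadata keyword, or '' if it has none."""
    m = re.search(r'metadata:([^;]*);', rule)
    return m.group(1).strip() if m else ''


def statements(metadata: str) -> List[List[str]]:
    """Split the metadata body into comma-separated statements and tokenise
    each on spaces. An '=' connector stays inside its token, so
    'author=SnortGuru' is one token while 'author SnortGuru' is two; that is
    why the connector used in the search must match the one in the rule."""
    return [s.split() for s in metadata.split(',') if s.strip()]


def candidates(tokens: List[str]) -> Set[str]:
    """Every single term and every pair of adjacent terms is a key value
    statement a search term can be matched against. Non-adjacent terms such
    as 'ab ef' never form a candidate, which is why that search finds nothing."""
    out = set(tokens)
    for left, right in zip(tokens, tokens[1:]):
        out.add(f'{left} {right}')
    return out


def matches(search: str, metadata: str) -> bool:
    """True if the search term is all or part of some key value (or key=value)
    statement in the metadata. Assumption: 'part of' means a case-insensitive
    prefix, which is what lets 'author s' find 'author SnortGuru'."""
    needle = ' '.join(search.split()).lower()
    return any(cand.lower().startswith(needle)
               for toks in statements(metadata)
               for cand in candidates(toks))


def sets_impact_red(rule: str) -> bool:
    """True if the rule carries the reserved 'impact_flag red' statement,
    i.e. the rule will be flagged impact level 1 (red) when it fires."""
    return any(toks == ['impact_flag', 'red']
               for toks in statements(metadata_option(rule)))


if __name__ == '__main__':
    meta = metadata_option(RULE)
    for term in ('cd ef', 'ef gh', 'ef', 'ab ef', 'author s', 'author=s'):
        print(f'{term!r:12} -> {matches(term, meta)}')
    print('impact_flag red:', sets_impact_red(RULE))
```

Running the block prints True for cd ef, ef gh, ef and author s, and False for ab ef and author=s (the rule uses a space connector, not =), matching the outcomes the guide describes; the impact_flag check reports True for the constructed rule.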
Inspecting IP Header Values
License: Protection
You can use keywords to identify possible attacks or security policy violations in the IP headers of packets. See the following sections for more information: