FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Constructing a Rule
In a custom standard text rule, you set the rule header settings and the rule keywords and arguments.
Optionally, you can use the rule header settings to focus the rule to only match traffic using a specific
protocol and traveling to or from specific IP addresses or ports.
After you create a new rule, you can find it again quickly using the rule number, which has the format GID:SID:Rev. The rule number for all standard text rules starts with 1. The second part of the rule
number, the Snort ID (SID) number, indicates whether the rule is a local rule or a rule provided by Cisco.
When you create a new rule, the system assigns the rule the next available Snort ID number for a local
rule and saves the rule in the local rule category. Snort ID numbers for local rules start at 1,000,000
(although intrusion rules created on the secondary Defense Center in a high availability pair begin with
the number 1,000,000,000) and the SID for each new local rule is incremented by one. The last part of
the rule number is the revision number. For a new rule, the revision number is one. Each time you modify
a custom rule the revision number increments by one.
Note
The system assigns a new SID to any custom rule in an intrusion policy that you import. For more information, see .
To write a custom standard text rule using the rule editor:
Access: Admin/Intrusion Admin
Step 1 Select Policies > Intrusion > Rule Editor.
The Rule Editor page appears.
Step 2 Click Create Rule.
The Create Rule page appears.
Step 3 In the Message field, enter the message you want displayed with the event.
For details on event messages, see .
Tip
You must specify a rule message. Also, the message cannot consist of white space only, one or more
quotation marks only, one or more apostrophes only, or any combination of just white space, quotation
marks, or apostrophes.
Step 4 From the Classification list, select a classification to describe the type of event.
For details on available classifications, see .
Step 5 From the Action list, select the type of rule you would like to create. You can use one of the following:
• Select alert to create a rule that generates an event when traffic triggers the rule.
• Select pass to create a rule that ignores traffic that triggers the rule.
Step 6 From the Protocol list, select the traffic protocol (tcp, udp, icmp, or ip) of packets you want the rule to inspect.
For more information about selecting a protocol type, see .
Step 7 In the Source IPs field, enter the originating IP address or address block for traffic that should trigger the rule. In the Destination IPs field, enter the destination IP address or address block for traffic that should trigger the rule.
For more detailed information about the IP address syntax that the rule editor accepts, see
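The following Python script is an added example, not part of the FireSIGHT guide or any Cisco code. It models the numbering and header rules the steps above describe: a local rule category that hands out SIDs starting at 1,000,000 (or 1,000,000,000 on a secondary Defense Center), a revision counter that starts at 1 and increments on every edit, the message restriction from the Tip, and the alert/pass and tcp/udp/icmp/ip choices. The rendered Snort header syntax, the "any" port defaults, the classtype option name and the "misc-activity" classification used in the comments are assumptions for illustration, not values taken from this page.

```python
# Added example: a small model of how the rule editor assigns GID:SID:Rev
# numbers and assembles a standard text rule header. Snort rule syntax,
# "any" port defaults and the classtype option name are assumed here.
import re

LOCAL_SID_START = 1_000_000           # first local SID on the primary Defense Center
SECONDARY_SID_START = 1_000_000_000   # first local SID on the secondary DC of an HA pair
STANDARD_TEXT_GID = 1                 # all standard text rules start with GID 1
VALID_ACTIONS = {"alert", "pass"}
VALID_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# A message made only of white space, quotation marks or apostrophes is rejected.
_USELESS_MESSAGE = re.compile(r"^[\s\"']*$")


def message_is_valid(msg: str) -> bool:
    """True when the message satisfies the rule editor's Tip constraint."""
    return _USELESS_MESSAGE.match(msg) is None


def parse_rule_number(number: str) -> dict:
    """Split 'GID:SID:Rev' and classify the SID range as local or Cisco-provided."""
    gid, sid, rev = (int(part) for part in number.split(":"))
    if sid >= SECONDARY_SID_START:
        origin = "local (secondary Defense Center)"
    elif sid >= LOCAL_SID_START:
        origin = "local"
    else:
        origin = "Cisco-provided"
    return {"gid": gid, "sid": sid, "rev": rev, "origin": origin,
            "standard_text": gid == STANDARD_TEXT_GID}


class LocalRuleCategory:
    """Assigns the next free local SID on create and bumps rev on every modify."""

    def __init__(self, secondary: bool = False):
        self._next_sid = SECONDARY_SID_START if secondary else LOCAL_SID_START
        self.rules = {}

    def create(self, msg, classtype, action, protocol, src_ips, dst_ips,
               src_ports="any", dst_ports="any") -> str:
        if not message_is_valid(msg):
            raise ValueError("rule message must not be only white space, quotes or apostrophes")
        if action not in VALID_ACTIONS:
            raise ValueError(f"action must be one of {sorted(VALID_ACTIONS)}")
        if protocol not in VALID_PROTOCOLS:
            raise ValueError(f"protocol must be one of {sorted(VALID_PROTOCOLS)}")
        sid = self._next_sid
        self._next_sid += 1               # each new local rule gets the next SID
        self.rules[sid] = {"msg": msg, "classtype": classtype, "action": action,
                           "protocol": protocol, "src_ips": src_ips, "dst_ips": dst_ips,
                           "src_ports": src_ports, "dst_ports": dst_ports, "rev": 1}
        return f"{STANDARD_TEXT_GID}:{sid}:1"

    def modify(self, sid: int, **changes) -> str:
        """Apply edits to an existing local rule; the revision number increments by one."""
        rule = self.rules[sid]
        rule.update(changes)
        rule["rev"] += 1
        return f"{STANDARD_TEXT_GID}:{sid}:{rule['rev']}"

    def render(self, sid: int) -> str:
        """Render the rule header and options in assumed Snort text syntax."""
        r = self.rules[sid]
        return (f'{r["action"]} {r["protocol"]} {r["src_ips"]} {r["src_ports"]} -> '
                f'{r["dst_ips"]} {r["dst_ports"]} (msg:"{r["msg"]}"; '
                f'classtype:{r["classtype"]}; sid:{sid}; rev:{r["rev"]};)')


if __name__ == "__main__":
    category = LocalRuleCategory()
    # Constructed sample: an alert rule for traffic from a private block to anywhere.
    number = category.create("Constructed sample alert", "misc-activity",
                             "alert", "tcp", "10.0.0.0/8", "any")
    print(number, "->", parse_rule_number(number)["origin"])
    print(category.render(1_000_000))
    print(category.modify(1_000_000, msg="Edited sample alert"))
```

Running the script shows the first local rule numbered 1:1000000:1 and its number changing to 1:1000000:2 after one edit, which is the behaviour a practitioner should expect when tracking custom rules across policy changes.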