Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Filtering Rules in an Intrusion Policy

Understanding Rule Categories
License: Protection
The FireSIGHT System places rules in categories based on the type of traffic the rule detects. On the Rules page, you can filter by rule category so you can set a rule attribute for all rules in a category. For example, if you do not have Linux hosts on your network, you might filter by the os-linux category and then disable all the rules shown, which disables the entire os-linux category.
You can hover your pointer over a category name to display the number of rules in the category.
Note: The Cisco VRT may use the rule update mechanism to add and remove rule categories.
Editing a Rule Filter Directly
License: Protection
You can edit your filter to modify the special keywords and their arguments that are supplied when you click on a filter in the filter panel. Custom filters on the Rules page function like those used in the rule editor, but you can also use any of the keywords supplied in the Rules page filter, using the syntax displayed when you select the filter through the filter panel. To determine a keyword for future use, click on the appropriate argument in the filter panel on the right. The filter keyword and argument syntax appear in the filter text box.
To see lists of arguments for keywords which only support specific values, see . Remember that comma-separated multiple arguments for a keyword are only supported for the Category and Priority filter types.
You can use keywords and arguments, character strings, and literal character strings in quotes, with spaces separating multiple filter conditions. A filter cannot include regular expressions, wildcard characters, or any special operator such as a negation character (!), a greater-than symbol (>), a less-than symbol (<), and so on. When you type in search terms without a keyword, without initial capitalization of the keyword, or without quotes around the argument, the search is treated as a string search, and the category, message, and SID fields are searched for the specified terms.
All keywords, keyword arguments, and character strings are case-insensitive. Except for the gid and sid keywords, all arguments and strings are treated as partial strings. Arguments for gid and sid return only exact matches.
Each rule filter can include one or more keywords in the format:
Table 21-5 Rule Content Filters (continued)

To use this filter, click... | Then... | Result
Rule Overhead | Select the amount of rule overhead to filter by. | Finds rules with the selected rule overhead.
Metadata | Type the metadata key-value pair to filter by, separated by a space. For example, type metadata:"service http" to locate rules with metadata relating to the HTTP application protocol. | Finds rules with metadata containing the matching key-value pair.
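The filter rules above (keyword:argument terms, quoted arguments, bare string search over category, message and SID, exact matching for gid and sid, partial matching elsewhere, comma-separated lists only for Category and Priority, no operators or wildcards) are easy to misread in practice, especially the difference between sid:100 and a bare 100. The following Python matcher is an added example written for this page; it is not Cisco's code and does not reproduce the FireSIGHT implementation. It assumes lowercase keyword names category and priority for the Category and Priority filter types, that a keyword:argument token is recognised regardless of the keyword's capitalization (the page states keywords are case-insensitive), that a metadata argument is the quoted key value pair from Table 21-5, and that multiple space-separated conditions are ANDed, which the page does not state. The rule records are constructed sample data.

```python
"""Toy matcher for the Rules page filter syntax described on this page.

Added example, not FireSIGHT code. Assumptions: keyword names 'category'
and 'priority' for the Category/Priority filter types; keyword tokens are
matched case-insensitively; space-separated conditions are ANDed.
"""
import shlex

# Constructed sample rules (not real Cisco VRT rules).
RULES = [
    {"gid": 1, "sid": 100, "category": "os-linux", "priority": "high",
     "message": "OS-LINUX Linux kernel test",
     "metadata": {"service": "http"}},
    {"gid": 1, "sid": 1000, "category": "server-webapp", "priority": "medium",
     "message": "SERVER-WEBAPP test attempt",
     "metadata": {"service": "http", "policy": "balanced-ips"}},
    {"gid": 3, "sid": 100, "category": "policy-other", "priority": "low",
     "message": "POLICY-OTHER SO rule test",
     "metadata": {}},
]

EXACT = {"gid", "sid"}            # exact-match keywords (from the page)
MULTI = {"category", "priority"}  # only these accept comma-separated lists
KEYWORDS = EXACT | MULTI | {"metadata"}
FORBIDDEN = set("!<>*?")          # operators and wildcards are not allowed


def parse_filter(text):
    """Return a list of (keyword, argument) pairs; keyword is None for a
    bare string search. Raises ValueError on operator/wildcard characters."""
    if FORBIDDEN & set(text):
        raise ValueError("filters cannot contain operators or wildcards")
    terms = []
    for token in shlex.split(text):          # honours "quoted arguments"
        key, sep, arg = token.partition(":")
        key = key.lower()
        if sep and key in KEYWORDS:
            # A metadata argument must be a 'key value' pair; anything else
            # falls back to a plain string search, as the page describes.
            if key == "metadata" and len(arg.split()) != 2:
                terms.append((None, token.lower()))
            else:
                terms.append((key, arg.lower()))
        else:
            terms.append((None, token.lower()))
    return terms


def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def _match_term(rule, key, arg):
    if key is None:   # string search over category, message and SID
        haystack = [rule["category"], rule["message"], str(rule["sid"])]
        return any(arg in h.lower() for h in haystack)
    if key in EXACT:  # gid/sid: exact match only
        return str(rule[key]) == arg
    if key in MULTI:  # comma-separated alternatives, partial match each
        wanted = [a.strip() for a in arg.split(",") if a.strip()]
        return any(w in rule[key].lower() for w in wanted)
    if key == "metadata":  # partial match on both key and value
        mk_want, mv_want = arg.split()
        return any(mk_want in mk.lower() and mv_want in mv.lower()
                   for mk, mv in rule["metadata"].items())
    return False


def filter_rules(text, rules=RULES):
    """All rules satisfying every condition in the filter string."""
    terms = parse_filter(text)
    return [r for r in rules if all(_match_term(r, k, a) for k, a in terms)]


def sids(text, rules=RULES):
    """Convenience: (gid, sid) pairs of the matching rules."""
    return [(r["gid"], r["sid"]) for r in filter_rules(text, rules)]


if __name__ == "__main__":
    for f in ["sid:100", "100", "gid:1 sid:100",
              'metadata:"service http"', "category:os-linux,server-webapp"]:
        print(f"{f!r:36} -> {sids(f)}")
```

The contrast worth remembering is the first two filters: sid:100 returns only the two rules whose SID is exactly 100, while the bare term 100 also returns SID 1000 because an un-keyworded term is a partial string search across the category, message and SID fields. When disabling or enabling rules in bulk, use the gid: and sid: keywords rather than bare numbers.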