Cisco Cisco FirePOWER Appliance 8270
32-40
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Avoiding Reserved Metadata
License: Protection
Avoid using the following words in a metadata keyword, either as a single argument or as the key in a key value statement; these are reserved for use by the VRT:
• application
• engine
• impact_flag
• os
• policy
• rule-type
• rule-flushing
• soid
Note: Contact Support for assistance in adding restricted metadata to local rules that might not otherwise function as expected. See for more information.
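The following Python check flags local rules whose metadata keyword uses one of the reserved words listed above, either as a single argument or as a key. It is an added example, not code from the guide or from Cisco. It assumes one rule per line, no `metadata:` text inside quoted strings, and case-insensitive matching of the reserved words; the sample rules are constructed.

```python
import re

# Reserved words listed on this page (reserved for use by the VRT).
RESERVED = {"application", "engine", "impact_flag", "os", "policy",
            "rule-type", "rule-flushing", "soid"}

# Matches each metadata option in a rule's option list: metadata:<args>;
METADATA_RE = re.compile(r"\bmetadata\s*:\s*([^;]*);", re.IGNORECASE)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def metadata_entries(rule):
    """Return (key, value) pairs from every metadata option in one rule.
    A single-argument entry yields (argument, "")."""
    entries = []
    for args in METADATA_RE.findall(rule):
        for item in args.split(","):
            parts = item.split(None, 1)
            if parts:
                entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def reserved_metadata(rules_text):
    """Map sid (or line number when no sid is present) to the reserved words used.
    Assumption: reserved words are compared case-insensitively."""
    findings = {}
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hits = sorted({k.lower() for k, _ in metadata_entries(line) if k.lower() in RESERVED})
        if hits:
            m = SID_RE.search(line)
            findings[m.group(1) if m else f"line {lineno}"] = hits
    return findings


# Constructed sample local rules (not from the guide).
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert tcp any any -> any 80 (msg:"ok rule"; content:"abc"; metadata:author SnortGuru, service http; sid:1000001; rev:1;)
alert tcp any any -> any 21 (msg:"uses reserved key"; content:"USER"; metadata:policy balanced-ips drop, service ftp; sid:1000002; rev:1;)
alert tcp any any -> any 23 (msg:"single reserved arg"; content:"login"; metadata:engine; metadata:os linux; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    for sid, words in reserved_metadata(SAMPLE_RULES).items():
        print(f"{sid}: reserved metadata {', '.join(words)}")
```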
Searching for Rules with Metadata
License: Protection
To search for rules that use the metadata keyword, select the metadata keyword on the rules Search page and, optionally, type any portion of the metadata. For example, you can type:
• author to display all rules where you have used author for key.
• author snortguru to display all rules where you have used author for key and SnortGuru for value.
Table 32-21 service Values (continued)
Value         Description
finger        Finger user information protocol
ftp           File Transfer Protocol
ftp-data      File Transfer Protocol (Data Channel)
http          Hypertext Transfer Protocol
imap          Internet Message Access Protocol
isakmp        Internet Security Association and Key Management Protocol
netbios-dgm   NETBIOS Datagram Service
netbios-ns    NETBIOS Name Service
netbios-ssn   NETBIOS Session Service
nntp          Network News Transfer Protocol
oracle        Oracle Net Services
pop2          Post Office Protocol, version 2
pop3          Post Office Protocol, version 3
smtp          Simple Mail Transfer Protocol
ssh           Secure Shell network protocol
telnet        Telnet network protocol
tftp          Trivial File Transfer Protocol
x11           X Window System