FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Inspecting Fragments and Reserved Bits

License: Protection

The fragbits keyword inspects the fragment and reserved bits in the IP header. You can check each packet for the Reserved Bit, the More Fragments bit, and the Don't Fragment bit in any combination. To further refine a rule using the fragbits keyword, you can specify any operator described in the following table after the argument value in the rule.

For example, to generate an event against packets that have the Reserved Bit set (and possibly any other bits), use R+ as the fragbits value.
Inspecting the IP Header Identification Value

License: Protection

The id keyword tests the IP header fragment identification field against the value you specify in the keyword's argument. Some denial-of-service tools and scanners set this field to a specific number that is easy to detect. For example, in SID 630, which detects a Synscan portscan, the id value is set to 39426, the static value used as the ID number in packets transmitted by the scanner.

Note: id argument values must be numeric.
Identifying Specified IP Options

License: Protection

The IPopts keyword allows you to search packets for specified IP header options. The following table lists the available argument values.
Table 32-22  Fragbits Argument Values

  Argument   Description
  R          Reserved bit
  M          More Fragments bit
  D          Don't Fragment bit

Table 32-23  Fragbit Operators

  Operator               Description
  plus sign (+)          The packet must match against all specified bits.
  asterisk (*)           The packet can match against any of the specified bits.
  exclamation point (!)  The packet meets the criteria if none of the specified bits are set.
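As an added example (not code from the FireSIGHT guide or from Cisco), the following Python shows how the fragbits operators in Table 32-23 and the id keyword's numeric comparison apply to a raw IPv4 header: a constructed 20-byte header with the reserved bit set and identification 39426 is parsed and checked against arguments such as R+, RM* and !D. The header builder, its sample addresses and the function names are assumptions made for this example, and the no-operator case (exactly the listed bits and no others) follows Snort's behaviour, which this page does not describe.

```python
import struct

# Bit positions of R (reserved), D (don't fragment) and M (more fragments)
# in the 16-bit flags/fragment-offset word of the IPv4 header.
FRAG_BITS = {"R": 0x8000, "D": 0x4000, "M": 0x2000}

def build_ipv4_header(ident, flags_word):
    """Constructed sample: minimal 20-byte IPv4 header, TCP, checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, flags_word,
                       64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def parse_ipv4_header(raw):
    """Return (flag bits, identification) from a raw IPv4 header."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    _, _, _, ident, flags_frag = struct.unpack("!BBHHH", raw[:8])
    return flags_frag & 0xE000, ident      # mask off the 13-bit fragment offset

def fragbits_match(argument, flags_word):
    """Evaluate a fragbits argument such as 'R+', 'MD*' or '!D' against the flags."""
    arg = argument.strip().upper()
    op = ""
    if arg.startswith("!"):
        op, arg = "!", arg[1:]
    elif arg.endswith(("+", "*")):
        op, arg = arg[-1], arg[:-1]
    mask = 0
    for letter in arg:
        mask |= FRAG_BITS[letter]          # an unknown letter raises KeyError
    present = flags_word & mask
    if op == "+":                          # all specified bits set, others allowed
        return present == mask
    if op == "*":                          # any of the specified bits set
        return present != 0
    if op == "!":                          # none of the specified bits set
        return present == 0
    return flags_word == mask              # no operator: exactly these bits (Snort behaviour, assumed)

def id_match(expected, ident):
    """The id keyword is an exact numeric comparison with the identification field."""
    return ident == int(expected)

def rule_matches(raw, fragbits=None, ip_id=None):
    """Apply a rule's fragbits and/or id tests to one raw IPv4 header."""
    flags_word, ident = parse_ipv4_header(raw)
    if fragbits is not None and not fragbits_match(fragbits, flags_word):
        return False
    return ip_id is None or id_match(ip_id, ident)
```

For the SID 630 case above, rule_matches(build_ipv4_header(39426, 0x8000), ip_id=39426) is true, while the same header with a different identification value is not.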