Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Filtering Rules in an Intrusion Policy
Keyword:"argument"

where keyword is one of the keywords in the filter groups described in the table and argument is enclosed in double quotes and is a single, case-insensitive, alphanumeric string to search for in the specific field or fields relevant to the keyword. Note that keywords should be typed with initial capitalization.

Arguments for all keywords except gid and sid are treated as partial strings. For example, the argument 123 returns "12345", "41235", "45123", and so on. The arguments for gid and sid return only exact matches; for example, sid:3080 returns only SID 3080.
Each rule filter can also include one or more alphanumeric character strings. Character strings search the rule Message field, Signature ID, and Generator ID. For example, the string 123 returns the strings "Lotus123", "123mania", and so on in the rule message, and also returns SID 6123, SID 12375, and so on. For information on the rule Message field, see . For information on rule SIDs and GIDs, see . You can search for a partial SID by filtering with one or more character strings.
All character strings are case-insensitive and are treated as partial strings. For example, any of the strings ADMIN, admin, or Admin returns "admin", "CFADMIN", "Administrator", and so on.
You can enclose character strings in quotes to return exact matches. For example, the literal string "overflow attempt" in quotes returns only that exact string, whereas a filter comprised of the two strings overflow and attempt without quotes returns "overflow attempt", "overflow multipacket attempt", "overflow with evasion attempt", and so on.
You can narrow filter results by entering any combination of keywords, character strings, or both, separated by spaces. The result includes any rule that matches all the filter conditions.

You can enter multiple filter conditions in any order. For example, each of the following filters returns the same rules:

• url:at login attempt cve:200
• login attempt cve:200 url:at
• login cve:200 attempt url:at
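As an added illustration (not Cisco's code) of the filter grammar described above, the following Python models the documented matching rules over a small constructed rule set: keyword terms, exact matching for gid and sid, partial case-insensitive matching for every other keyword and for bare strings, quoted phrases kept as a single term, and AND-combination regardless of term order. The rule field names (msg, cve) and the treatment of a quoted string as a phrase match are assumptions.

```python
import re

# Constructed sample rule set (not Cisco data). Fields mirror the attributes the
# text names as filterable: GID, SID, the rule Message, plus a CVE reference.
RULES = [
    {"gid": 1, "sid": 3080,  "msg": "SERVER-OTHER overflow attempt",         "cve": ""},
    {"gid": 1, "sid": 6123,  "msg": "admin login attempt",                   "cve": "2001-0010"},
    {"gid": 1, "sid": 12375, "msg": "Lotus123 overflow multipacket attempt", "cve": ""},
    {"gid": 3, "sid": 30800, "msg": "CFADMIN overflow with evasion attempt", "cve": "2005-0100"},
]

EXACT_KEYWORDS = {"gid", "sid"}          # only these require an exact match
STRING_FIELDS = ("msg", "sid", "gid")    # bare strings search message, SID and GID

# One filter term: optional Keyword: prefix, then a quoted or an unquoted argument.
TERM_RE = re.compile(r'(?:(?P<kw>[A-Za-z]+):)?(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s"]+))')


def parse_filter(text):
    """Split a filter into (keyword or None, argument) terms.

    A quoted string stays one term, so "overflow attempt" is matched as a
    phrase (assumption); the same words unquoted become two independent terms."""
    return [(m["kw"].lower() if m["kw"] else None,
             m["quoted"] if m["quoted"] is not None else m["bare"])
            for m in TERM_RE.finditer(text)]


def term_matches(rule, kw, arg):
    """Apply one term to one rule following the documented matching rules."""
    arg = arg.lower()                    # all matching is case-insensitive
    if kw in EXACT_KEYWORDS:
        return str(rule[kw]) == arg      # gid/sid: exact matches only
    if kw is not None:
        return arg in str(rule.get(kw, "")).lower()   # other keywords: partial match
    return any(arg in str(rule[f]).lower() for f in STRING_FIELDS)


def filter_rules(text, rules=RULES):
    """Return the SIDs of rules matching ALL terms; term order does not matter."""
    terms = parse_filter(text)
    return sorted(r["sid"] for r in rules if all(term_matches(r, *t) for t in terms))
```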
Setting a Rule Filter in an Intrusion Policy

License: Protection

You can filter the rules on the Rules page to display a subset of rules. You can then use any of the page features, including selecting any of the features available in the context menu. This can be useful, for example, when you want to set a threshold for all the rules in a specific category. You can use the same features with rules in a filtered or unfiltered list. For example, you can apply new rule states to rules in a filtered or unfiltered list.

You can select predefined filter keywords from the filter panel on the left side of the Rules page in the intrusion policy. When you select a filter, the page displays all matching rules, or indicates when no rules match.

For more information on all the keywords and arguments you can use and how you can construct filters from the filter panel, see .

You can add keywords to a filter to further constrain it. Any filter you enter searches the entire rules database and returns all matching rules. When you enter a filter while the page still displays the result of a previous filter, the page clears and returns the result of the new filter instead.