Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Rule Headers
See the following sections for more in-depth information about the syntax you can use to specify source and destination IP addresses, and for information about using variables to specify IP addresses.
Specifying Any IP Address
License: Protection
You can specify the word any as a rule source or destination IP address to indicate any IPv4 or IPv6 address.
For example, the following rule uses the argument any in the Source IPs and Destination IPs fields and evaluates packets with any IPv4 or IPv6 source or destination address:
alert tcp any any -> any any
You can also specify :: to indicate any IPv6 address.
Specifying Multiple IP Addresses
License: Protection
You can list individual IP addresses by separating the IP addresses with commas and, optionally, by surrounding non-negated lists with brackets, as shown in the following example:
[192.168.1.100,192.168.1.103,192.168.1.105]
You can list IPv4 and IPv6 addresses alone or in any combination, as shown in the following example:
[192.168.1.100,2001:db8::1234,192.168.1.105]
Note that surrounding an IP address list with brackets, which was required in earlier software releases, is not required. Note also that, optionally, you can enter lists with a space before or after each comma.
Table 32-2 Source/Destination IP Address Syntax (continued)

| To Specify... | Use... | Example |
|---|---|---|
| all IP addresses except addresses defined by an IP address variable | the variable name, in uppercase letters, preceded by !$. See ... for more information. | !$HOME_NET |
| IP addresses defined by a network object or network object group | the object or group name using the format !{object_name}. See ... for more information. | ${192.168sub16} |
| all IP addresses except addresses defined by a network object or network object group | the object or group name, in curly braces ({}), preceded by !$. See ... for more information. | !${192.168sub16} |
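The following Python sketch is an added example, not code from the FireSIGHT System or from Cisco. It classifies the Source IPs / Destination IPs forms shown on this page (any, ::, literal address lists with optional brackets, $VAR and ${object} references with optional ! negation), so a rule reviewer can spot fields that match every address. The function names and return tuples are assumptions made for illustration; forms described elsewhere in the guide, such as CIDR blocks and negated literal addresses, are not handled.

```python
import ipaddress
import re

# Forms shown on this page: $VAR / !$VAR and ${object} / !${object}.
VAR_RE = re.compile(r"^(!?)\$([A-Z][A-Z0-9_]*)$")
OBJ_RE = re.compile(r"^(!?)\$\{([^{}]+)\}$")


def classify(token):
    """Return (kind, negated, value) for one entry of an IP field."""
    if token == "any":                      # any IPv4 or IPv6 address
        return ("any", False, "IPv4+IPv6")
    if token == "::":                       # any IPv6 address, not a literal host
        return ("any", False, "IPv6")
    for kind, pattern in (("variable", VAR_RE), ("object", OBJ_RE)):
        m = pattern.match(token)
        if m:
            return (kind, m.group(1) == "!", m.group(2))
    # Anything else must be a literal address; CIDR blocks and negated
    # literals are not covered on this page and raise ValueError here.
    addr = ipaddress.ip_address(token)
    return ("ipv%d" % addr.version, False, str(addr))


def parse_ip_field(field):
    """Parse a Source IPs / Destination IPs value into classified entries."""
    field = field.strip()
    if field.startswith("[") != field.endswith("]"):
        raise ValueError("unbalanced brackets in %r" % field)
    if field.startswith("["):               # brackets are optional
        field = field[1:-1]
    tokens = [t.strip() for t in field.split(",")]   # spaces around commas allowed
    if "" in tokens:
        raise ValueError("empty list entry in %r" % field)
    return [classify(t) for t in tokens]


def matches_everything(field):
    """True when an entry matches all addresses of at least one IP family."""
    return any(kind == "any" for kind, _, _ in parse_ip_field(field))


if __name__ == "__main__":
    # Constructed sample values, taken from the examples on this page.
    for sample in ("any", "::", "[192.168.1.100, 2001:db8::1234]",
                   "!$HOME_NET", "!${192.168sub16}"):
        print(sample, "->", parse_ip_field(sample))
```

Because :: is treated as a wildcard before literal parsing, a rule that uses it is reported as unrestricted rather than as the single IPv6 unspecified address.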