Cisco FirePOWER Appliance 7020
32-75
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
To specify DNP3 function codes:
Access: Admin/Intrusion Admin
Step 1 On the Create Rule page, select dnp3_func in the drop-down list and click Add Option.
The dnp3_func keyword appears.
Step 2 Specify a single defined decimal value 0 to 255 for the function code, or a single defined string. See Table 32-43 for the values and strings recognized by the system.
dnp3_ind
You can use the dnp3_ind keyword to match against flags in the Internal Indications field in a DNP3 application layer response header.
You can specify the string for a single known flag or a comma-separated list of flags, as seen in the following example:
class_1_events, class_2_events
When you specify multiple flags, the keyword matches against any flag in the list. To detect a combination of flags, use the dnp3_ind keyword multiple times in a rule.
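The matching semantics described above, as an added illustration that is not FireSIGHT or Snort code: it parses the function code and Internal Indications octets of a DNP3 application-layer response, then models dnp3_func (one value or string) and dnp3_ind (any flag in a list, all keywords in a rule). The function-code table is taken from Table 32-43 on this page; the IIN bit names other than class_1_events and class_2_events are assumed from the IEEE 1815 layout, and the response bytes are constructed.

```python
# Function codes from Table 32-43 on this page (partial table, value -> string).
DNP3_FUNC = {
    17: "start_appl", 18: "stop_appl", 19: "save_config", 20: "enable_unsolicited",
    21: "disable_unsolicited", 22: "assign_class", 23: "delay_measure",
    24: "record_current_time", 25: "open_file", 26: "close_file", 27: "delete_file",
    28: "get_file_info", 29: "authenticate_file", 30: "abort_file", 31: "activate_config",
    32: "authenticate_req", 33: "authenticate_err", 129: "response",
    130: "unsolicited_response", 131: "authenticate_resp",
}
# Internal Indications names, IIN1 bits 0-7 then IIN2 bits 0-7 (assumed from the
# IEEE 1815 layout; only class_1_events/class_2_events appear on this page).
IIN_FLAGS = [
    "all_stations", "class_1_events", "class_2_events", "class_3_events",
    "need_time", "local_control", "device_trouble", "device_restart",
    "no_func_code_support", "object_unknown", "parameter_error", "event_buffer_overflow",
    "already_executing", "config_corrupt", "reserved_2", "reserved_1",
]

def parse_response_header(app: bytes):
    """Return (function code, set of IIN flags) from control, func, IIN1, IIN2 octets."""
    if len(app) < 4:
        raise ValueError("fragment too short for a response header")
    func = app[1]
    if func < 0x80:
        raise ValueError("request fragments carry no IIN field")
    iin = app[2] | (app[3] << 8)
    return func, {name for bit, name in enumerate(IIN_FLAGS) if iin & (1 << bit)}

def dnp3_func_matches(func: int, arg: str) -> bool:
    """dnp3_func takes a single decimal value 0-255 or a single defined string."""
    arg = arg.strip()
    return func == int(arg) if arg.isdigit() else DNP3_FUNC.get(func) == arg

def dnp3_ind_matches(flags: set, arg: str) -> bool:
    """One dnp3_ind keyword with a comma-separated list matches if ANY listed flag is set."""
    wanted = {f.strip() for f in arg.split(",") if f.strip()}
    unknown = wanted - set(IIN_FLAGS)
    if unknown:
        raise ValueError(f"unknown dnp3_ind flag(s): {sorted(unknown)}")
    return bool(wanted & flags)

def rule_matches(app: bytes, func_arg: str, ind_args) -> bool:
    """Several dnp3_ind keywords in one rule must all match: that is how a
    combination of flags (rather than any one of them) is detected."""
    func, flags = parse_response_header(app)
    return dnp3_func_matches(func, func_arg) and all(dnp3_ind_matches(flags, a) for a in ind_args)

# Constructed sample: control 0xC0, func 0x81 (response), IIN1 0x06 (class 1 + class 2 events), IIN2 0x00.
SAMPLE_RESPONSE = bytes([0xC0, 0x81, 0x06, 0x00])
```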
Table 32-43 DNP3 Function Codes (continued)
Value  String
17     start_appl
18     stop_appl
19     save_config
20     enable_unsolicited
21     disable_unsolicited
22     assign_class
23     delay_measure
24     record_current_time
25     open_file
26     close_file
27     delete_file
28     get_file_info
29     authenticate_file
30     abort_file
31     activate_config
32     authenticate_req
33     authenticate_err
129    response
130    unsolicited_response
131    authenticate_resp