Cisco FirePOWER Appliance 7020
32-105
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Filtering Rules on the Rule Editor Page
License:
Protection
You can filter the rules on the Rule Editor page to display a subset of rules. This can be useful, for
example, when you want to modify a rule or change its state but have difficulty finding it among the
thousands of rules available.
When you enter a filter, the page displays any folder that includes at least one matching rule, or a
message when no rule matches. Your filter can include special keywords and their arguments, character
strings, and literal character strings in quotes, with spaces separating multiple filter conditions. A filter
cannot include regular expressions, wild card characters, or any special operator such as a negation
character (!), a greater than symbol (>), less than symbol (<), and so on.
All keywords, keyword arguments, and character strings are case-insensitive. Except for the gid and sid
keywords, all arguments and strings are treated as partial strings. Arguments for gid and sid return only
exact matches.
Optionally, you can expand a folder on the original, unfiltered page and the folder remains expanded
when the subsequent filter returns matches in that folder. This can be useful when the rule you want to
find is in a folder that contains a large number of rules.
You cannot constrain a filter with a subsequent filter. Any filter you enter searches the entire rules
database and returns all matching rules. When you enter a filter while the page still displays the result
of a previous filter, the page clears and returns the result of the new filter instead.
You can use the same features with rules in a filtered or unfiltered list. For example, you can edit rules
in a filtered or unfiltered list on the Rule Editor page. You can also use any of the options in the context
menu for the page.
See the following sections for more information:
Using Keywords in a Rule Filter
License:
Protection
Each rule filter can include one or more keywords in the format:
keyword:argument
where keyword is one of the keywords in the table and argument is a single, case-insensitive, alphanumeric
string to search for in the specific field or fields relevant to the keyword.
Arguments for all keywords except gid and sid are treated as partial strings. For example, the argument 123
returns "12345", "41235", "45123", and so on. The arguments for gid and sid return only exact matches; for
example, sid:3080 returns only SID 3080.
Tip
You can search for a partial SID by filtering with one or more character strings. See for more information.
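The filter semantics described above (case-insensitive terms, quoted literal strings, partial matching for everything except gid and sid, a fresh search of the whole rule set on every filter, and a result grouped by folder) can be modelled in a few lines. The following is an added example written for this page, not Cisco code and not the Rule Editor's implementation. It assumes a small constructed rule set with a folder and a message field, treats "message" as a keyword (the page names only gid and sid), combines multiple conditions with AND, and lets a bare character string search the SID and the message text; all of these are assumptions of the example.

```python
"""Model of the Rule Editor filter behaviour described above.

Added example, not Cisco code. Rule data, the 'folder' and 'message'
fields, the 'message' keyword, the AND combination of conditions and the
fields a bare string searches are all assumptions of this example.
"""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    folder: str   # assumed: the folder the Rule Editor groups the rule under
    gid: int
    sid: int
    message: str  # assumed: rule message text searched by character strings


# Constructed sample rules; the values are invented for the example.
SAMPLE_RULES = [
    Rule("Example Folder A", 1, 3080, "EXAMPLE alpha request"),
    Rule("Example Folder A", 1, 12345, "EXAMPLE beta response"),
    Rule("Example Folder B", 1, 41235, "EXAMPLE gamma data"),
    Rule("Example Folder B", 3, 3080, "EXAMPLE delta option"),
    Rule("Example Folder C", 1, 45123, "EXAMPLE Alpha Beta"),
]

EXACT_KEYWORDS = {"gid", "sid"}   # from the page: exact matches only
PARTIAL_KEYWORDS = {"message"}    # assumed keyword for this example


def parse_filter(text):
    """Split a filter into (keyword, argument) pairs and bare strings.

    shlex.split keeps a quoted literal such as "alpha beta" as one term and
    drops the quotes. Everything is lowercased because the page says
    keywords, arguments and strings are all case-insensitive. No regular
    expressions or wildcards are interpreted: every term is a literal.
    """
    conditions = []
    for term in shlex.split(text):
        term = term.lower()
        keyword, sep, argument = term.partition(":")
        if sep and argument and keyword in EXACT_KEYWORDS | PARTIAL_KEYWORDS:
            conditions.append((keyword, argument))
        else:
            conditions.append((None, term))  # character string, no keyword
    return conditions


def rule_matches(rule, conditions):
    """Return True when the rule satisfies every condition (AND, assumed)."""
    for keyword, argument in conditions:
        if keyword in EXACT_KEYWORDS:
            # gid/sid: the argument must equal the whole value, so sid:308
            # does not match SID 3080.
            if str(getattr(rule, keyword)) != argument:
                return False
        elif keyword is not None:
            # Other keywords: partial, case-insensitive substring match.
            if argument not in getattr(rule, keyword).lower():
                return False
        else:
            # Bare string: partial match against the SID text or the
            # message, which is how a partial SID can be found (assumed
            # field set).
            searchable = (str(rule.sid), rule.message.lower())
            if not any(argument in field for field in searchable):
                return False
    return True


def filter_rules(rules, text):
    """Return {folder: [matching rules]} for one filter.

    A folder appears only if at least one of its rules matches, and an empty
    dict stands for the 'no rule matches' message. Every call searches the
    whole rule set, so a filter never narrows the previous filter's result.
    """
    conditions = parse_filter(text)
    result = {}
    for rule in rules:
        if rule_matches(rule, conditions):
            result.setdefault(rule.folder, []).append(rule)
    return result


if __name__ == "__main__":
    for flt in ("sid:3080", "sid:308", "123", 'gid:3 "example delta"',
                "alpha beta", '"alpha beta"'):
        hits = filter_rules(SAMPLE_RULES, flt)
        print(f"{flt!r:24} -> " + (", ".join(
            f"{folder}: {[r.sid for r in rules]}" for folder, rules in hits.items())
            or "no rule matches"))
```

Running the module shows the distinctions the page draws: sid:3080 returns both SID 3080 rules and sid:308 returns nothing, while the bare string 123 finds SIDs 12345, 41235 and 45123; the unquoted filter alpha beta is two conditions, whereas the quoted literal "alpha beta" is one.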
The following table describes the specific filtering keywords and arguments you can use to filter rules.