Cisco Firepower Management Center 4000
32-3
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Rule Headers
The following table describes each part of the rule header shown above.
Note: The previous example uses default variables, as do most intrusion rules. See for more information about variables, what they mean, and how to configure them.
See the following sections for more information about rule header parameters:
• describes rule types and explains how to specify the action that occurs when the rule triggers.
• explains how to define the traffic protocol for traffic that the rule should test.
• explains how to define the individual IP addresses and IP address blocks in the rule header.
• explains how to define the individual ports and port ranges in the rule header.
• describes the available operators and explains how to specify the direction traffic must be traveling to be tested by the rule.
Table 32-1 Rule Header Values

| Rule Header Component | Component Example Value | This Value... |
|---|---|---|
| Action | alert | Generates an intrusion event when triggered. |
| Protocol | tcp | Tests TCP traffic only. |
| Source IP Address | $EXTERNAL_NET | Tests traffic coming from any host that is not on your internal network. |
| Source Ports | any | Tests traffic coming from any port on the originating host. |
| Operator | -> | Tests external traffic (destined for the web servers on your network). |
| Destination IP Address | $HTTP_SERVERS | Tests traffic to be delivered to any host specified as a web server on your internal network. |
| Destination Ports | $HTTP_PORTS | Tests traffic delivered to an HTTP port on your internal network. |