Cisco FirePOWER Appliance 8360
21-2
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Understanding Intrusion Prevention Rule Types
• explains how you can more efficiently manage multiple intrusion policies in a complex network by adding intrusion policy layers comprised of individual configurations for rule attributes and advanced settings.
Understanding Intrusion Prevention Rule Types
License: Protection
An intrusion policy contains two types of rules: intrusion rules and preprocessor rules.
An intrusion rule is a specified set of keywords and arguments that detects attempts to exploit
vulnerabilities on your network; an intrusion rule analyzes network traffic to check if it matches the
criteria in the rule. The system compares packets against the conditions specified in each rule and, if the
packet data matches all the conditions specified in a rule, the rule triggers. The system includes two types
of intrusion rules created by the Cisco Vulnerability Research Team (VRT): shared object rules, which
are compiled and cannot be modified (except for rule header information such as source and destination
ports and IP addresses), and standard text rules, which can be saved and modified as new custom
instances of the rule.
The system also includes preprocessor rules, which are rules associated with preprocessor and packet
decoder detection options. You cannot copy or edit preprocessor rules. Most preprocessor rules are
disabled by default and must be enabled (that is, set to Generate Events or to Drop and Generate Events)
if you want the system to generate events for preprocessor rules and, in an inline deployment, drop
offending packets.
The VRT determines the default rule states of Cisco’s shared object rules, standard text rules, and
preprocessor rules for each default intrusion policy included with the system.
The following table describes each type of rule included with the FireSIGHT System.
Table 21-1 Rule Types

Type: shared object rule
Description: An intrusion rule created by the Cisco Vulnerability Research Team (VRT) that is delivered as a binary module compiled from C source code. You can use shared object rules to detect attacks in ways that standard text rules cannot. You cannot modify the rule keywords and arguments in a shared object rule; you are limited to either modifying variables used in the rule, or modifying aspects such as the source and destination ports and IP addresses and saving a new instance of the rule as a custom shared object rule. A shared object rule has a GID (generator ID) of 3. See for more information.

Type: standard text rule
Description: An intrusion rule either created by the VRT, copied and saved as a new custom rule, created using the rule editor, or imported as a local rule that you create on a local machine and import. You cannot modify the rule keywords and arguments in a standard rule created by the VRT; you are limited to either modifying variables used in the rule, or modifying aspects such as the source and destination ports and IP addresses and saving a new instance of the rule as a custom standard text rule. See , and for more information. A standard text rule created by the VRT has a GID (generator ID) of 1. Custom standard text rules that you create using the rule editor or import as local rules have a SID (Signature ID) of 1000000 or greater.

Type: preprocessor rule
Description: A rule associated with a detection option of the packet decoder or with one of the preprocessors included with the FireSIGHT System. You must enable preprocessor rules if you want them to generate events. These rules have a decoder- or preprocessor-specific GID (generator ID). See the table for more information.
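The rule-type description above and the GID/SID conventions in Table 21-1 (GID 3 for shared object rules, GID 1 for standard text rules, SID 1000000 or greater for custom text rules, decoder- or preprocessor-specific GIDs for preprocessor rules) can be turned into a small inventory check that tells an analyst what kind of rule each entry is and which parts of it the guide says may be edited. The following is an added example, not code from the guide or from Cisco. It assumes rules are written in Snort text-rule syntax (the page does not show rule text); the four sample rules are constructed; GID 116 is the Snort packet decoder's generator ID and the default of GID 1 when the gid option is omitted are Snort conventions that the page does not state; the shared object "rule" is only a header plus metadata, since real shared object rules are compiled binaries.

```python
"""Classify intrusion rules by the GID/SID conventions described in the guide."""
import re
from dataclasses import dataclass, field

# Values stated in the guide.
SHARED_OBJECT_GID = 3
TEXT_RULE_GID = 1
CUSTOM_SID_FLOOR = 1_000_000

# Constructed sample rules (Snort text syntax; not taken from any rule set).
# The third entry stands in for a shared object rule: only its header and
# gid/sid metadata exist in text form, the detection logic is in a compiled module.
# GID 116 is the Snort packet decoder's generator ID (assumption, not on the page).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"VRT example text rule"; '
    'content:"/cgi-bin/"; sid:1234; gid:1; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Local custom rule"; '
    'content:"SSH-1.99"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Shared object rule header"; '
    'sid:5678; gid:3; rev:1;)',
    'alert ( msg:"DECODE_IPV4_INVALID_HEADER_LEN"; sid:3; gid:116; rev:1; )',
]

# Header = everything between the action and the opening parenthesis. Preprocessor
# and decoder rules carry no header, so the group may be empty.
RULE_RE = re.compile(r"^\s*(?P<action>[a-z]+)\s*(?P<header>[^(]*)\((?P<options>.*)\)\s*$")


@dataclass
class Rule:
    action: str
    header: str                 # protocol, addresses, ports: the editable part of a VRT rule
    gid: int
    sid: int
    msg: str
    keywords: list = field(default_factory=list)  # detection keywords (content, pcre, ...)


def split_options(options: str) -> list:
    """Split the option body on ';' while ignoring semicolons inside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in options:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(text: str) -> Rule:
    """Parse one rule line into its header, identifiers and detection keywords."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    gid, sid, msg, keywords = TEXT_RULE_GID, None, "", []  # gid defaults to 1 (Snort convention)
    for option in split_options(m.group("options")):
        key, _, value = option.partition(":")
        key, value = key.strip(), value.strip()
        if key == "gid":
            gid = int(value)
        elif key == "sid":
            sid = int(value)
        elif key == "msg":
            msg = value.strip('"')
        elif key in ("rev", "classtype", "metadata", "reference", "priority"):
            continue  # bookkeeping options, not detection logic
        else:
            keywords.append(key)
    if sid is None:
        raise ValueError(f"rule has no sid: {text!r}")
    return Rule(m.group("action"), m.group("header").strip(), gid, sid, msg, keywords)


def classify(rule: Rule) -> str:
    """Map GID/SID to the rule types of Table 21-1."""
    if rule.gid == SHARED_OBJECT_GID:
        return "shared object rule"
    if rule.gid == TEXT_RULE_GID:
        if rule.sid >= CUSTOM_SID_FLOOR:
            return "custom standard text rule"
        return "VRT standard text rule"
    return "preprocessor rule"  # any other GID is decoder- or preprocessor-specific


def editable_parts(kind: str) -> dict:
    """What the guide says you may change for each rule type."""
    if kind == "preprocessor rule":
        return {"header": False, "keywords": False, "copy": False}   # cannot copy or edit
    if kind == "custom standard text rule":
        return {"header": True, "keywords": True, "copy": True}      # fully editable in the rule editor
    return {"header": True, "keywords": False, "copy": True}         # VRT text and shared object rules


def inventory(rule_texts) -> list:
    """Return (gid, sid, type) for every rule so an analyst can review a rule set."""
    return [(r.gid, r.sid, classify(r)) for r in map(parse_rule, rule_texts)]


if __name__ == "__main__":
    for gid, sid, kind in inventory(SAMPLE_RULES):
        print(f"{gid}:{sid:<8} {kind:26} editable={editable_parts(kind)}")
```

Feeding a local rules file through inventory() is a quick way to confirm that every rule you imported landed in the custom SID range and that nothing with a preprocessor GID was accidentally treated as an editable text rule.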