Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Rule Anatomy
License: Protection
All standard text rules contain two logical sections: the rule header and the rule options. The rule header contains:
• the rule's action or type
• the protocol
• the source and destination IP addresses and netmasks
• direction indicators showing the flow of traffic from source to destination
• the source and destination ports
The rule options section contains:
• event messages
• keywords and their parameters and arguments
• patterns that a packet's payload must match to trigger the rule
• specifications of which parts of the packet the rules engine should inspect
The following diagram illustrates the parts of a rule:
Note that the options section of a rule is the section enclosed in parentheses. The rule editor provides an
easy-to-use interface to help you build standard text rules.
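To make the two-section layout concrete, the following added example (not code from the user guide or from the FireSIGHT rule editor) parses a constructed standard text rule into its header fields (action, protocol, source and destination addresses and ports, direction indicator) and its parenthesized options as keyword/argument pairs. The sample rule, the SID and the variable names $EXTERNAL_NET and $HOME_NET are assumptions for illustration; the parser assumes the header contains no parentheses, that the options section is the outermost parenthesized span, and that a semicolon inside a double-quoted argument (such as an msg or content string) does not end the option.

```python
import re

# Constructed sample rule (not taken from the user guide). The msg argument
# deliberately contains a ';' to show that quoted semicolons do not split options.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"EXAMPLE traversal attempt; constructed rule"; '
    'flow:to_server,established; content:"../"; '
    'classtype:web-application-attack; sid:1000001; rev:2;)'
)

# Header layout: action protocol src_ip src_port direction dst_ip dst_port.
# Addresses and ports are matched as non-space tokens so that variables
# ($HOME_NET), CIDR blocks and bracketed lists without spaces all parse.
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<protocol>\w+)\s+'
    r'(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+'
    r'(?P<direction>->|<>)\s+'
    r'(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)$'
)


def split_rule(rule):
    """Return (header_text, options_text); options are the text inside the
    outermost parentheses, the header is everything before the opening one."""
    open_idx = rule.find('(')
    close_idx = rule.rfind(')')
    if open_idx == -1 or close_idx == -1 or close_idx < open_idx:
        raise ValueError('rule has no parenthesized options section')
    return rule[:open_idx].strip(), rule[open_idx + 1:close_idx].strip()


def parse_header(header_text):
    """Map the seven header fields to a dict, or raise on a malformed header."""
    m = HEADER_RE.match(header_text)
    if not m:
        raise ValueError('malformed rule header: %r' % header_text)
    return m.groupdict()


def parse_options(options_text):
    """Split the options section into (keyword, argument) pairs.

    Options are separated by ';'. The scan tracks double quotes (and
    backslash escapes inside them) so a ';' within a quoted argument is
    kept as part of that argument rather than ending the option.
    """
    options, buf, in_quotes, escaped = [], [], False, False
    for ch in options_text:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == '\\' and in_quotes:
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            options.append(''.join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        options.append(tail)

    parsed = []
    for opt in options:
        if ':' in opt:
            keyword, argument = opt.split(':', 1)   # keywords never contain ':'
            parsed.append((keyword.strip(), argument.strip()))
        else:
            parsed.append((opt, None))              # flag-style option, e.g. nocase
    return parsed


def parse_rule(rule):
    """Parse a standard text rule into its header dict and option list."""
    header_text, options_text = split_rule(rule)
    return {'header': parse_header(header_text),
            'options': parse_options(options_text)}


if __name__ == '__main__':
    parsed = parse_rule(SAMPLE_RULE)
    for field, value in parsed['header'].items():
        print('%-10s %s' % (field, value))
    for keyword, argument in parsed['options']:
        print('%-10s %s' % (keyword, argument))
```

The header parser is strict on purpose: a header with a missing port or an unknown direction token raises rather than silently shifting fields, which is the failure you want to catch before a rule is imported.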
Understanding Rule Headers
License: Protection
Every standard text rule and shared object rule has a rule header containing parameters and arguments.
The following illustrates parts of a rule header: