Intrusion Policy Rule Filters Construction Guidelines
In most cases, when you are building a filter, you can use the filter panel to the left of the Rules page in the intrusion policy to choose the keywords/arguments you want to use.
Rule filters are grouped into rule filter groups in the filter panel. Many rule filter groups contain sub-criteria so that you can more easily find the specific rules you are looking for. Some rule filters have multiple levels that you can expand to drill down to individual rules.
Items in the filter panel sometimes represent filter type groups, sometimes represent keywords, and sometimes represent the argument to a keyword. Note the following:
- When you choose a filter type group heading that is not a keyword (Rule Configuration, Rule Content, Platform Specific, and Priority), it expands to list the available keywords. When you choose a keyword by clicking on a node in the criteria list, a pop-up window appears, where you supply the argument you want to filter by. If that keyword is already used in the filter, the argument you supply replaces the existing argument for that keyword. For example, if you click Drop and Generate Events under Recommendation in the filter panel, `Recommendation:"Drop and Generate Events"` is added to the filter text box. If you then click Generate Events under Recommendation, the filter changes to `Recommendation:"Generate Events"`.
- When you choose a filter type group heading that is a keyword (Category, Classifications, Microsoft Vulnerabilities, Microsoft Worms, Priority, and Rule Update), it lists the available arguments. When you choose an item from this type of group, the argument and the keyword it applies to are immediately added to the filter. If the keyword is already in the filter, it replaces the existing argument for the keyword that corresponds to that group. For example, if you click os-linux under Category in the filter panel, `Category:"os-linux"` is added to the filter text box. If you then click os-windows under Category, the filter changes to `Category:"os-windows"`.
- Reference under Rule Content is a keyword, and so are the specific reference ID types listed below it. When you choose any of the reference keywords, a pop-up window appears, where you supply an argument, and the keyword is added to the existing filter. If the keyword is already in use in the filter, the new argument you supply replaces the existing argument. For example, if you click CVE in the filter panel, a pop-up window prompts you to supply the CVE ID. If you enter 2007, then `CVE:"2007"` is added to the filter text box. In another example, if you click Reference in the filter panel, a pop-up window prompts you to supply the reference. If you enter 2007, then `Reference:"2007"` is added to the filter text box.
- When you choose rule filter keywords from different groups, each filter keyword is added to the filter and any existing keywords are maintained (unless overridden by a new value for the same keyword). For example, if you click os-linux under Category in the filter panel, `Category:"os-linux"` is added to the filter text box. If you then click MS00-006 under Microsoft Vulnerabilities, the filter changes to `Category:"os-linux" MicrosoftVulnerabilities:"MS00-006"`.
- When you choose multiple keywords, the system combines them using AND logic to create a compound search filter. For example, if you choose preprocessor under Category and then choose GID and enter 116, you get a filter of `Category:"preprocessor" GID:"116"`, which retrieves all rules that are preprocessor rules and have a GID of 116.
- The Category, Microsoft Vulnerabilities, Microsoft Worms, Platform Specific, and Priority filter groups allow you to submit more than one argument for a keyword, separated by commas. For example, you can choose os-linux and os-windows from Category to produce the filter `Category:"os-linux,os-windows"`, which retrieves any rules in the os-linux category or in the os-windows category.
The same rule may be retrieved by more than one filter keyword/argument pair. For example, the DOS Cisco attempt rule (SID 1545) appears if rules are filtered by the dos category, and also if you filter by the High priority.
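The filter semantics described above (AND between keywords, OR between comma-separated arguments of one keyword, and a re-chosen keyword replacing its earlier argument) can be modelled in a few lines. This is an added example, not Firepower code; the rule table is constructed sample data (only SID 1545 with the dos category and High priority is taken from the text), and the keyword names follow the filter strings shown on this page.

```python
import re

# Constructed sample rule metadata for the demonstration (not real Talos rules).
RULES = [
    {"sid": 1545, "gid": 1,   "Category": "dos",          "Priority": "High",   "Recommendation": "Drop and Generate Events"},
    {"sid": 2260, "gid": 1,   "Category": "os-other",     "Priority": "Medium", "Recommendation": "Generate Events"},
    {"sid": 3,    "gid": 116, "Category": "preprocessor", "Priority": "Low",    "Recommendation": "Disable"},
    {"sid": 4,    "gid": 1,   "Category": "os-linux",     "Priority": "High",   "Recommendation": "Generate Events"},
    {"sid": 5,    "gid": 1,   "Category": "os-windows",   "Priority": "Low",    "Recommendation": "Drop and Generate Events"},
]

# Groups that accept a comma-separated list of arguments (per the table on this page).
MULTI_ARG = {"Category", "MicrosoftVulnerabilities", "MicrosoftWorms", "PlatformSpecific", "Priority"}

# One filter term looks like  Keyword:"argument"  ; terms are separated by whitespace.
TERM = re.compile(r'(\w+):\s*"([^"]*)"')


def parse_filter(text):
    """Turn 'Category:"os-linux" GID:"116"' into an ordered keyword -> argument map."""
    return dict(TERM.findall(text))


def add_term(text, keyword, argument):
    """Model a click in the filter panel: a keyword already present gets its argument replaced,
    a new keyword is appended and the existing keywords are kept."""
    terms = parse_filter(text)
    terms[keyword] = argument
    return " ".join(f'{k}:"{v}"' for k, v in terms.items())


def matches(rule, terms):
    """AND across keywords; OR across comma-separated arguments of a multi-argument keyword."""
    for keyword, argument in terms.items():
        wanted = [a.strip() for a in argument.split(",")] if keyword in MULTI_ARG else [argument]
        value = rule.get("gid") if keyword == "GID" else rule.get(keyword)
        if str(value) not in wanted:
            return False
    return True


def apply_filter(text, rules=RULES):
    """Return the SIDs of the rules the filter string retrieves."""
    terms = parse_filter(text)
    return [r["sid"] for r in rules if matches(r, terms)]
```

Running `apply_filter('Category:"preprocessor" GID:"116"')` returns only SID 3, while `apply_filter('Category:"os-linux,os-windows"')` returns SIDs 4 and 5, mirroring the two compound-filter examples above.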
Note: The Talos Intelligence Group may use the rule update mechanism to add and remove rule filters.
Note that the rules on the Rules page may be either shared object rules (generator ID 3) or standard text rules (generator ID 1, Global domain or legacy GID; 1000 - 2000, descendant domains). The following table describes the different rule filters.
| Filter Group | Description | Multiple Argument Support? | Heading is... | Items in List are... |
|---|---|---|---|---|
| Rule Configuration | Finds rules according to the configuration of the rule. | No | A grouping | keywords |
| Rule Content | Finds rules according to the content of the rule. | No | A grouping | keywords |
| Category | Finds rules according to the rule categories used by the rule editor. Note that local rules appear in the local sub-group. | Yes | A keyword | arguments |
| Classifications | Finds rules according to the attack classification that appears in the packet display of an event generated by the rule. | No | A keyword | arguments |
| Microsoft Vulnerabilities | Finds rules according to Microsoft bulletin number. | Yes | A keyword | arguments |
| Microsoft Worms | Finds rules based on specific worms that affect Microsoft Windows hosts. | Yes | A keyword | arguments |
| Platform Specific | Finds rules according to their relevance to specific versions of operating systems. Note that a rule may affect more than one operating system or more than one version of an operating system. For example, enabling SID 2260 affects multiple versions of Mac OS X, IBM AIX, and other operating systems. | Yes | A keyword | arguments. If you pick one of the items from the sub-list, it adds a modifier to the argument. |
| Preprocessors | Finds rules for individual preprocessors. Note that you must enable the preprocessor rules associated with a preprocessor option to generate events and, in an inline deployment, drop offending packets for that option when the preprocessor is enabled. | Yes | A grouping | sub-groupings |
| Priority | Finds rules according to high, medium, and low priorities. The classification assigned to a rule determines its priority. These groups are further grouped into rule categories. Note that local rules (that is, rules that you import or create) do not appear in the priority groups. | Yes | A keyword | arguments. If you pick one of the items from the sub-list, it adds a modifier to the argument. |
| Rule Update | Finds rules added or modified through a specific rule update. For each rule update, you can view all rules in the update, only new rules imported in the update, or only existing rules changed by the update. | No | A keyword | arguments |