Intrusion Rule Content Filters

You can filter the rules listed in the Rules page by several rule content items. For example, you can quickly retrieve a rule by searching for the rule’s SID. You can also find all rules that inspect traffic going to a specific destination port.

When you select a keyword by clicking on a node in the criteria list, you can supply the argument you want to filter by. If that keyword is already used in the filter, the argument you supply replaces the existing argument for that keyword.

For example, if you click SID under Rule Content in the filter panel, a pop-up window appears, prompting you to supply a SID. If you type 1045, then SID:"1045" is added to the filter text box. If you then click SID again and change the SID filter to 1044, the filter changes to SID:"1044".

Rule Content Filters

This filter...      Finds rules that...
Message             contain the supplied string in the message field.
SID                 have the specified SID.
GID                 have the specified GID.
Reference           contain the supplied string in the reference field. You can also filter by a specific type of reference and supplied string.
Action              start with alert or pass.
Protocol            include the selected protocol.
Direction           include the indicated directional setting.
Source IP           use the specified addresses or variables for the source IP address designation in the rule. You can filter by a valid IP address, a CIDR block/prefix length, or variables such as $HOME_NET or $EXTERNAL_NET.
Destination IP      use the specified addresses or variables for the destination IP address designation in the rule. You can filter by a valid IP address, a CIDR block/prefix length, or variables such as $HOME_NET or $EXTERNAL_NET.
Source port         include the specified source port. The port value must be an integer between 1 and 65535 or a port variable.
Destination port    include the specified destination port. The port value must be an integer between 1 and 65535 or a port variable.
Rule Overhead       have the selected rule overhead.
Metadata            have metadata containing the matching key-value pair. For example, type metadata:"service http" to locate rules with metadata relating to the HTTP application protocol.
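As an added example (not Cisco's code), the following Python models the filter text box behaviour described above: terms of the form keyword:"argument", replacement of a keyword's argument when that keyword is selected again, port validation, and matching against a few constructed rule records. The keyword spellings SrcPort, DstPort, Message and Action, and the rule record fields, are assumptions of this example; only SID and metadata follow the page's own syntax.

```python
import re

# A filter is a series of keyword:"argument" terms, e.g. SID:"1045" metadata:"service http".
TERM_RE = re.compile(r'(\w+):"([^"]*)"')

def set_filter(filter_text, keyword, argument):
    """Apply a keyword picked in the criteria list; a new argument replaces any existing one."""
    terms = {k.lower(): (k, v) for k, v in TERM_RE.findall(filter_text)}
    terms[keyword.lower()] = (keyword, argument)
    return " ".join(f'{k}:"{v}"' for k, v in terms.values())

def port_ok(value):
    """Port arguments must be an integer from 1 to 65535 or a port variable."""
    return value.startswith("$") or (value.isdigit() and 1 <= int(value) <= 65535)

def rule_matches(rule, filter_text):
    """True when the rule satisfies every term (keyword spellings are assumptions)."""
    for key, arg in TERM_RE.findall(filter_text):
        key = key.lower()
        if key in ("sid", "gid") and rule[key] != int(arg):
            return False
        if key == "message" and arg.lower() not in rule["message"].lower():
            return False
        if key == "action" and not rule["action"].startswith(arg):
            return False
        if key in ("srcport", "dstport"):
            if not port_ok(arg):
                raise ValueError(f"invalid port argument: {arg}")
            if rule[key] != arg:
                return False
        if key == "metadata":
            mk, _, mv = arg.partition(" ")  # "service http" -> key "service", value "http"
            if rule["metadata"].get(mk) != mv:
                return False
    return True

# Constructed sample rules; the fields mirror the table's filter criteria.
RULES = [
    dict(gid=1, sid=1044, message="SERVER-WEBAPP example traversal attempt", action="alert",
         srcport="any", dstport="$HTTP_PORTS", metadata={"service": "http"}),
    dict(gid=1, sid=1045, message="PROTOCOL-DNS example query", action="alert",
         srcport="any", dstport="53", metadata={"service": "dns"}),
    dict(gid=3, sid=2000, message="POLICY example allowed host", action="pass",
         srcport="any", dstport="22", metadata={"service": "ssh"}),
]

def filter_rules(filter_text):
    """Return the SIDs of the sample rules that pass the filter."""
    return [r["sid"] for r in RULES if rule_matches(r, filter_text)]
```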