Cisco FirePOWER Appliance 7115

Version 5.3
Sourcefire 3D System User Guide
Configuring Intrusion Policies
Managing Intrusion Policies
Chapter 19
Optionally, configure your preprocessors, enabling and disabling options 
as appropriate.
For more information on the preprocessors provided in Sourcefire 3D 
System, as well as details on how to configure them, see
2. Define your variables to accurately reflect your home and external 
networks. 
Defining variables makes rule inspection more effective and efficient by 
directing rules to inspect the traffic to and from specific IP addresses 
and ports. Defining these in the default variable set or in custom sets 
allows you to tune your policy or system without editing every rule. 
Variables can also be used when suppressing rules and configuring the 
advanced adaptive profiles feature. For details on managing variables, 
see 
3. Disable shared object rules and standard text rules that do not apply to 
your environment and verify that all rules that do apply to your 
environment are enabled. For inline deployments, carefully choose the 
intrusion rules that you want to drop packets rather than simply 
generate events. For more information on setting rule states, see 
4. If none of the existing intrusion rules meet your needs, write new rules that 
inspect for intrusion attempts.
For information on the rule keywords you can use to construct custom 
standard text rules, and their syntax, see 
5. Test your configuration.
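The effect of the variable-definition step above, as an added example that is not taken from the guide: the same two rule headers are evaluated against an untuned and a tuned variable set, showing which sample flows each rule would inspect. The Snort-style variable names ($HOME_NET, $EXTERNAL_NET, $HTTP_PORTS), the rule names, and all addresses and ports are assumptions constructed for illustration.

```python
import ipaddress

# Constructed rule headers: (protocol, source, source port, destination, dest port).
RULES = {
    "inbound-web": ("tcp", "$EXTERNAL_NET", "any", "$HOME_NET", "$HTTP_PORTS"),
    "outbound-irc": ("tcp", "$HOME_NET", "any", "$EXTERNAL_NET", "6667"),
}
# Constructed variable sets; the Snort-style names are assumptions, not from the guide.
UNTUNED = {"HOME_NET": "any", "EXTERNAL_NET": "any", "HTTP_PORTS": "80"}
TUNED = {"HOME_NET": "10.1.0.0/16,192.168.5.0/24",
         "EXTERNAL_NET": "!$HOME_NET", "HTTP_PORTS": "80,8080"}


def addr_matches(spec, ip, variables):
    """True if ip is selected by spec: 'any', a CIDR list, $VAR, or !spec."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec == "any":
        return True
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(net.strip())
               for net in spec.split(","))


def port_matches(spec, port, variables):
    """True if port is selected by spec: 'any', a port list, or $VAR."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    return spec == "any" or str(port) in [p.strip() for p in spec.split(",")]


def rules_inspecting(flow, variables, rules=RULES):
    """Return the names of the rules whose header selects this flow."""
    proto, src, sport, dst, dport = flow
    return [name for name, (r_proto, r_src, r_sport, r_dst, r_dport) in rules.items()
            if proto == r_proto
            and addr_matches(r_src, src, variables)
            and port_matches(r_sport, sport, variables)
            and addr_matches(r_dst, dst, variables)
            and port_matches(r_dport, dport, variables)]


# Constructed sample flows: (protocol, source, source port, destination, dest port).
INTERNAL_WEB = ("tcp", "10.1.9.9", 40000, "10.1.2.3", 80)
INBOUND_8080 = ("tcp", "203.0.113.7", 51000, "10.1.2.3", 8080)
OUTBOUND_IRC = ("tcp", "10.1.2.3", 40001, "198.51.100.20", 6667)

if __name__ == "__main__":
    for flow in (INTERNAL_WEB, INBOUND_8080, OUTBOUND_IRC):
        print(flow, rules_inspecting(flow, UNTUNED), rules_inspecting(flow, TUNED))
```

With the untuned set the inbound rule is spent on internal-to-internal traffic and misses the web server on port 8080; changing only the variable set corrects both without touching either rule.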
Managing Intrusion Policies
License: Protection
On the Intrusion Policy page (Policies > Intrusion > Intrusion Policy) you can view all 
your current intrusion policies by name with optional description along with the 
following information:
the time and date the policy was last modified and the user who modified it
whether dropping packets in an inline deployment is enabled in the policy
when a policy has unsaved changes, in italicized black text