Cisco FirePOWER Appliance 7115

Version 5.3
Sourcefire 3D System User Guide
Managing Rules in an Intrusion Policy
Setting Rule States
Chapter 20
In an intrusion policy, you can set a rule’s state to one of the following settings:
• Set the rule state to Generate Events if you want the system to detect a specific intrusion attempt and generate an intrusion event when it finds matching traffic.
• Set the rule state to Drop and Generate Events if you want the system to detect a specific intrusion attempt, then drop the packet containing the attack and generate an intrusion event when it finds matching traffic in an inline deployment, or to generate an intrusion event when it finds matching traffic in a passive deployment, including when a 3D9900 or Series 3 device inline interface set is in tap mode.
  Note that your intrusion policy must be set to drop rules in an inline deployment for the system to drop packets; see on page 735 for more information.
• Set the rule state to Disable if you do not want the system to evaluate matching traffic.
To use drop rules, you must:
• Enable the Drop when Inline option in your intrusion policy.
• Set the rule state to Drop and Generate Events for any rules that should drop all packets that match the rule.
• Apply an access control policy that includes an access control rule that is associated with your intrusion policy to a managed device that uses an inline set.
Filtering rules on the Rules page can help you find the rules you want to set as 
drop rules. For more information, se
 on page 1073 for information 
about rule anatomy, rule keywords and their options, and rule writing syntax.
The VRT sometimes uses a rule update to change the default state of one or 
more rules in a default policy. If you allow rule updates to update your base policy, 
you also allow the rule update to change the default state of a rule in your policy 
when the default state changes in the default policy you used to create your 
policy (or in the default policy it is based on). Note, however, that if you have 
changed the rule state, the rule update will not override your change.
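
The state, drop and rule-update behavior described above, modelled in Python as an added example (not Sourcefire code and not a product API). All class, field and function names and the rule IDs are hypothetical; it assumes a Drop and Generate Events rule still generates an event when Drop when Inline is off.

```python
from dataclasses import dataclass
from typing import Optional

GENERATE, DROP, DISABLE = "Generate Events", "Drop and Generate Events", "Disable"

@dataclass
class Rule:
    sid: int                          # constructed sample rule ID
    base_state: str                   # default state inherited from the base policy
    user_state: Optional[str] = None  # set only if you changed the state yourself

@dataclass
class Deployment:
    drop_when_inline: bool            # "Drop when Inline" option in the intrusion policy
    interface_mode: str               # "inline", "tap" or "passive"
    policy_applied: bool = True       # access control policy using this intrusion
                                      # policy is applied to the managed device

def effective_state(rule):
    """A state you set yourself takes precedence over the inherited default."""
    return rule.user_state if rule.user_state is not None else rule.base_state

def apply_rule_update(rules, new_defaults, update_base_policy):
    """Model a rule update that changes default states in the base policy.
    Only base_state is touched, so a state you changed is not overridden."""
    if update_base_policy:
        for r in rules:
            if r.sid in new_defaults:
                r.base_state = new_defaults[r.sid]

def outcome(rule, dep):
    """Return (event_generated, packet_dropped) for traffic matching the rule."""
    state = effective_state(rule)
    if not dep.policy_applied or state == DISABLE:
        return (False, False)         # traffic is not evaluated against the rule
    # All drop prerequisites must hold; tap and passive modes only generate events.
    drops = (state == DROP and dep.drop_when_inline
             and dep.interface_mode == "inline")
    # Assumption: the event is still generated when the packet is not dropped.
    return (True, drops)

def non_dropping_drop_rules(rules, dep):
    """Rule IDs set to Drop and Generate Events that will not drop on this deployment."""
    return [r.sid for r in rules
            if effective_state(r) == DROP and not outcome(r, dep)[1]]
```
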
To change the rule state for one or more rules:
Access: Admin/Intrusion Admin
1. Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.