Sourcefire 3D System User Guide, Version 5.3
Chapter 20: Managing Rules in an Intrusion Policy
5. Select the rule or rules where you want to set the rule state. You have the following options:
   • To select a specific rule, select the check box next to the rule.
   • To select all the rules in the current list, select the check box at the top of the column.
6. You have the following options:
   • To generate events when traffic matches the selected rules, select Rule State > Generate Events.
   • To generate events and drop the traffic in inline deployments when traffic matches the selected rules, select Rule State > Drop and Generate Events.
   • To not inspect traffic matching the selected rules, select Rule State > Disable.
IMPORTANT! Sourcefire strongly recommends that you do not enable all the intrusion rules in an intrusion policy. The performance of your managed device is likely to degrade if all the rules are enabled. Instead, tune your rule set to match your network environment as closely as possible.
7. Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. See the  on page 722 for more information.
Filtering Intrusion Event Notification Per Policy

LICENSE: Protection
The importance of an intrusion event can be based on frequency of occurrence, or source or destination IP address. In some cases you may not care about an event until it has occurred a certain number of times. For example, you may not be concerned if someone attempts to log into a server until they fail a certain number of times. In other cases, you may only need to see a few occurrences to know there is a widespread problem. For example, if a DoS attack is launched against your web server, you may only need to see a few occurrences of an intrusion event to know that you need to address the situation. Seeing hundreds of the same event only overwhelms your system.
See the following sections for more information:
•  on page 774 explains how to set thresholds that dictate how often (based on the number of occurrences) an event is displayed. You can configure thresholding per event, per policy.
•  on page 780 explains how to suppress notification of specified events per source or destination IP address per policy.
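The two filtering ideas described above (notify only after a number of occurrences, or only for the first few, and suppress notification entirely for a given source or destination address) are easy to misjudge without seeing them run over a stream of events. The following Python model is an added example written for this page; it is not Sourcefire code and does not reproduce the product's configuration format. The mode names "threshold" and "limit", the "by_src"/"by_dst" tracking keys, the rule identifiers and all IP addresses and timestamps are constructed for the illustration. It uses a sliding time window, which is one reasonable reading of "within N seconds" but is an assumption, not the documented behaviour.

```python
"""Model of per-policy intrusion event thresholding and suppression.

Added illustration, not Sourcefire's implementation. Two behaviours from the
section are modelled:
  - "threshold": notify only once a tracked address has produced the event
    `count` times within `seconds` (the repeated-failed-login case)
  - "limit": notify for at most the first `count` occurrences within `seconds`
    (the DoS case, where a few events are enough and hundreds just add noise)
  - suppression: never notify when the tracked address is inside a given network
Mode and tracking names are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Event:
    ts: float   # seconds; constructed sample values are used below
    rule: str   # rule identifier in "gid:sid" form (constructed values)
    src: str
    dst: str


@dataclass(frozen=True)
class Threshold:
    mode: str      # "threshold" or "limit" (names assumed for this example)
    track: str     # "by_src" or "by_dst": which address the count is kept per
    count: int
    seconds: float


@dataclass(frozen=True)
class Suppression:
    track: str     # "by_src" or "by_dst"
    network: str   # CIDR; events whose tracked address is inside are silenced


class NotificationFilter:
    """Decides, per policy, which intrusion events produce a notification."""

    def __init__(self):
        self.thresholds: dict[str, Threshold] = {}
        self.suppressions: dict[str, list[Suppression]] = defaultdict(list)
        self._window: dict[tuple, deque] = defaultdict(deque)

    def add_threshold(self, rule: str, threshold: Threshold) -> None:
        self.thresholds[rule] = threshold

    def add_suppression(self, rule: str, suppression: Suppression) -> None:
        self.suppressions[rule].append(suppression)

    @staticmethod
    def _tracked(event: Event, track: str) -> str:
        return event.src if track == "by_src" else event.dst

    def _suppressed(self, event: Event) -> bool:
        for s in self.suppressions.get(event.rule, []):
            if ip_address(self._tracked(event, s.track)) in ip_network(s.network):
                return True
        return False

    def notify(self, event: Event) -> bool:
        """Return True if this event should be reported to the analyst."""
        if self._suppressed(event):
            return False
        t = self.thresholds.get(event.rule)
        if t is None:
            return True  # no threshold configured: every occurrence is reported
        key = (event.rule, self._tracked(event, t.track))
        window = self._window[key]
        window.append(event.ts)
        # sliding window: forget occurrences older than `seconds`
        while window and event.ts - window[0] > t.seconds:
            window.popleft()
        if t.mode == "threshold":
            if len(window) >= t.count:
                window.clear()  # start counting toward the next notification
                return True
            return False
        if t.mode == "limit":
            return len(window) <= t.count
        raise ValueError(f"unknown mode {t.mode!r}")


def run_sample() -> dict:
    """Feed a constructed event stream through the filter; return notifications per rule."""
    f = NotificationFilter()
    # Failed logins: only care once a source has failed 3 times within a minute.
    f.add_threshold("1:2000001", Threshold("threshold", "by_src", 3, 60))
    # DoS against the web server: two notifications per minute per destination are plenty.
    f.add_threshold("1:2000002", Threshold("limit", "by_dst", 2, 60))
    # Known noisy internal source range: never notify for this rule from 10.0.0.0/8.
    f.add_suppression("1:2000003", Suppression("by_src", "10.0.0.0/8"))

    events = (
        [Event(100 + i * 5, "1:2000001", "10.0.0.5", "192.0.2.20") for i in range(7)]
        + [Event(200 + i, "1:2000002", f"198.51.100.{i}", "192.0.2.10") for i in range(10)]
        + [Event(300, "1:2000003", "10.1.2.3", "192.0.2.30"),
           Event(301, "1:2000003", "203.0.113.9", "192.0.2.30")]
    )
    counts: dict = defaultdict(int)
    for e in events:
        if f.notify(e):
            counts[e.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    print(run_sample())
```

With the constructed stream, the seven failed logins from one source produce two notifications (on the third and sixth occurrence), the ten DoS events against one destination produce only the first two, and the suppressed rule fires once, for the event whose source lies outside 10.0.0.0/8. Note that thresholding and suppression only change what the analyst is shown; whether the traffic is dropped is decided by the rule state set in the procedure above, not by these filters.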