Cisco FirePOWER Appliance 7115

Version 5.3
Sourcefire 3D System User Guide
Managing Rules in an Intrusion Policy
Filtering Intrusion Event Notification Per Policy
Chapter 20
Next, you must specify the tracking, which determines whether the event threshold is calculated per source or destination IP address. Select one of the options from the Thresholding IP Options table to specify how the system tracks event instances.
Thresholding Options (Continued)

Option: Threshold
Description: Logs and displays a single event when the specified number of packets (specified by the count argument) trigger the rule during the specified time period. Note that the counter for the time restarts after you hit the threshold count of events and the system logs that event. For example, you set the type to Threshold, Count to 10, and Seconds to 60, and the rule triggers 10 times by second 33. The system generates one event, then resets the Seconds and Count counters to 0. The rule then triggers another 10 times in the next 25 seconds. Because the counters reset to 0 at second 33, the system logs another event.

Option: Both
Description: Logs and displays an event once per specified time period, after the specified number (count) of packets trigger the rule. For example, if you set the type to Both, Count to two, and Seconds to 10, the following event counts result:
• If the rule is triggered once in 10 seconds, the system does not generate any events (the threshold is not met).
• If the rule is triggered twice in 10 seconds, the system generates one event (the threshold is met when the rule triggers the second time).
• If the rule is triggered four times in 10 seconds, the system generates one event (the threshold is met when the rule triggered the second time and following events are ignored).
Thresholding IP Options

Option: Source
Description: Calculates event instance count per source IP address.

Option: Destination
Description: Calculates the event instance count per destination IP address.
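
The Threshold and Both behaviour and the per-source or per-destination tracking described above, replayed over constructed rule triggers in an added Python sketch (not Sourcefire code). The function name, the sample addresses and the rule that a period opens at the first trigger seen for an address are assumptions made for illustration.

```python
from collections import namedtuple

# One rule trigger: time in seconds plus the packet's addresses (constructed data).
Trigger = namedtuple("Trigger", "time src dst")

def logged_events(triggers, kind, count, seconds, track="src"):
    """Return [(time, tracked_ip)] for each event the policy would log.

    kind  -- "threshold" or "both", as described in the options above
    track -- "src" or "dst": which address the instance count is kept per
    Assumption: a period opens at the first trigger seen for an address and
    closes `seconds` later; the next trigger after that opens a new period.
    """
    if kind not in ("threshold", "both") or track not in ("src", "dst"):
        raise ValueError("unsupported kind or track")
    state = {}    # tracked IP -> [period_start, hits, already_logged]
    logged = []
    for trig in sorted(triggers, key=lambda x: x.time):
        key = trig.src if track == "src" else trig.dst
        s = state.get(key)
        if s is None or trig.time - s[0] >= seconds:
            s = state[key] = [trig.time, 0, False]   # new period
        s[1] += 1
        if s[1] < count:
            continue                                  # threshold not met yet
        if kind == "threshold":
            logged.append((trig.time, key))
            state[key] = [trig.time, 0, False]        # Seconds and Count reset to 0
        elif not s[2]:
            logged.append((trig.time, key))           # first event this period
            s[2] = True                               # later triggers are ignored
    return logged

A, B, D = "192.0.2.10", "192.0.2.20", "198.51.100.5"  # constructed addresses

# Threshold example from the text: 10 triggers by second 33, 10 more by second 58.
burst = [Trigger(t, A, D) for t in list(range(6, 34, 3)) + list(range(40, 59, 2))]
# Two sources hitting one destination: the tracking choice changes the outcome.
pair = [Trigger(1, A, D), Trigger(2, B, D)]

if __name__ == "__main__":
    print(logged_events(burst, "threshold", 10, 60))         # events at 33 and 58
    print(logged_events(burst, "both", 10, 60))              # one event, at 33
    print(logged_events(pair, "both", 2, 10, track="src"))   # no event
    print(logged_events(pair, "both", 2, 10, track="dst"))   # one event, at 2
```

With the same 20 triggers, Threshold logs two events where Both logs one, and the two-source case is logged only when tracking by destination, which is the difference to weigh when choosing a type and tracking option for a noisy rule.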