Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
Managing Rules in an Intrusion Policy
Filtering Intrusion Event Notification Per Policy
Chapter 20
Next, you must specify the tracking, which determines whether the event threshold is calculated per source or destination IP address. Select one of the options from the Thresholding IP Options table to specify how the system tracks event instances.
Thresholding Options (Continued)

Option: Threshold
Description: Logs and displays a single event when the specified number of packets (specified by the count argument) trigger the rule during the specified time period. Note that the counter for the time restarts after you hit the threshold count of events and the system logs that event. For example, you set the type to Threshold, Count to 10, and Seconds to 60 and the rule triggers 10 times by second 33. The system generates one event, then resets the Seconds and Count counters to 0. The rule then triggers another 10 times in the next 25 seconds. Because the counters reset to 0 at second 33, the system logs another event.

Option: Both
Description: Logs and displays an event once per specified time period, after the specified number (count) of packets trigger the rule. For example, if you set the type to Both, Count to two, and Seconds to 10, the following event counts result:
• If the rule is triggered once in 10 seconds, the system does not generate any events (the threshold is not met)
• If the rule is triggered twice in 10 seconds, the system generates one event (the threshold is met when the rule triggers the second time)
• If the rule is triggered four times in 10 seconds, the system generates one event (the threshold is met when the rule triggered the second time and following events are ignored)

Thresholding IP Options

Option: Source
Description: Calculates event instance count per source IP address.

Option: Destination
Description: Calculates the event instance count per destination IP address.
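
The counting behavior described for the Threshold and Both types, and for Source and Destination tracking, can be checked with a small simulation. This is an added example, not code from the Sourcefire guide or product; the function names, sample IP addresses and timestamps are constructed, and the rule for when a time period starts is an assumption noted in the code.

```python
def logged_events(hits, kind, track, count, seconds):
    """Return [(timestamp, tracked_ip)] for the events the filter would log.

    hits  : time-ordered (timestamp_s, src_ip, dst_ip) rule triggers
    kind  : "threshold" or "both"
    track : "source" or "destination"
    """
    if kind not in ("threshold", "both") or track not in ("source", "destination"):
        raise ValueError("unsupported type or tracking option")
    state = {}   # tracked IP -> [period_start, hits_in_period, already_logged]
    logged = []
    for ts, src, dst in hits:
        ip = src if track == "source" else dst
        st = state.get(ip)
        # Assumption: the period starts at the first counted hit, and a hit
        # arriving `seconds` or more later opens a fresh period.
        if st is None or ts - st[0] >= seconds:
            st = state[ip] = [ts, 0, False]
        st[1] += 1
        if kind == "threshold" and st[1] == count:
            logged.append((ts, ip))
            state[ip] = [ts, 0, False]   # Seconds and Count reset to 0
        elif kind == "both" and st[1] >= count and not st[2]:
            logged.append((ts, ip))
            st[2] = True                 # later hits this period are ignored
    return logged


def one_flow(times, src="10.0.0.5", dst="192.0.2.10"):
    """Build constructed sample hits for a single source/destination pair."""
    return [(t, src, dst) for t in times]


# Constructed timestamps matching the guide's Threshold example:
# 10 triggers by second 33, then 10 more in the next 25 seconds.
THRESHOLD_SAMPLE = one_flow([0, 4, 8, 12, 16, 20, 24, 28, 31, 33,
                             35, 37, 40, 42, 45, 47, 50, 52, 55, 58])

if __name__ == "__main__":
    print(logged_events(THRESHOLD_SAMPLE, "threshold", "source", 10, 60))
    for n in (1, 2, 4):   # the guide's three "Both" cases, Count 2, Seconds 10
        print(n, logged_events(one_flow(range(1, n + 1)), "both", "source", 2, 10))
```

Switching `track` between "source" and "destination" changes which address the counters are keyed on, so many sources that each trigger the rule once against one host log nothing per source but can meet the count per destination.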