Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 18      Working with Intrusion Events 
  Using the Packet View
Using Packet View Actions
License: Protection
On the packet view, you can take several actions in the Event Information section on the rule that 
triggered the event. Note that if the event is based on a shared object rule, a decoder, or a preprocessor, 
the rule is not available. You must expand Actions to display rule actions.
Edit
For standard text rule events, click Edit to modify the rule that generated the event.
Note that if the event is based on a shared object rule, a decoder, or a preprocessor, the rule is not 
available.
Note
If you edit a rule provided by Cisco (as opposed to a custom standard text rule), you actually 
create a new local rule. Make sure you set the local rule to generate events and also disable the 
original rule in the current intrusion policy. Note, however, that you cannot enable local rules in 
the default policies. For more information, see 
.
View Documentation
For standard text rule events, click View Documentation to learn more about the rule revision that 
generated the event.
Rule Comment
For standard text rule events, click Rule Comment to add a text comment to the rule that generated the 
event.
This allows you to provide additional context and information about the rule and the exploit or 
policy violation it identifies. You can also add and view rule comments in the rule editor. For more 
information, see 
Disable this rule
If this event is generated by a standard text rule, you can disable the rule, if necessary. You can disable 
the rule in all policies that you can edit locally. Alternatively, you can disable the rule only in the current 
policy (that is, the policy that generated the event) if you can edit the current policy locally.
For more information, see 
Note that the current policy option appears only when you can edit the current policy; for example, 
you can edit a custom policy, but you cannot edit a default policy provided by Cisco.
Note
You cannot disable shared object rules from the packet view, nor can you disable rules in the 
default policies.
Set this rule to generate events
If this event is generated by a standard text rule, you can set the rule to generate events in all policies 
that you can edit locally. Alternatively, you can set the rule only in the current policy (that is, the 
policy that generated the event) if you can edit the current policy locally.
For more information, see 
Note that the current policy option appears only when you can edit the current policy; for example, 
you can edit a custom policy, but you cannot edit a default policy provided by Cisco.