Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 18: Working with Intrusion Events
Using the Packet View
Note that the current policy option appears only when you can edit the current policy; for example, you 
can edit a custom policy, but you cannot edit a default policy provided by Cisco.
The thresholding options appear.
Step 2
Select the type of threshold you want to set:
  • Select limit to limit notification to the specified number of event instances per time period.
  • Select threshold to provide notification for each specified number of event instances per time period.
  • Select both to provide notification once per time period after a specified number of event instances.
Step 3
Select the appropriate radio button to indicate whether you want the event instances tracked by Source or Destination IP address.
Step 4
In the Count field, type the number of event instances you want to use as your threshold.
Step 5
In the Seconds field, type a number between 1 and 86400 that specifies the time period for which event instances are tracked.
Step 6
If you want to override any current thresholds for this rule in existing intrusion policies, select Override any existing settings for this rule.
Step 7
Click Save Thresholding.
The system adds your threshold and displays a message indicating success. If you chose not to override 
existing settings, a message appears informing you of any conflicts.
Setting Suppression Options within the Packet View
License: Protection
You can use the suppression options to suppress intrusion events altogether, or based on the source or 
destination IP address. You can set suppression options in all policies that you can edit locally. 
Alternately, you can set suppression options only in the current policy (that is, the policy that generated 
the event) when the current policy can be edited locally.
To suppress intrusion events within the packet view:
Access: Admin/Intrusion Admin
Step 1
Within the packet view of an intrusion event that was generated by an intrusion rule, expand Actions in the Event Information section; expand Set Suppression Options and click one of the two possible options:
  • in the current policy
  • in all locally created policies
Note that the current policy option appears only when you can edit the current policy; for example, you 
can edit a custom policy, but you cannot edit a default policy provided by Cisco.
The suppression options appear.
Step 2
Select one of the following Track By options:
  • To completely suppress events for the rule that triggered this event, select Rule.
  • To suppress events generated by packets originating from a specified source IP address, select Source.
  • To suppress events generated by packets going to a specified destination IP address, select Destination.