FireSIGHT System User Guide
Chapter 30  Using Global Rule Thresholding
Understanding Thresholding

Understanding Thresholding Options
License: Protection
Thresholding allows you to limit intrusion event generation by generating only a specific number of events in a time period or by generating one event for a set of events. When you configure global thresholding, you first specify the thresholding type, as described in the following table. Next, specify the tracking, which determines whether the event instance count is calculated per source or per destination IP address. Finally, specify the number of instances and the time period that define the threshold.
Table 30-1  Thresholding Options

Option     Description

Limit      Logs and displays events for the specified number of packets (specified by the count
           argument) that trigger the rule during the specified time period. For example, if you set
           the type to Limit, the Count to 10, and the Seconds to 60, and 14 packets trigger the
           rule, the system stops logging events for the rule after displaying the first 10 that
           occur within the same minute.

Threshold  Logs and displays a single event when the specified number of packets (specified by the
           count argument) trigger the rule during the specified time period. Note that the counter
           for the time restarts after you hit the threshold count of events and the system logs
           that event. For example, if you set the type to Threshold, the Count to 10, and the
           Seconds to 60, and the rule triggers 10 times by second 33, the system generates one
           event, then resets the Seconds and Count counters to 0. The rule then triggers another
           10 times in the next 25 seconds. Because the counters reset to 0 at second 33, the
           system logs another event.

Both       Logs and displays an event once per specified time period, after the specified number
           (count) of packets trigger the rule. For example, if you set the type to Both, the Count
           to two, and the Seconds to 10, the following event counts result:
           • If the rule is triggered once in 10 seconds, the system does not generate any events
             (the threshold is not met).
           • If the rule is triggered twice in 10 seconds, the system generates one event (the
             threshold is met when the rule triggers the second time).
           • If the rule is triggered four times in 10 seconds, the system generates one event (the
             threshold is met when the rule triggered the second time and following events are
             ignored).