Cisco ASA 5506W-X with FirePOWER Services Technical Manual

Step 1.4. Signature filtering with Filter bar option 
Navigate to the Rules option in the navigation panel; the Rule Management page appears. There
are thousands of rules in the rule database, and the Filter bar provides an effective search
engine for locating the rule you need.
Enter any keyword in the Filter bar and the system returns the matching rules. For example, if you
need to find the signature for the Secure Sockets Layer (SSL) Heartbleed vulnerability, search for
the keyword heartbleed in the Filter bar and it returns the signatures that cover the Heartbleed
vulnerability.
Tip: If multiple keywords are entered in the Filter bar, the system combines them with AND logic
to form a compound search, so a rule must match every keyword to be listed.
You can also search the rules by Signature ID (SID), Generator ID (GID), or category (for example,
Category: dos).
Rules are also grouped in several ways, such as by Category, Classification, Microsoft
Vulnerabilities, Microsoft Worms, and Platform Specific. These groupings help the customer find
the right signature easily and tune the signatures effectively.
You can also search by CVE number to find the rules that cover a given vulnerability, using the
syntax CVE: <cve-number>.
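The Filter bar semantics described above (bare keywords combined with AND, plus the SID:, GID:, Category: and CVE: prefixes) can be modelled in a few lines. The following Python is an added example, not Cisco's code or the FirePOWER search implementation: it runs the same kind of compound query over a small constructed rule table. Rule SIDs, messages and CVE numbers in the table are placeholders, and the exact field-matching behaviour of the real product (exact versus substring match on prefixed fields) is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a rule database; SIDs, messages and CVE values are
# placeholders, not real Snort/FirePOWER rule data.
RULES: List[Dict[str, str]] = [
    {"gid": "1", "sid": "100001", "category": "server-other", "cve": "0000-0001",
     "msg": "Example TLSv1.1 heartbeat read overflow attempt (Heartbleed)"},
    {"gid": "1", "sid": "100002", "category": "server-other", "cve": "0000-0001",
     "msg": "Example TLSv1.2 heartbeat read overflow attempt (Heartbleed)"},
    {"gid": "1", "sid": "100003", "category": "dos", "cve": "",
     "msg": "Example SYN flood attempt"},
    {"gid": "3", "sid": "100004", "category": "os-windows", "cve": "0000-0002",
     "msg": "Example Microsoft Windows SMB remote code execution attempt"},
]

# Prefixed fields the filter understands. Assumed: prefixed terms match the
# field exactly (case-insensitively), bare terms match anywhere in the rule.
PREFIX_FIELDS = {"sid", "gid", "category", "cve"}

# A term is either "field: value" (whitespace after the colon allowed, as in
# the documented "CVE: <cve-number>" syntax) or a bare keyword.
TOKEN_RE = re.compile(r"(\w+):\s*(\S+)|(\S+)")


def parse_filter(query: str) -> List[Tuple[Optional[str], str]]:
    """Split a Filter bar string into (field, value) terms; field is None for bare keywords."""
    terms: List[Tuple[Optional[str], str]] = []
    for field, value, bare in TOKEN_RE.findall(query):
        if field:
            terms.append((field.lower(), value.lower()))
        else:
            terms.append((None, bare.lower()))
    return terms


def rule_matches(rule: Dict[str, str], terms: List[Tuple[Optional[str], str]]) -> bool:
    """AND logic: every term must match for the rule to be listed."""
    haystack = " ".join(rule.values()).lower()
    for field, value in terms:
        if field is None:
            if value not in haystack:
                return False
        elif field in PREFIX_FIELDS:
            if rule[field].lower() != value:
                return False
        else:
            # Unknown prefix: treat as a term that nothing can satisfy.
            return False
    return True


def search_rules(query: str, rules: List[Dict[str, str]] = RULES) -> List[str]:
    """Return the SIDs of rules matching the compound filter, in table order."""
    terms = parse_filter(query)
    return [r["sid"] for r in rules if rule_matches(r, terms)]


if __name__ == "__main__":
    for q in ("heartbleed", "heartbleed tlsv1.2", "Category: dos", "CVE: 0000-0002"):
        print(f"{q!r:>22} -> {search_rules(q)}")
```

Adding a second keyword narrows the result set rather than widening it, which is the AND behaviour the tip above describes; a query such as "heartbleed dos" therefore returns nothing, because no single rule carries both terms.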
Step 1.5. Configure the Rule State 
Navigate to the Rules option in the navigation panel; the Rule Management page appears. Use the
Rule State option to configure the state of each rule. There are three states that can be
configured for a rule:
1. Generate Events: This option generates events when the rule matches the traffic.
2. Drop and Generate Events: This option generates events and drops the traffic when the rule
matches the traffic.
3. Disable: This option disables the rule.
Step 1.6. 
The importance of an intrusion event can depend on its frequency of occurrence, or on the
source or destination IP address. In some cases you may not care about an event until it has
occurred a certain number of times. For example, you might not be concerned about someone
attempting to log in to a server until they fail a certain number of times. In other cases you might
only need to see a few occurrences of a rule hit to check whether there is a widespread problem.
There are two ways to achieve this:
1. Event threshold.
2. Event Suppression.
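Both mechanisms listed above can be illustrated with a small event-filter simulation. The following Python is an added example, not Cisco's code or the FirePOWER implementation; it models the per-rule threshold types with the semantics of Snort's event_filter (limit: alert on the first N events in a window and ignore the rest; threshold: alert every Nth event; both: alert once per window after N events) together with suppression of a rule for a given source or destination address. The event stream, SIDs and IP addresses are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    ts: float   # seconds since start of the capture
    gid: int
    sid: int
    src: str
    dst: str


@dataclass
class Threshold:
    kind: str      # "limit", "threshold" or "both" (Snort event_filter semantics)
    track: str     # "by_src" or "by_dst": which address the count is kept per
    count: int     # N events ...
    seconds: int   # ... within this many seconds


@dataclass
class Suppression:
    track: Optional[str]   # None suppresses the rule for all traffic
    ip: Optional[str]      # address that is suppressed when track is by_src/by_dst


class EventFilter:
    """Decides whether an intrusion event is logged, after suppression and thresholding."""

    def __init__(self) -> None:
        self.thresholds: Dict[Tuple[int, int], Threshold] = {}
        self.suppressions: Dict[Tuple[int, int], List[Suppression]] = defaultdict(list)
        # (gid, sid, tracked address) -> [window start, events seen in window]
        self._windows: Dict[Tuple[int, int, str], List[float]] = {}

    def add_threshold(self, gid: int, sid: int, th: Threshold) -> None:
        self.thresholds[(gid, sid)] = th

    def add_suppression(self, gid: int, sid: int, sup: Suppression) -> None:
        self.suppressions[(gid, sid)].append(sup)

    def should_log(self, ev: Event) -> bool:
        key = (ev.gid, ev.sid)
        # Suppression is checked first: a suppressed event is never logged.
        for sup in self.suppressions.get(key, []):
            if sup.track is None:
                return False
            addr = ev.src if sup.track == "by_src" else ev.dst
            if addr == sup.ip:
                return False
        th = self.thresholds.get(key)
        if th is None:
            return True
        addr = ev.src if th.track == "by_src" else ev.dst
        win = self._windows.get((ev.gid, ev.sid, addr))
        if win is None or ev.ts - win[0] >= th.seconds:
            win = [ev.ts, 0.0]          # start a fresh window on first/expired hit
            self._windows[(ev.gid, ev.sid, addr)] = win
        win[1] += 1
        n = int(win[1])
        if th.kind == "limit":
            return n <= th.count        # first N in the window only
        if th.kind == "threshold":
            return n % th.count == 0    # every Nth event
        if th.kind == "both":
            return n == th.count        # once per window, on the Nth event
        raise ValueError(f"unknown threshold kind {th.kind!r}")


def run_demo() -> List[Tuple[float, int, str]]:
    """Replay a constructed event stream and return (ts, sid, src) of the events logged."""
    ef = EventFilter()
    # Constructed rule 100010: a failed-login signature; only alert once a source
    # has failed five times within a minute.
    ef.add_threshold(1, 100010, Threshold("both", "by_src", 5, 60))
    # Constructed rule 100011: only the first two hits per destination per minute
    # are needed to notice a widespread problem.
    ef.add_threshold(1, 100011, Threshold("limit", "by_dst", 2, 60))
    # A known-noisy source is suppressed for the login rule.
    ef.add_suppression(1, 100010, Suppression("by_src", "192.0.2.9"))

    events = [Event(float(t), 1, 100010, "10.0.0.5", "10.0.0.100") for t in range(6)]
    events += [Event(float(t), 1, 100010, "192.0.2.9", "10.0.0.100") for t in (10, 11, 12)]
    events += [Event(float(t), 1, 100010, "10.0.0.7", "10.0.0.100") for t in (20, 21)]
    events += [Event(float(30 + i), 1, 100011, f"10.0.0.{21 + i}", "10.0.0.100")
               for i in range(4)]
    events.append(Event(100.0, 1, 100010, "10.0.0.5", "10.0.0.100"))  # window expired
    events.sort(key=lambda e: e.ts)
    return [(e.ts, e.sid, e.src) for e in events if ef.should_log(e)]


if __name__ == "__main__":
    for ts, sid, src in run_demo():
        print(f"t={ts:5.1f}s  sid={sid}  src={src}")
```

In the replay, the source that fails to log in six times produces a single event on its fifth attempt, the suppressed source produces none, the source with only two failures never crosses the threshold, and the "limit" rule reports only the first two of four hits on the same destination. A later hit from the first source after the 60-second window has expired starts a new count rather than being logged.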