Cisco Firepower Management Center 4000 Manual

39-8
FireSIGHT System User Guide
 
Chapter 39      Configuring Correlation Policies and Rules 
  Creating Rules for Correlation Policies
Generator ID
Select one or more preprocessors. See  for more information about available preprocessors.
Impact Flag
Select the impact level assigned to the intrusion event. You select any of the following along with operators that specify is, is not, is greater than, and so on:
  • 0 — gray (Unknown)
  • 1 — red (Vulnerable)
  • 2 — orange (Potentially Vulnerable)
  • 3 — yellow (Currently Not Vulnerable)
  • 4 — blue (Unknown Target)
Note
Because there is no operating system information available for hosts added to the network map based on NetFlow data, the Defense Center cannot assign Vulnerable (level 1: red) impact levels for intrusion events involving those hosts, unless you use the host input feature to manually set the host operating system identity. For more information, see .
Inline Result
Select either:
  • dropped, to specify whether the packet was dropped in an inline, switched, or routed deployment
  • would have dropped, to specify whether the packet would have dropped if the intrusion policy had been set to drop packets in an inline, switched, or routed deployment
Note that the system does not drop packets in a passive deployment, including when an inline set is in tap mode, regardless of the rule state or the drop behavior of the intrusion policy. For more information, see , and 
Intrusion Policy
Select one or more intrusion policies that generated the intrusion event.
IOC Tag
Select whether an IOC tag is or is not set as a result of the intrusion event.
Priority
Select the rule priority: low, medium, or high.
For rule-based intrusion events, the priority corresponds to either the value of the priority keyword or the value for the classtype keyword. For other intrusion events, the priority is determined by the decoder or preprocessor.
Protocol
Rule Message
Type all or part of the rule message.
Rule SID
Type a single Snort ID number (SID) or multiple SIDs separated by commas.
Note
If you choose is in or is not in as the operator, you cannot use the multi-selection pop-up window. You must type a comma-separated list of SIDs.
Rule Type
Specify whether the rule is or is not local. Local rules include custom standard text intrusion rules, standard text rules that you modified, and any new instances of shared object rules created when you saved the rule with modified header information. For more information, see .
Table 39-2      Syntax for Intrusion Events (continued)
If you specify...    Select an operator, then...
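The following is an added example, not code from the Cisco guide or the FireSIGHT product: a small evaluator that applies the intrusion-event conditions and operators described in Table 39-2 (is, is not, is greater than, and the typed comma-separated SID list required by is in / is not in) to constructed sample events. The event field names, the dictionary layout and the sample values are assumptions made for this illustration.

```python
# Added example: evaluate Table 39-2 style conditions against intrusion events.
# Field names ("sid", "impact", "inline_result", ...) and sample events are
# assumptions for illustration, not the product's own data model.
from typing import Any

IMPACT_LEVELS = {0: "gray (Unknown)", 1: "red (Vulnerable)",
                 2: "orange (Potentially Vulnerable)",
                 3: "yellow (Currently Not Vulnerable)", 4: "blue (Unknown Target)"}
PRIORITY_RANK = {"low": 0, "medium": 1, "high": 2}   # ordering for "is greater than"


def parse_sid_list(text: str) -> set[int]:
    """'is in' / 'is not in' take a typed comma-separated SID list (see the Rule SID note)."""
    return {int(s) for s in text.split(",") if s.strip()}


def condition_matches(event: dict, field: str, op: str, value: Any) -> bool:
    actual = event.get(field)
    if op == "is":
        return actual == value
    if op == "is not":
        return actual != value
    if op == "is greater than":
        if field == "priority":              # priorities are ordinal, not numeric
            return PRIORITY_RANK[actual] > PRIORITY_RANK[value]
        return actual > value                # e.g. impact level 0..4
    if op == "is in":
        return actual in parse_sid_list(value)
    if op == "is not in":
        return actual not in parse_sid_list(value)
    raise ValueError(f"unsupported operator: {op}")


def rule_matches(event: dict, conditions: list) -> bool:
    """All conditions of a rule trigger must hold (logical AND)."""
    return all(condition_matches(event, f, o, v) for f, o, v in conditions)


# Constructed sample events (not real intrusion events).
EVENTS = [
    {"sid": 2003, "impact": 1, "inline_result": "dropped", "priority": "high",
     "ioc_tag": True, "local_rule": False},
    {"sid": 1000001, "impact": 4, "inline_result": "would have dropped",
     "priority": "medium", "ioc_tag": False, "local_rule": True},
]

# Rule: vulnerable target (impact 1), packet actually dropped, SID in a watched list.
VULNERABLE_DROPPED = [("impact", "is", 1), ("inline_result", "is", "dropped"),
                      ("sid", "is in", "2003, 2004, 2005")]


def matching_sids(conditions: list) -> list:
    """Return the SIDs of sample events that satisfy every condition."""
    return [e["sid"] for e in EVENTS if rule_matches(e, conditions)]
```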