Cisco Firepower Management Center 4000
18-23
FireSIGHT System User Guide
Chapter 18 Working with Intrusion Events
Using the Packet View
Note that HTTP request packets do not always include a URI. For rule-based events, this row appears when the packet contains the HTTP host name or the HTTP URI.
To see the associated HTTP URI in intrusion events triggered by HTTP responses, you should configure HTTP server ports in the Perform Stream Reassembly on Both Ports option; note, however, that this increases resource demands for traffic reassembly. See
Intrusion Policy
The intrusion policy, if present, where the intrusion, preprocessor, or decoder rule that generated the intrusion event was enabled. You can select an intrusion policy as the default action for an access control policy or associate an intrusion policy with an access control rule. See
Access Control Policy
The access control policy that includes the intrusion policy where the intrusion, preprocessor, or decoder rule that generated the event is enabled. See
Access Control Rule
The access control rule associated with an intrusion rule that generated the event; see
Default Action indicates that the intrusion policy where the rule is enabled is not associated with an access control rule but, instead, is configured as the default action of the access control policy; see .
Rule
For standard text rule events, the rule that generated the event.
Note that if the event is based on a shared object rule, a decoder, or a preprocessor, the rule is not available.
Because rule data may contain sensitive information about your network, administrators may toggle users’ ability to view rule information in the packet view with the View Local Rules permission in the user role editor. For more information, see .
Actions
For standard text rule events, expand Actions to take any of the following actions on the rule that triggered the event:
– edit the rule
– view documentation for the revision of the rule
– add a comment to the rule
– change the state of the rule
– set a threshold for the rule
– suppress the rule
See for more information.
Note that if the event is based on a shared object rule, a decoder, or a preprocessor, the rule is not available.