Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 21  Managing Rules in an Intrusion Policy
Viewing Rules in an Intrusion Policy
Step 1  Click Add next to Thresholds.
        The Set Threshold dialog box appears.
Step 2  Select the type of threshold you want to set:
  • Select Limit to limit notification to the specified number of event instances per time period.
  • Select Threshold to provide notification for each specified number of event instances per time period.
  • Select Both to provide notification once per time period after a specified number of event instances.
Step 3  Select the appropriate option for Track By to indicate whether you want the event instances tracked by source or destination IP address.
Step 4  In the Count field, type the number of event instances you want to use as your threshold.
Step 5  In the Seconds field, type a number between 1 and 86400 that specifies the time period for which event instances are tracked.
Step 6  Click OK.
        The system adds your threshold and displays an event filter icon next to the rule in the Event Filtering column. If you add multiple event filters to a rule, the system includes an indication over the icon of the number of event filters.
Setting Suppression for a Rule
License: Protection
You can set one or more suppressions for a rule from the Rule Detail page. For more information on suppression, see .
Note that a revert icon appears in a field when you type an invalid value; click it to revert to the last valid value for that field or to clear the field if there was no previous value.
To set suppression from the rule details:
Access: Admin/Intrusion Admin
Step 1  Click Add next to Suppressions.
        The Add Suppression dialog box appears.
Step 2  Select one of the following Suppression Type options:
  • Select Rule to completely suppress events for a selected rule.
  • Select Source to suppress events generated by packets originating from a specified source IP address.
  • Select Destination to suppress events generated by packets going to a specified destination IP address.
Step 3  If you selected Source or Destination for the suppression type, in the Network field enter the IP address, an address block, or a comma-separated list comprised of any combination of these. When the intrusion policy is associated with the default action of an access control policy, you can also specify or list a network variable in the default action variable set.
        For information on using IPv4 CIDR and IPv6 prefix length address blocks in the FireSIGHT System, see
Step 4  Click OK.