Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 21: Managing Rules in an Intrusion Policy
Viewing Rules in an Intrusion Policy
The system adds your suppression conditions and displays an event filter icon in the Event Filtering column next to the suppressed rule. If you add multiple event filters to a rule, a number over the icon indicates the number of filters.
Setting a Dynamic Rule State for a Rule
License: Protection
You can set one or more dynamic rule states for a rule from the Rule Detail page. The first dynamic rule state listed has the highest priority. Note that when two dynamic rule states conflict, the action of the first is carried out. For more information on dynamic rule states, see
Note that a revert icon appears in a field when you type an invalid value; click it to revert to the last valid value for that field or to clear the field if there was no previous value.
To set a dynamic rule state from the rule details:
Access: Admin/Intrusion Admin
Step 1  Click Add next to Dynamic State.
        The Add Rate-Based Rule State dialog box appears.
Step 2  Select the appropriate Track By option to indicate how you want the rule matches tracked:
  • Select Source to track the number of hits for that rule from a specific source or set of sources.
  • Select Destination to track the number of hits for that rule to a specific destination or set of destinations.
  • Select Rule to track all matches for that rule.
Step 3  Optionally, when you set Track By to Source or Destination, enter the IP address of each host you want to track in the Network field.
        For information on using IPv4 CIDR and IPv6 prefix length notation in the FireSIGHT System, see .
Step 4  Indicate the number of rule matches per time period to set the attack rate:
  • In the Count field, using an integer between 1 and 2147483647, specify the number of rule matches you want to use as your threshold.
  • In the Seconds field, using an integer between 1 and 2147483647, specify the number of seconds that make up the time period for which attacks are tracked.
Step 5  Select a New State radio button to specify the new action to be taken when the conditions are met:
  • Select Generate Events to generate an event.
  • Select Drop and Generate Events to generate an event and drop the packet that triggered the event in inline deployments or to generate an event in passive deployments.
  • Select Disabled to take no action.
Step 6  In the Timeout field, using an integer between 1 and 2147483647 (approximately 68 years), type the number of seconds you want the new action to remain in effect. After the timeout occurs, the rule reverts to its original state. Specify 0 to prevent the new action from timing out.
Step 7  Click OK.
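The following Python model is an added example, not code from the FireSIGHT System or this guide. It shows how the Track By, Count, Seconds, New State, and Timeout settings from the procedure above interact. The class and state names are hypothetical, and it assumes a sliding time window, that the match reaching the threshold already receives the new state, and that the rule's original state is Generate Events.

```python
from dataclasses import dataclass

MAX = 2147483647  # upper bound the guide gives for Count, Seconds and Timeout
STATES = ("generate", "drop_and_generate", "disabled")  # hypothetical names

@dataclass
class DynamicRuleState:
    track_by: str        # "source", "destination" or "rule"
    count: int           # rule matches used as the threshold
    seconds: int         # length of the tracking period
    new_state: str       # state applied once the threshold is met
    timeout: int         # seconds the new state lasts; 0 = never times out
    base_state: str = "generate"  # the rule's original state (assumed)

    def __post_init__(self):
        if self.track_by not in ("source", "destination", "rule"):
            raise ValueError("track_by must be source, destination or rule")
        if self.new_state not in STATES:
            raise ValueError("unknown new_state")
        if not (1 <= self.count <= MAX and 1 <= self.seconds <= MAX):
            raise ValueError("count and seconds must be 1..2147483647")
        if not 0 <= self.timeout <= MAX:
            raise ValueError("timeout must be 0..2147483647")
        self._hits, self._since = {}, {}

    def match(self, now, src, dst):
        """Record one rule match at time `now`; return the state applied to it."""
        key = {"source": src, "destination": dst, "rule": "*"}[self.track_by]
        if key in self._since:
            if self.timeout == 0 or now - self._since[key] < self.timeout:
                return self.new_state
            del self._since[key]           # timeout elapsed: revert
            self._hits.pop(key, None)      # and start counting afresh
        recent = [t for t in self._hits.get(key, []) if now - t < self.seconds]
        recent.append(now)
        self._hits[key] = recent
        if len(recent) >= self.count:      # attack rate reached
            self._since[key] = now
            return self.new_state
        return self.base_state

if __name__ == "__main__":
    # Constructed sample: 3 matches in 10 s from one source, 30 s timeout.
    rs = DynamicRuleState("source", 3, 10, "drop_and_generate", 30)
    for t in (0, 1, 2, 20, 40):
        print(t, rs.match(t, "192.0.2.10", "198.51.100.7"))
```

The Network field from Step 3 is not modeled; every source or destination is tracked.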