Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Filtering Rules in an Intrusion Policy
You can also type a filter using the same keyword and argument syntax supplied when you select a filter,
or modify argument values in a filter after you select it. When you type in search terms without a
keyword, without initial capitalization of the keyword, or without quotes around the argument, the search
is treated as a string search and the category, message, and SID fields are searched for the specified
terms.
To filter for specific rules in an intrusion policy:
Access: Admin/Intrusion Admin
Step 1
Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2
Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3
Click Manage Rules.
The Rules page appears. By default, the page lists the rules alphabetically by message.
Step 4
Construct a filter by clicking on keywords or arguments in the filter panel on the left. Note that if you click an argument for a keyword already in the filter, it replaces the existing argument. See the following for more information:
The page refreshes to display all matching rules, and the number of rules matching the filter is displayed above the filter text box.
Step 5
Select the rule or rules where you want to apply a new setting. You have the following options:
• To select a specific rule, select the check box next to the rule.
• To select all the rules in the current list, select the check box at the top of the column.
Step 6
Optionally, make any changes to the rule that you would normally make on the page. See the following sections for more information:
• See for information on enabling and disabling rules on the Rules page.
• See for information on adding thresholding and suppression to rules.
• See for information on setting dynamic rule states that trigger when rate anomalies occur in matching traffic.
• See for information on adding SNMP alerts to specific rules.
• See for more information on adding rule comments to rules.