FireSIGHT System User Guide
 
Chapter 21 Managing Rules in an Intrusion Policy
Filtering Intrusion Event Notification Per Policy
License: Protection
The importance of an intrusion event can be based on frequency of occurrence, or source or destination 
IP address. In some cases you may not care about an event until it has occurred a certain number of times. 
For example, you may not be concerned if someone attempts to log into a server until they fail a certain 
number of times. In other cases, you may only need to see a few occurrences to know there is a 
widespread problem. For example, if a DoS attack is launched against your web server, you may only 
need to see a few occurrences of an intrusion event to know that you need to address the situation. Seeing 
hundreds of the same event only overwhelms your system. 
See the following sections for more information:
  • Configuring Event Thresholding explains how to set thresholds that dictate how often (based on the number of occurrences) an event is displayed. You can configure thresholding per event, per policy.
  • explains how to suppress notification of specified events per source or destination IP address per policy.
Configuring Event Thresholding
License: Protection
You can set thresholds for individual rules per intrusion policy to limit the number of times the system 
logs and displays an intrusion event based on how many times the event is generated within a specified 
time period. This can prevent you from being overwhelmed with a large number of identical events. You 
can set thresholds per shared object rule, standard text rule, or preprocessor rule.
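The following is an added illustration, not code from the FireSIGHT guide or from Cisco: a small per-rule notification filter that shows how a count-within-a-time-window threshold and a per-address suppression list decide which of a rule's events are shown. The threshold mode names (`limit`, `threshold`, `both`) and their semantics are assumptions modeled on Snort-style thresholding rather than the guide's own table, which is not reproduced above; the rule IDs, IP addresses and event stream are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One intrusion event as produced by a rule (constructed sample shape)."""
    ts: float        # seconds since epoch
    rule_id: str     # generator:signature id, e.g. "1:100001" (constructed value)
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Threshold:
    """Per-rule threshold. Modes are assumptions modeled on Snort-style thresholding:
    'limit'     - notify on the first `count` events per window, then stay quiet
    'threshold' - notify on every `count`-th event within a window
    'both'      - notify once per window, when the `count`-th event arrives
    """
    mode: str
    count: int
    seconds: float
    track_by: str    # "src" or "dst": which address the counter is keyed on


class NotificationFilter:
    def __init__(self) -> None:
        self.thresholds: Dict[str, Threshold] = {}
        # (rule_id, "src"/"dst", ip) tuples whose events are never shown
        self.suppressions: Set[Tuple[str, str, str]] = set()
        # (rule_id, tracked ip) -> (window_start, count_in_window)
        self._state: Dict[Tuple[str, str], Tuple[float, int]] = {}

    def set_threshold(self, rule_id: str, th: Threshold) -> None:
        if th.mode not in ("limit", "threshold", "both") or th.count < 1:
            raise ValueError("bad threshold definition")
        self.thresholds[rule_id] = th

    def suppress(self, rule_id: str, track_by: str, ip: str) -> None:
        self.suppressions.add((rule_id, track_by, ip))

    def should_notify(self, ev: Event) -> bool:
        # Suppression is absolute: a matching event is dropped before it is counted.
        if (ev.rule_id, "src", ev.src_ip) in self.suppressions:
            return False
        if (ev.rule_id, "dst", ev.dst_ip) in self.suppressions:
            return False
        th = self.thresholds.get(ev.rule_id)
        if th is None:
            return True                    # no threshold: every event is shown
        ip = ev.src_ip if th.track_by == "src" else ev.dst_ip
        key = (ev.rule_id, ip)
        start, n = self._state.get(key, (ev.ts, 0))
        if ev.ts - start >= th.seconds:    # window expired: start a new one
            start, n = ev.ts, 0
        n += 1
        self._state[key] = (start, n)
        if th.mode == "limit":
            return n <= th.count
        if th.mode == "threshold":
            return n % th.count == 0
        return n == th.count               # "both"


def run_sample() -> Dict[str, List[int]]:
    """Replay constructed events through two rules and return the indexes shown per rule."""
    f = NotificationFilter()
    # Failed logins: only worth seeing once a source has failed 5 times in 60 s.
    f.set_threshold("1:100001", Threshold("both", 5, 60.0, "src"))
    # Flood signature: three hits per minute against a server are plenty; drop the rest.
    f.set_threshold("1:100002", Threshold("limit", 3, 60.0, "dst"))
    # A host handled elsewhere: never show its login events for this rule.
    f.suppress("1:100001", "src", "203.0.113.9")

    events = (
        [Event(10.0 + i, "1:100001", "198.51.100.7", "192.0.2.10") for i in range(7)]    # 7 failures
        + [Event(10.0 + i, "1:100001", "203.0.113.9", "192.0.2.10") for i in range(6)]   # suppressed
        + [Event(100.0 + i, "1:100002", "198.51.100.%d" % i, "192.0.2.80") for i in range(8)]  # flood
        + [Event(200.0, "1:100002", "198.51.100.1", "192.0.2.80")]                       # new window
    )
    shown: Dict[str, List[int]] = defaultdict(list)
    for idx, ev in enumerate(events):
        if f.should_notify(ev):
            shown[ev.rule_id].append(idx)
    return dict(shown)


if __name__ == "__main__":
    print(run_sample())
```

Of the seven login failures, only the fifth is shown; the suppressed host's events never appear; and the flood against the web server produces three notifications in its first minute and one more when a later event opens a new window.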
For more information, see the following sections:
  • Understanding Event Thresholding
Understanding Event Thresholding
License: Protection
First, you must specify the thresholding type. You can select from the options discussed in the following 
table.