Cisco Firepower Management Center 4000
FireSIGHT System User Guide
 
Chapter 21      Managing Rules in an Intrusion Policy
  Filtering Intrusion Event Notification Per Policy
Next, you must specify the tracking, which determines whether the event threshold is calculated per 
source or destination IP address. Select one of the options from the following table to specify how the 
system tracks event instances. 
Finally, you must specify the number of instances and time period that define the threshold.
Table 21-6    Thresholding Options

Option      Description

Limit       Logs and displays events for the specified number of packets (specified by the
            Count argument) that trigger the rule during the specified time period. For
            example, if you set the type to Limit, the Count to 10, and the Seconds to 60,
            and 14 packets trigger the rule, the system stops logging events for the rule
            after displaying the first 10 that occur within the same minute.

Threshold   Logs and displays a single event when the specified number of packets (specified
            by the Count argument) trigger the rule during the specified time period. Note
            that the counter for the time restarts after you hit the threshold count of
            events and the system logs that event. For example, you set the type to
            Threshold, the Count to 10, and the Seconds to 60, and the rule triggers 10
            times by second 33. The system generates one event, then resets the Seconds and
            Count counters to 0. The rule then triggers another 10 times in the next 25
            seconds. Because the counters reset to 0 at second 33, the system logs another
            event.

Both        Logs and displays an event once per specified time period, after the specified
            number (count) of packets trigger the rule. For example, if you set the type to
            Both, the Count to two, and the Seconds to 10, the following event counts
            result:
            • If the rule is triggered once in 10 seconds, the system does not generate any
              events (the threshold is not met)
            • If the rule is triggered twice in 10 seconds, the system generates one event
              (the threshold is met when the rule triggers the second time)
            • If the rule is triggered four times in 10 seconds, the system generates one
              event (the threshold is met when the rule triggers the second time, and
              following events are ignored)
Table 21-7    Thresholding IP Options

Option        Description

Source        Calculates event instance count per source IP address.

Destination   Calculates event instance count per destination IP address.
Table 21-8    Thresholding Instance/Time Options

Option      Description

Count       The number of event instances per specified time period per tracking IP address
            required to meet the threshold.

Seconds     The number of seconds that elapse before the count resets. If you set the
            threshold type to Limit, the tracking to Source IP, the Count to 10, and the
            Seconds to 10, the system logs and displays the first 10 events that occur in
            10 seconds from a given source IP address. If only 7 events occur in the first
            10 seconds, the system logs and displays those; if 40 events occur in the first
            10 seconds, the system logs and displays 10, then begins counting again when the
            10-second time period elapses.
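The three threshold types and the per-IP tracking described in Tables 21-6 through 21-8 can be modelled with a small simulator. This is an added example, not Cisco's or Snort's own code; it assumes the rule's triggers arrive as (timestamp in seconds, tracking IP) pairs, uses a constructed `burst` helper and a sample address, and replays the worked scenarios from the tables.

```python
from collections import defaultdict

# Added simulator of FireSIGHT/Snort event thresholding (Tables 21-6 to 21-8).
# Not Cisco's implementation; the semantics follow the guide's descriptions.

def apply_threshold(events, kind, count, seconds):
    """events: (timestamp_seconds, tracking_ip) triggers for one rule, where
    tracking_ip is the source or destination address chosen per Table 21-7.
    Returns the triggers that would actually be logged."""
    window_start = {}          # per-IP start of the current time window
    seen = defaultdict(int)    # per-IP triggers counted in that window
    logged = []
    for ts, ip in sorted(events):
        # open a fresh window on first sight or once `seconds` have elapsed
        if ip not in window_start or ts - window_start[ip] >= seconds:
            window_start[ip], seen[ip] = ts, 0
        seen[ip] += 1
        n = seen[ip]
        if kind == "limit":            # first `count` per window, drop the rest
            if n <= count:
                logged.append((ts, ip))
        elif kind == "threshold":      # one event per `count` triggers; reset on hit
            if n == count:
                logged.append((ts, ip))
                window_start[ip], seen[ip] = ts, 0
        elif kind == "both":           # once per window, when `count` is met
            if n == count:
                logged.append((ts, ip))
        else:
            raise ValueError("kind must be limit, threshold or both")
    return logged

def guide_scenarios():
    """Replay the worked examples from the tables; returns logged-event counts."""
    src = "192.0.2.10"   # constructed sample source IP (tracking = Source)
    burst = lambda n, start=0: [(start + t, src) for t in range(n)]
    return {
        "limit_14_in_60s": len(apply_threshold(burst(14), "limit", 10, 60)),
        # 10 triggers ending at second 33, 10 more within the next 25 seconds
        "threshold_two_bursts": len(apply_threshold(burst(10, 24) + burst(10, 40),
                                                    "threshold", 10, 60)),
        "both_once": len(apply_threshold(burst(1), "both", 2, 10)),
        "both_twice": len(apply_threshold(burst(2), "both", 2, 10)),
        "both_four": len(apply_threshold(burst(4), "both", 2, 10)),
    }
```

Note that with Limit and Both the triggers beyond the count are dropped rather than logged, so the number of logged events understates the real trigger volume for a noisy source; keep this in mind before using event counts alone to scope an incident.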