Cisco Firepower Management Center 4000
21-26
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Filtering Intrusion Event Notification Per Policy
If you have unsaved changes in another policy, click OK to discard those changes and continue. See for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3 Click Manage Rules.
The Rules page appears. By default, the page lists the rules alphabetically by message.
Step 4 Locate the rule or rules that have a configured threshold you want to view or delete. You have the following options:
• To sort the current display, click on a column heading or icon. To reverse the sort, click again.
• Construct a filter by clicking on keywords or arguments in the filter panel on the left. For more information, see the following topics:
The page refreshes to display all matching rules.
Step 5 Select the rule or rules with a configured threshold you want to view or delete. You have the following options:
• To select a specific rule, select the check box next to the rule.
• To select all the rules in the current list, select the check box at the top of the column.
Step 6 To remove the threshold for each selected rule, select Event Filtering > Remove Thresholds. Click OK in the confirmation pop-up window that appears.
Tip: To remove a specific threshold, you can also highlight the rule and click Show details. Expand the threshold settings and click Delete next to the threshold settings. Click OK to confirm that you want to delete the configuration.
The page refreshes and the threshold is deleted.
Step 7 Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. See the table for more information.
Configuring Suppression Per Intrusion Policy
License: Protection
You can suppress intrusion event notification when a specific IP address or range of IP addresses triggers a specific rule or preprocessor. This is useful for eliminating false positives. For example, if you have a mail server that transmits packets that look like a specific exploit, you can suppress event notification for that event when it is triggered by your mail server. The rule triggers for all packets, but you only see events for legitimate attacks.
Note that you can use intrusion event suppression alone or in any combination with rate-based attack prevention, the detection_filter keyword, and intrusion event thresholding. See for more information.
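The mail-server scenario above, modelled as an added example (not code from the FireSIGHT product or this guide): a suppression entry is keyed to one rule (generator ID and rule ID) and hides events only when the tracked address (source or destination) falls inside the configured IP or range; the rule still fires for every packet, so the fired count is unchanged while the visible events shrink. Rule IDs, addresses and the tracking labels "rule"/"source"/"destination" are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    gid: int   # generator ID (1 = standard text rules in Snort-based engines)
    sid: int   # rule ID within that generator
    src: str   # source IP of the packet that triggered the rule
    dst: str   # destination IP of that packet


@dataclass(frozen=True)
class Suppression:
    gid: int
    sid: int
    track: str                     # "rule", "source" or "destination" (constructed labels)
    network: Optional[str] = None  # single IP or CIDR range; unused when track == "rule"


def matches(event: Event, sup: Suppression) -> bool:
    """True if this suppression entry hides this event."""
    if (event.gid, event.sid) != (sup.gid, sup.sid):
        return False                # suppression is always scoped to one rule
    if sup.track == "rule":
        return True                 # hide every event for the rule, any address
    addr = ipaddress.ip_address(event.src if sup.track == "source" else event.dst)
    return addr in ipaddress.ip_network(sup.network, strict=False)


def apply_suppressions(events, suppressions):
    """Return (number of times rules fired, events still shown to the analyst)."""
    visible = [e for e in events if not any(matches(e, s) for s in suppressions)]
    return len(events), visible


# Constructed sample: hypothetical rule 1:2000001 looks like an exploit signature
# that the legitimate mail server 10.0.0.25 also trips; 198.51.100.7 is an outside host.
SAMPLE_EVENTS = [
    Event(1, 2000001, "10.0.0.25", "203.0.113.9"),    # mail server as source: suppressed
    Event(1, 2000001, "198.51.100.7", "10.0.0.25"),   # outside host: still shown
    Event(1, 2000002, "10.0.0.25", "203.0.113.9"),    # different rule: still shown
    Event(1, 2000001, "10.0.0.26", "203.0.113.9"),    # inside the suppressed range
]
SAMPLE_SUPPRESSIONS = [Suppression(1, 2000001, "source", "10.0.0.24/29")]

if __name__ == "__main__":
    fired, shown = apply_suppressions(SAMPLE_EVENTS, SAMPLE_SUPPRESSIONS)
    print(f"rule fired {fired} times, {len(shown)} events shown")
    for e in shown:
        print(e)
```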
See the following sections for more information: