Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 21: Managing Rules in an Intrusion Policy
Filtering Intrusion Event Notification Per Policy
Tip: You can also add suppressions from within the packet view of an intrusion event. See  for more information. You can also access suppression settings by using the right-click context menu on the Rule Editor page and on any intrusion event page (if the event was triggered by an intrusion rule).
Suppressing Intrusion Events
License: Protection
You can suppress intrusion event notification for a rule or rules. When notification is suppressed for a rule, the rule triggers but events are not generated. You can set one or more suppressions for a rule. The first suppression listed has the highest priority. Note that when two suppressions conflict, the action of the first is carried out.
Note that a revert icon appears in a field when you type an invalid value; click it to revert to the last valid value for that field or to clear the field if there was no previous value.
To suppress event display:
Access: Admin/Intrusion Admin
Step 1
Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2
Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See  for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3
Click Manage Rules.
The Rules page appears. By default, the page lists the rules alphabetically by message. 
Step 4
Locate the rule or rules where you want to set suppression. You have the following options:
  • To sort the current display, click on a column heading or icon. To reverse the sort, click again.
  • Construct a filter by clicking on keywords or arguments in the filter panel on the left. For more information, see the following topics: .
The page refreshes to display all matching rules.
Step 5
Select the rule or rules for which you want to configure suppression conditions. You have the following options:
  • To select a specific rule, select the check box next to the rule.
  • To select all the rules in the current list, select the check box at the top of the column.
Step 6
Select Event Filtering > Suppression.
The suppression pop-up window appears.
Step 7
Select one of the following Suppression Type options: