Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 21      Managing Rules in an Intrusion Policy 
  Adding Dynamic Rule States
  • the duration of the action, which you configure as a timeout value
Note that when started, the new action occurs until the timeout is reached, even if the rate falls below 
the configured rate during that time period. When the timeout is reached, if the rate has fallen below the 
threshold, the action for the rule reverts to that initially configured for the rule.
You can configure rate-based attack prevention in an inline deployment to block attacks, either 
temporarily or permanently. Without rate-based configuration, rules set to Generate Events do generate 
events, but the system does not drop packets for those rules. However, if the attack traffic matches rules 
that have rate-based criteria configured, the rate action may cause packet dropping to occur for the period 
of time that the rate action is active, even if those rules are not initially set to Drop and Generate Events. 
Note: Rate-based actions cannot enable disabled rules or drop traffic that matches disabled rules.
You can define multiple rate-based filters on the same rule. The first filter listed in the intrusion policy 
has the highest priority. Note that when two rate-based filter actions conflict, the action of the first 
rate-based filter is carried out. 
The following diagram shows an example where an attacker is attempting to access a host. Repeated 
attempts to find a password trigger a rule which has rate-based attack prevention configured. The 
rate-based settings change the rule attribute to Drop and Generate Events after rule matches occur five 
times in a 10-second span. The new rule attribute times out after 15 seconds. 
After the timeout, note that packets are still dropped in the rate-based sampling period that follows. If 
the sampled rate is above the threshold in the current or previous sampling period, the new action 
continues. The new action reverts to Generate Events only after a sampling period completes where the 
sampled rate was below the threshold rate.
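The timing rules above (threshold count within a sampling period, a timeout during which the new action holds, and reversion only after a completed sampling period falls below the threshold) are easier to reason about as a small model. The following Python simulation is an added example; it is not Cisco code and does not claim to reproduce the FireSIGHT engine's internals. It assumes fixed sampling periods aligned to multiples of the configured seconds, that the match which reaches the threshold is itself handled with the new action, and that the first filter listed on a rule wins when several are active. The timestamp lists are constructed, not captured traffic.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Rule states named in the guide.
DISABLED = "Disabled"
GENERATE = "Generate Events"
DROP = "Drop and Generate Events"


@dataclass
class RateFilter:
    """One rate-based filter: `count` matches within a `seconds`-long sampling
    period switch the rule to `new_action` for `timeout` seconds."""
    count: int
    seconds: int
    new_action: str
    timeout: int
    # Internal state: matches seen per sampling period (index = t // seconds),
    # and when the new action started (None while the base action applies).
    counts: Dict[int, int] = field(default_factory=dict)
    active_since: Optional[float] = None

    def _above(self, period: int) -> bool:
        return self.counts.get(period, 0) >= self.count

    def on_match(self, t: float) -> Optional[str]:
        """Record a rule match at time t (seconds). Return the filter's action if
        it is in force for this packet, or None to fall back to the base action."""
        p = int(t // self.seconds)
        self.counts[p] = self.counts.get(p, 0) + 1
        if self.active_since is None:
            if self._above(p):          # threshold reached: start the new action
                self.active_since = t
                return self.new_action
            return None
        if t < self.active_since + self.timeout:
            # Until the timeout, the new action holds even if the rate drops.
            return self.new_action
        # Timeout reached. The action continues while the current or the just
        # completed sampling period is still at or above the threshold, and
        # reverts only once a completed period fell below it.
        if self._above(p) or self._above(p - 1):
            return self.new_action
        self.active_since = None
        return None


@dataclass
class Rule:
    base_action: str
    filters: List[RateFilter]   # listed order is priority order

    def handle(self, t: float) -> str:
        """Return the action applied to a packet that matches the rule at time t."""
        if self.base_action == DISABLED:
            return DISABLED          # rate-based actions cannot enable a disabled rule
        # Every filter sees the match; when several are active, the first one
        # listed decides, as the guide states for conflicting filter actions.
        results = [f.on_match(t) for f in self.filters]
        return next((a for a in results if a is not None), self.base_action)


def replay(times: List[float], rule: Rule) -> List[str]:
    """Feed a constructed list of match timestamps through the rule."""
    return [rule.handle(t) for t in times]


def brute_force_example() -> Rule:
    """The guide's scenario: five matches in 10 s switch a Generate Events rule
    to Drop and Generate Events for 15 s."""
    return Rule(GENERATE, [RateFilter(count=5, seconds=10, new_action=DROP, timeout=15)])


if __name__ == "__main__":
    # Constructed timelines (seconds since start), not captured traffic.
    short_burst = [1, 2, 3, 4, 5, 7, 12, 18, 21, 33]            # attacker gives up
    sustained = [1, 2, 3, 4, 5, 11, 12, 13, 14, 15, 21, 35]   # attacker keeps guessing
    for name, times in (("short burst", short_burst), ("sustained", sustained)):
        print(name)
        for t, action in zip(times, replay(times, brute_force_example())):
            print(f"  t={t:>3}s  {action}")
```

In the short burst, the fifth match at 5 s switches the rule to Drop and Generate Events; the matches at 7, 12 and 18 s are dropped while the 15 s timeout runs, and the match at 21 s reverts the rule because neither the current nor the previous sampling period reached five matches. In the sustained run, the previous period (10 to 20 s) did reach the threshold, so the match at 21 s is still dropped after the timeout, and the rule only reverts at 35 s once a completed period stayed below the rate.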
Setting a Dynamic Rule State
License: Protection
In some cases, you may not want to set a rule to the Drop and Generate Events state because you do not 
want to drop every packet that matches the rule, but you do want to drop packets matching the rule if a 
particular rate of matches occurs in a specified time. Dynamic rule states let you configure the rate that 
should trigger a change in the action for a rule, what the action should change to when the rate is met, 
and how long the new action should persist.