Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 21: Managing Rules in an Intrusion Policy
Adding Dynamic Rule States
You set the number of hits for that rule by specifying a count and the number of seconds within which 
those hits should occur to trigger the action change. In addition, you can set a timeout to cause the action 
to revert to the previous state for the rule when the timeout expires. 
You can define multiple dynamic rule state filters for the same rule. The first filter listed in the rule 
details in the intrusion policy has the highest priority. Note that when two rate-based filter actions 
conflict, the action of the first rate-based filter is carried out. 
Note that a revert icon appears in a field when you type an invalid value; click it to revert to the 
last valid value for that field or to clear the field if there was no previous value.
Note: Dynamic rule states cannot enable disabled rules or drop traffic that matches disabled rules.
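The following Python model is an added example, not code from the FireSIGHT documentation or product. It shows how the count, seconds, timeout and tracking settings described above interact, including first-filter priority and the disabled-rule restriction. Assumptions: all class and function names, the state labels `generate`, `drop` and `disabled`, a sliding time window, and the triggering hit itself receiving the new state.

```python
from collections import defaultdict, deque

class RateFilter:
    """One dynamic rule state: `count` hits inside `seconds` switch the rule
    to `new_state` until `timeout` seconds have passed, then it reverts."""

    def __init__(self, track_by, count, seconds, new_state, timeout):
        self.track_by, self.count, self.seconds = track_by, count, seconds
        self.new_state, self.timeout = new_state, timeout
        self.hits = defaultdict(deque)  # tracking key -> recent hit times
        self.active_until = {}          # tracking key -> time of revert

    def observe(self, t, src, dst):
        """Count a hit at time t; return new_state while the filter is active."""
        key = {"source": src, "destination": dst, "rule": "*"}[self.track_by]
        if key in self.active_until:
            if t < self.active_until[key]:
                return self.new_state
            del self.active_until[key]  # timeout expired: previous state again
            self.hits[key].clear()
        window = self.hits[key]
        window.append(t)
        while window and t - window[0] >= self.seconds:  # assumed sliding window
            window.popleft()
        if len(window) >= self.count:
            self.active_until[key] = t + self.timeout
            return self.new_state
        return None

def rule_state(base_state, filters, t, src, dst):
    """State applied to one hit; `filters` is in policy order, first wins."""
    if base_state == "disabled":
        return base_state  # a dynamic state never enables a disabled rule
    results = [f.observe(t, src, dst) for f in filters]  # all filters count it
    return next((r for r in results if r is not None), base_state)

def replay(base_state, filters, events):
    """Run constructed (time, src, dst) hits through the model."""
    return [rule_state(base_state, filters, *e) for e in events]

# Constructed sample hits on one rule: (seconds, source, destination).
EVENTS = [(0, "10.0.0.5", "10.0.1.9"), (4, "10.0.0.5", "10.0.1.9"),
          (8, "10.0.0.5", "10.0.1.9"), (9, "10.0.0.7", "10.0.1.9"),
          (20, "10.0.0.5", "10.0.1.9"), (40, "10.0.0.5", "10.0.1.9")]

if __name__ == "__main__":
    by_source = RateFilter("source", count=3, seconds=10, new_state="drop", timeout=30)
    print(replay("generate", [by_source], EVENTS))
```
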
To add a dynamic rule state:
Access: Admin/Intrusion Admin
Step 1  Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2  Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See  for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3  Click Rules.
The Rules page appears.
Step 4  Locate the rule or rules where you want to add a dynamic rule state. You have the following options:
  • To sort the current display, click on a column heading or icon. To reverse the sort, click again.
  • Construct a filter by clicking on keywords or arguments in the filter panel on the left. For more information, see the following topics: .
The page refreshes to display all matching rules.
Step 5  Select the rule or rules where you want to add a dynamic rule state. You have the following options:
  • To select a specific rule, select the check box next to the rule.
  • To select all the rules in the current list, select the check box at the top of the column.
Step 6  Select Dynamic State > Add Rate-Based Rule State.
The Add Rate-Based Rule State dialog box appears.
Step 7  Select the appropriate Track By option to indicate how you want the rule matches tracked:
  • Select Source to track the number of hits for that rule from a specific source or set of sources.
  • Select Destination to track the number of hits for that rule to a specific destination or set of destinations.
  • Select Rule to track all matches for that rule.
Step 8  When you set Track By to Source or Destination, enter the address of each host you want to track in the Network field.