Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 21      Managing Rules in an Intrusion Policy
  Managing FireSIGHT Rule State Recommendations
Lists of addresses within the hosts that you specify are linked with an OR operation except for negations, 
which are linked with an AND operation after all OR operations are calculated.
Understanding Rule Overhead
License: Protection
Cisco rates the overhead of each intrusion rule as none, low, medium, high, or very high based on the 
rule’s potential impact on system performance and the likelihood that the rule may generate false 
positives. You can view the overhead rating for a rule in the rule detail view on the Rules page. See 
 for more information.
You can set the system to make rule state recommendations based on all rules up to and including a 
specified overhead rating, except for very high. You must manually set the rule state for any rule with a 
very high overhead rating. For example, when you generate recommendations for rules with medium 
overhead, the system makes recommendations based on all rules with an overhead rating of none, low, 
or medium, and does not make any recommendations for rules with high or very high overhead.
Note that the system factors rule overhead into recommendations to generate events or to drop and 
generate events. The system does not factor rule overhead into recommendations to disable rules. Note 
also that local rules have no overhead, unless they are mapped to a third-party vulnerability. See 
more information.
Generating recommendations for rules with the overhead rating at a particular setting does not preclude 
you from generating recommendations with different overhead, then generating recommendations again 
for the original overhead setting. You get the same rule state recommendations for each overhead setting 
each time you generate recommendations for the same rule set, regardless of the number of times you 
generate recommendations or with how many different overhead settings you generate. For example, you 
can generate recommendations with overhead set to medium, then to high, then to very high, and then to 
medium again and, if the hosts and applications on your network have not changed, both sets of 
recommendations with overhead set to medium will be the same for that rule set.
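The overhead filter described in this section, modelled in Python as an added example (not Cisco's code and not part of the guide). The rule IDs, candidate states and function names are constructed assumptions; how the system derives a candidate state from host data is taken as given input, and passing disable recommendations through for very high overhead rules is one reading of the text above.

```python
from typing import Optional

# Overhead ratings in ascending order, as named in the guide.
OVERHEAD = ["none", "low", "medium", "high", "very high"]

def recommend(candidate: str, overhead: str, threshold: str) -> Optional[str]:
    """Apply the overhead filter to one rule.

    candidate is the state the host data would suggest (constructed input):
    "generate", "drop_and_generate" or "disable". Returns None when the
    system would make no recommendation and the rule keeps its current state.
    """
    if candidate == "disable":
        # Overhead is not factored into recommendations to disable rules.
        return candidate
    if overhead == "very high":
        # Very high overhead rules are never recommended; set them manually.
        return None
    if OVERHEAD.index(overhead) <= OVERHEAD.index(threshold):
        return candidate
    return None

def recommendations(rules: list, threshold: str) -> dict:
    """Map each rule id to its surviving recommendation (None = no change)."""
    return {r["sid"]: recommend(r["candidate"], r["overhead"], threshold)
            for r in rules}

# Constructed rule set: ids, overheads and candidate states are illustrative.
RULES = [
    {"sid": 101, "overhead": "low", "candidate": "drop_and_generate"},
    {"sid": 102, "overhead": "medium", "candidate": "generate"},
    {"sid": 103, "overhead": "high", "candidate": "generate"},
    {"sid": 104, "overhead": "very high", "candidate": "drop_and_generate"},
    {"sid": 105, "overhead": "high", "candidate": "disable"},
    # Local rule not mapped to a third-party vulnerability: no overhead.
    {"sid": 1000001, "overhead": "none", "candidate": "generate"},
]

if __name__ == "__main__":
    # Medium, then high, then medium again: both medium runs are identical.
    for level in ("medium", "high", "medium"):
        print(level, recommendations(RULES, level))
```

Rules that come back as `None` at every threshold (here the very high overhead rule) are the ones to review and set by hand.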
Using FireSIGHT Recommendations
License: FireSIGHT + Protection
You can generate recommendations with or without using the recommended rule states, and with or 
without modifying the advanced settings for generating recommendations. See 
 an
 for more information. 
After generating recommendations, you can use the recommended rule states; you can also view 
recommended states and use any features available on the Rules page. 
To use FireSIGHT rule state recommendations:
Access: Admin/Intrusion Admin
Step 1  Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2  Click the edit icon next to the policy you want to edit.