Cisco Firepower Management Center 4000
24-7
FireSIGHT System User Guide
Chapter 24      Using Performance Settings in an Intrusion Policy
  Understanding Rule Latency Thresholding
In the second example, the time required to process each of the five packets violates the rule latency 
threshold of 1000 microseconds. The group of rules is suspended because the rule processing time of 
1100 microseconds for each packet violates the threshold of 1000 microseconds for the specified five 
consecutive violations. Any subsequent packets, represented in the figure as packets 6 through n, are not 
examined against suspended rules until the suspension expires. If more packets occur after the rules are 
re-enabled, the violations counter begins again at zero.
Rule latency thresholding has no effect on intrusion events triggered by the rules processing the packet. 
A rule triggers an event for any intrusion detected in the packet, regardless of whether the rule processing 
time exceeds the threshold. If the rule detecting the intrusion is a drop rule in an inline deployment, the 
packet is dropped. When a drop rule detects an intrusion in a packet that results in the rule being 
suspended, the drop rule triggers an intrusion event, the packet is dropped, and that rule and all related 
rules are suspended. For more information on drop rules, see 
.
Note
Packets are not evaluated against suspended rules. A suspended rule that would have triggered an event 
cannot trigger that event and, for drop rules, cannot drop the packet.
Rule latency thresholding can improve system performance in both passive and inline deployments, and 
can reduce latency in inline deployments, by suspending rules that take the most time to process packets. 
Packets are not evaluated again against suspended rules until a configurable time expires, giving the 
overloaded device time to recover. These performance benefits might occur when, for example:
  • hastily written, largely untested rules require an excessive amount of processing time
  • a period of poor network performance, such as when someone downloads an extremely large file, 
    causes slow packet inspection
See the following sections for more information:
Setting Rule Latency Thresholding Options
License: Protection
When enabled, rule latency thresholding suspends rules for the time specified by Suspension Time when 
the time rules take to process a packet exceeds Threshold for the consecutive number of times specified 
by Consecutive Threshold Violations Before Suspending Rule.
You can enable rule 134:1 to generate an event when rules are suspended, and rule 134:2 to generate an 
event when suspended rules are enabled. See 
 and 
 for more information.
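To make the suspend/re-enable cycle concrete, the following simulation (added here as an example; it is not Cisco code) replays the guide's second example: five consecutive packets at 1100 microseconds against a 1000 microsecond Threshold, followed by packets that arrive while the rules are suspended and after the suspension expires. The packet timings, the 10-second Suspension Time and the 134:1/134:2 event labels are constructed assumptions.

```python
"""Simulation of rule latency thresholding as described in the FireSIGHT guide.
Not Cisco code: timings, suspension time and event labels are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RuleLatencyThresholder:
    threshold_us: int            # Threshold: max microseconds the rules may spend on one packet
    consecutive_violations: int  # Consecutive Threshold Violations Before Suspending Rule
    suspension_time_s: float     # Suspension Time (seconds, assumed unit for this simulation)
    violations: int = 0
    suspended_until: Optional[float] = None
    events: List[Tuple[int, str]] = field(default_factory=list)  # stands in for rules 134:1 / 134:2

    def inspect(self, pkt_no: int, now_s: float, rule_time_us: int) -> bool:
        """Return True if the packet was examined by the rule group, False if it was skipped."""
        if self.suspended_until is not None:
            if now_s < self.suspended_until:
                return False                      # packets are not evaluated against suspended rules
            self.suspended_until = None
            self.violations = 0                   # counter begins again at zero after re-enabling
            self.events.append((pkt_no, "134:2 rules re-enabled"))
        if rule_time_us > self.threshold_us:
            self.violations += 1                  # another consecutive violation
        else:
            self.violations = 0                   # a compliant packet breaks the streak
        if self.violations >= self.consecutive_violations:
            # The packet that completes the streak is still fully examined (and can still
            # trigger an event or drop); suspension applies to subsequent packets only.
            self.suspended_until = now_s + self.suspension_time_s
            self.events.append((pkt_no, "134:1 rules suspended"))
        return True


def run_second_example():
    """Replay the guide's second example with a constructed packet stream.

    Packets 1-8 arrive every 0.5 s at 1100 us each; packets 9 and 10 arrive after the
    10 s suspension has expired. Returns (examined packet numbers, events, final counter)."""
    t = RuleLatencyThresholder(threshold_us=1000, consecutive_violations=5, suspension_time_s=10.0)
    stream = [(n, n * 0.5, 1100) for n in range(1, 9)] + [(9, 13.0, 900), (10, 13.5, 1100)]
    examined = [n for n, ts, us in stream if t.inspect(n, ts, us)]
    return examined, t.events, t.violations


if __name__ == "__main__":
    print(run_second_example())
```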
The following table further describes the options you can set to configure rule latency thresholding.
Table 24-3      Rule Latency Thresholding Options
Option          Description
Threshold       Specifies the time in microseconds that rules should not exceed when examining a 
                packet. See the minimum threshold settings.