Cisco Cisco Firepower Management Center 4000
24-10
FireSIGHT System User Guide
Chapter 24 Using Performance Settings in an Intrusion Policy
Constraining Regular Expressions
Step 3
Click
Advanced Settings
in the navigation panel on the left.
The Advanced Settings page appears.
Step 4
Click
Edit
next to
Performance Statistics Configuration
under
Performance Settings
.
The Performance Statistics Configuration page appears.
Tip
You cannot disable the Performance Statistics Configuration advanced setting. This ensures that Support
can troubleshoot your system.
can troubleshoot your system.
A message at the bottom of the page identifies the intrusion policy layer that contains the configuration.
See
See
for more information.
Step 5
Optionally, you can modify any of the performance statistics options:
•
To specify the number of seconds for the system to wait since the last performance statistics update
before counting the number of packets that have been analyzed, modify the value for
before counting the number of packets that have been analyzed, modify the value for
Sample time
.
•
To specify the number of packets to analyze before updating performance statistics, modify the
value for
value for
Minimum number of packets
.
Step 6
Optionally, modify the troubleshooting options only if asked to do so by Support; click the
+
sign next
to
Troubleshooting Options
information.
Caution
Do not apply an access control policy that includes an intrusion policy with the
Log Session/Protocol
Distribution
troubleshooting option enabled unless directed to do so by Support.
Step 7
Save your policy, continue editing, discard your changes, revert to the default configuration settings in
the base policy, or exit while leaving your changes in the system cache. See the
the base policy, or exit while leaving your changes in the system cache. See the
table for more information.
Constraining Regular Expressions
License:
Protection
You can override default match and recursion limits on PCRE regular expressions that are used in
intrusion rules to examine packet payload content. See
intrusion rules to examine packet payload content. See
for information on using the PCRE keyword in intrusion rules. The default limits ensure a minimum level
of performance. Overriding these limits could increase security, but could also significantly impact
performance by permitting packet evaluation against inefficient regular expressions.
of performance. Overriding these limits could increase security, but could also significantly impact
performance by permitting packet evaluation against inefficient regular expressions.
Caution
Do not override default PCRE limits unless you are an experienced intrusion rule writer with knowledge
of the impact of degenerative patterns.
of the impact of degenerative patterns.
Note that when a rule that requires this feature is enabled in an intrusion policy where this feature is
disabled, you must enable the feature or choose to allow the system to enable it automatically before you
can save the policy. For more information, see
disabled, you must enable the feature or choose to allow the system to enable it automatically before you
can save the policy. For more information, see
.
The following table describes the options you can configure to override the default limits.