Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 24 Using Performance Settings in an Intrusion Policy
Rule Processing Configuration
Step 6
Save your policy, continue editing, discard your changes, revert to the default configuration settings in
the base policy, or exit while leaving your changes in the system cache. See the
table for more information.
Rule Processing Configuration
License: Protection
When the rules engine evaluates traffic against rules, it places the events generated for a given packet or
packet stream in an event queue, then reports the top events in the queue to the user interface. You can
elect to have the rules engine log more than one event per packet or packet stream when multiple events
are generated. Logging these events allows you to collect information beyond the reported event. When
configuring this option, you can specify how many events can be placed in the queue and how many are
logged, and select the criteria for determining event order within the queue.
The following table describes the options you can configure to determine how many events are logged
per packet or stream.
To configure how many events are logged per packet or stream:
Access: Admin/Intrusion Admin
Step 1
Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2
Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See
for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3
Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.
Table 24-6 Rule Processing Configuration Options

Option | Description
Maximum Queued Events | The maximum number of events that can be stored for a given packet or packet stream.
Logged Events | The number of events logged for a given packet or packet stream. This cannot exceed the Max Events value.
Order Events By | The value used to determine event ordering within the event queue. The highest ordered event is reported through the user interface. You can select from:
  • priority, which orders events in the queue by the event priority.
  • content_length, which orders events by the longest identified content match. When events are ordered by content length, rule events always take precedence over decoder and preprocessor events.
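
The following is an added illustration, not Cisco code and not part of the original guide: a small Python model of how the three options in Table 24-6 decide which events survive for one packet. It assumes that priority 1 is the most important, that ties keep arrival order, and that events ranked below the queue limit are discarded; the `Event` fields, function name and sample events are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    msg: str
    kind: str            # "rule", "decoder" or "preprocessor"
    priority: int        # assumption: 1 is the most important
    content_length: int  # longest identified content match (0 if none)

def select_events(events, max_queued, logged, order_by):
    """Return (reported_event, logged_events) for one packet or stream."""
    if logged > max_queued:
        raise ValueError("Logged Events cannot exceed Maximum Queued Events")
    if order_by == "priority":
        key = lambda e: e.priority
    elif order_by == "content_length":
        # Rule events always precede decoder and preprocessor events,
        # then the longest content match ranks highest.
        key = lambda e: (e.kind != "rule", -e.content_length)
    else:
        raise ValueError(f"unknown ordering: {order_by}")
    # sorted() is stable, so ties keep arrival order (assumption).
    queue = sorted(events, key=key)[:max_queued]
    kept = queue[:logged]
    return (kept[0] if kept else None), kept

# Constructed sample: four events raised by the same packet.
SAMPLE = [
    Event("decoder: bad TCP option length", "decoder", 1, 0),
    Event("rule: generic HTTP URI match", "rule", 3, 6),
    Event("rule: specific exploit string", "rule", 2, 42),
    Event("preprocessor: oversized chunk", "preprocessor", 2, 0),
]

if __name__ == "__main__":
    for order in ("priority", "content_length"):
        top, kept = select_events(SAMPLE, max_queued=8, logged=2, order_by=order)
        print(f"{order}: reported -> {top.msg}")
        for e in kept:
            print(f"    logged -> {e.msg}")
```

With the same four events, the ordering choice changes both the event reported in the user interface and which secondary events are available to an analyst afterwards.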