Cisco Firepower Management Center 4000
FireSIGHT System User Guide

Chapter 28      Detecting Specific Threats
Preventing Rate-Based Attacks
As shown in the diagram, the first five packets matching the rule do not generate events because the rule does not trigger until the rate exceeds the rate indicated by the detection_filter keyword. After the rule triggers, event notification begins, but the rate-based criteria do not trigger the new action of Drop and Generate Events until five more packets pass.

After the rate-based criteria are met, events are generated and the packets are dropped until the rate-based timeout period expires and the rate falls below the threshold. After twenty seconds elapse, the rate-based action times out. After the timeout, note that packets are still dropped in the rate-based sampling period that follows. Because the sampled rate is above the threshold rate in the previous sampling period when the timeout happens, the rate-based action continues.
Note that although the example does not depict this, you can use the Drop and Generate Events rule state in combination with the detection_filter keyword to start dropping traffic when hits for the rule reach the specified rate. When deciding whether to configure rate-based settings for a rule, consider whether setting the rule to Drop and Generate Events and including the detection_filter keyword would achieve the same result, or whether you want to manage the rate and timeout settings in the intrusion policy. For more information, see Dynamic Rule States and Thresholding or Suppression.
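The following simulation is an added illustration, not code from the guide or from Cisco; it replays a constructed packet timeline through the three configurations the text compares (Generate Events with detection_filter alone, Drop and Generate Events with detection_filter, and Generate Events with detection_filter plus a rate-based dynamic state). It assumes sliding-window counting, that detection_filter fires once the count exceeds its threshold, that the rate-based action starts when hits exceed the rate, and that after the timeout the action continues only while the sampled rate is still above threshold.

```python
"""Constructed model of detection_filter plus a rate-based dynamic rule state.
Assumptions (not taken from the guide): sliding windows for both counters,
detection_filter fires when matching packets EXCEED df_count, the rate-based
action starts when rule hits in the sampling window EXCEED rate_count, lasts
`timeout` seconds, and at timeout is re-evaluated against the sampled rate."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RateBased:
    rate_count: int   # hits per sampling period that trigger the new action
    period: float     # sampling period, seconds
    timeout: float    # seconds the Drop and Generate Events action stays active


def _in_window(stamps: List[float], now: float, width: float) -> List[float]:
    """Keep only timestamps inside the sliding window ending at `now`."""
    return [s for s in stamps if now - s < width]


def simulate(times: List[float], df_count: int, df_seconds: float,
             rb: Optional[RateBased] = None, rule_drops: bool = False) -> List[str]:
    """Return 'pass', 'alert' or 'drop' for each (sorted) packet timestamp.
    rule_drops=True models rule state Drop and Generate Events + detection_filter;
    rb models Generate Events + detection_filter + a rate-based dynamic state."""
    df_hits: List[float] = []      # packets counted by the detection_filter keyword
    rule_hits: List[float] = []    # rule events, sampled by the rate-based state
    drop_until: Optional[float] = None
    results: List[str] = []
    for t in times:
        df_hits = _in_window(df_hits, t, df_seconds) + [t]
        if len(df_hits) <= df_count:
            results.append("pass")     # rate not yet exceeded: rule does not trigger
            continue
        rule_hits = _in_window(rule_hits, t, rb.period if rb else df_seconds) + [t]
        if rule_drops:
            results.append("drop")     # the rule state itself drops every hit
            continue
        if rb is not None:
            if drop_until is not None and t >= drop_until:
                drop_until = None      # timeout expired; re-sample the rate below
            if drop_until is None and len(rule_hits) > rb.rate_count:
                drop_until = t + rb.timeout  # criteria (still) met: keep dropping
            if drop_until is not None:
                results.append("drop")
                continue
        results.append("alert")        # Generate Events only
    return results
```

With one packet per second and a detection_filter count of 5, the rate-based configuration passes five packets, alerts on five more, then drops; a packet arriving after the 20-second timeout is still dropped because the sampled rate remains above threshold.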
License: Protection