Cisco Firepower Management Center 4000

FireSIGHT System User Guide

Chapter 30: Using Global Rule Thresholding
You can use thresholds to limit the number of times the system logs and displays intrusion events. 
Thresholds cause the system to generate events based on how many times traffic matching a rule 
originates from or is targeted to a specific address or address range within a specified time period. This 
can prevent you from being overwhelmed with a large number of events.
You can set event notification thresholds in two ways:
  • You can set a global threshold across all traffic to limit how often events from a specific source or 
destination are logged and displayed per specified time period. For more information, see 
 and 
.
  • You can set thresholds per shared object rule, standard text rule, or preprocessor rule in your 
intrusion policy configuration, as described in 
Understanding Thresholding
License: Protection
By default, every intrusion policy contains a global rule threshold. The default threshold limits event 
generation for each rule to one event every 60 seconds on traffic going to the same destination. This 
global threshold applies by default to all intrusion rules and preprocessor rules. Note that you can disable 
the threshold in the Advanced Settings page in an intrusion policy. 
You can also override this threshold by setting individual thresholds on specific rules. For example, you 
might set a global limit threshold of five events every 60 seconds, but then set a specific threshold of ten 
events for every 60 seconds for SID 1315. All other rules generate no more than five events in each 
60-second period, but the system generates up to ten events for each 60-second period for SID 1315.
For more information on setting rule-based thresholds, see 
.
Tip
A global or individual threshold on a managed device with multiple CPUs may result in a higher number 
of events than expected.
The following diagram shows an example where an attack is in progress for a specific rule. A global limit 
threshold limits event generation for each rule to two events every 20 seconds. 
The period starts at one second and ends at 21 seconds. After the period ends, the cycle starts again: 
the next two rule matches generate events, and then the system does not generate any more events 
during that period.
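
The limit behavior described above, as an added Python simulation (not Cisco's code and not part of the original guide): it replays a constructed stream of rule matches through the two-events-per-20-seconds global limit from the diagram text and through a five-per-60-seconds global limit with the SID 1315 override. The class and function names, the placeholder SID 1000001, the documentation address 192.0.2.10, and the choice to open a new period on the first match after the old one ends are assumptions.

```python
# Added illustration: simulates limit-type thresholding as this chapter describes it.
from collections import namedtuple

Limit = namedtuple("Limit", "count seconds")


class LimitThreshold:
    """Log at most `count` events per `seconds` for each (SID, destination)."""

    def __init__(self, global_limit, overrides=None):
        self.global_limit = global_limit
        self.overrides = overrides or {}  # a per-SID limit replaces the global one
        self.state = {}                   # (sid, dst_ip) -> [period_start, matches]

    def match(self, t, sid, dst_ip):
        """Return True if the rule match at time t (seconds) generates an event."""
        limit = self.overrides.get(sid, self.global_limit)
        key = (sid, dst_ip)
        entry = self.state.get(key)
        # Assumption: a new period opens on the first match after the old one ends.
        if entry is None or t - entry[0] >= limit.seconds:
            entry = self.state[key] = [t, 0]
        entry[1] += 1
        return entry[1] <= limit.count


def logged_times(threshold, sid, dst_ip, times):
    """Match times (given in ascending order) at which an event is logged."""
    return [t for t in times if threshold.match(t, sid, dst_ip)]


# Constructed input: one rule matching once per second from t=1 to t=45.
ATTACK = list(range(1, 46))


def diagram_example():
    # Global limit from the diagram text: two events every 20 seconds.
    th = LimitThreshold(Limit(2, 20))
    return logged_times(th, 1000001, "192.0.2.10", ATTACK)  # placeholder SID


def override_example():
    # Global limit of five per 60 seconds; SID 1315 overridden to ten per 60 seconds.
    th = LimitThreshold(Limit(5, 60), {1315: Limit(10, 60)})
    other = logged_times(th, 1000001, "192.0.2.10", ATTACK)
    sid_1315 = logged_times(th, 1315, "192.0.2.10", ATTACK)
    return len(other), len(sid_1315)


if __name__ == "__main__":
    print(diagram_example(), override_example())
```

The simulation models a single counter per rule and destination; it does not model the multi-CPU case from the Tip, where a device may log more events than the configured limit.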