Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 32      Understanding and Writing Intrusion Rules
  Constructing a Rule
Note: Do not modify the protocol for a shared object rule; doing so would render the rule ineffective.
To modify a rule:
Access: Admin/Intrusion Admin
Step 1: Select Policies > Intrusion > Rule Editor.
The Rule Editor page appears.
Step 2: Locate the rule or rules you want to modify. You have the following options:
  • To locate rules by browsing rule categories, navigate through the folders to the rule you want and click the edit icon next to the rule.
  • To locate rules by searching for them, enter the search criteria (most simply, the SID) for the rule or rules you want and click Search. Click a rule returned by the search as appropriate. See for more information.
  • To locate a rule or rules by filtering the rules displayed on the page, enter a rule filter in the text box indicated by the filter icon at the upper left of the rule list. Navigate to the rule you want and click the edit icon next to the rule. See for more information.
The rule editor opens, displaying the rule you selected.
Note that if you select a shared object rule, the rule editor displays only the rule header information. A shared object rule can be identified on the Rule Editor page by a listing that begins with the number 3 (the GID), for example, 3:1000004.
Step 3: Make any modifications to the rule (see for more information about rule options) and click Save As New.
The rule is saved to the local rule category.
Tip: If you want to use the local modification of the rule instead of the system rule, deactivate the system rule by using the procedures at and activate the local rule.
Step 4: Activate the intrusion policy by applying it as part of an access control policy as described in to apply your changes.
Adding Comments to Rules
License: Protection
You can add comments to any intrusion rule. This allows you to provide additional context and information about the rule and the exploit or policy violation it identifies.
To add a comment to a rule:
Access: Admin/Intrusion Admin
Step 1: Select Policies > Intrusion > Rule Editor.