Cisco FirePOWER Appliance 8250
21-22
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Filtering Intrusion Event Notification Per Policy
License:
Protection
The importance of an intrusion event can be based on frequency of occurrence, or source or destination
IP address. In some cases you may not care about an event until it has occurred a certain number of times.
For example, you may not be concerned if someone attempts to log into a server until they fail a certain
number of times. In other cases, you may only need to see a few occurrences to know there is a
widespread problem. For example, if a DoS attack is launched against your web server, you may only
need to see a few occurrences of an intrusion event to know that you need to address the situation. Seeing
hundreds of the same event only overwhelms your system.
See the following sections for more information:
• Configuring Event Thresholding explains how to set thresholds that dictate how often (based on the number of occurrences) an event is displayed. You can configure thresholding per event, per policy.
• explains how to suppress notification of specified events per source or destination IP address per policy.
Configuring Event Thresholding
License:
Protection
You can set thresholds for individual rules per intrusion policy to limit the number of times the system
logs and displays an intrusion event based on how many times the event is generated within a specified
time period. This can prevent you from being overwhelmed with a large number of identical events. You
can set thresholds per shared object rule, standard text rule, or preprocessor rule.
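As an added example (not from the user guide or from Cisco's own code), the following Python models the two per-policy mechanisms described above: a per-rule threshold that notifies only for the first `count` occurrences within each `seconds`-long period, tracked per source or destination IP, and suppression of a rule's notifications for a given source or destination IP. The period semantics (a fixed window that opens at the first occurrence), the rule IDs and the addresses are constructed assumptions, not values from the guide.

```python
from collections import defaultdict

# Constructed sample: a burst of one rule from one source, a hit from a
# second source, and two hits of another rule, one to a suppressed destination.
SAMPLE_EVENTS = [
    {"ts": 0,  "rule_id": "1:2001", "src": "10.0.0.5", "dst": "192.0.2.10"},
    {"ts": 5,  "rule_id": "1:2001", "src": "10.0.0.5", "dst": "192.0.2.10"},
    {"ts": 20, "rule_id": "1:2001", "src": "10.0.0.5", "dst": "192.0.2.10"},
    {"ts": 30, "rule_id": "1:2001", "src": "10.0.0.5", "dst": "192.0.2.10"},
    {"ts": 70, "rule_id": "1:2001", "src": "10.0.0.5", "dst": "192.0.2.10"},
    {"ts": 71, "rule_id": "1:2001", "src": "10.0.0.9", "dst": "192.0.2.10"},
    {"ts": 72, "rule_id": "1:3005", "src": "10.0.0.5", "dst": "192.0.2.10"},
    {"ts": 73, "rule_id": "1:3005", "src": "10.0.0.5", "dst": "192.0.2.99"},
]


class PolicyEventFilter:
    """Per-policy notification filter: thresholds and IP suppressions per rule."""

    def __init__(self):
        self.thresholds = {}                  # rule_id -> (track, count, seconds)
        self.suppressions = defaultdict(set)  # rule_id -> {(track, ip)}
        self._windows = {}                    # (rule_id, tracked ip) -> (start, hits)

    def set_threshold(self, rule_id, track, count, seconds):
        self.thresholds[rule_id] = (track, count, seconds)  # track is "src" or "dst"

    def add_suppression(self, rule_id, track, ip):
        self.suppressions[rule_id].add((track, ip))

    def should_notify(self, event):
        rule = event["rule_id"]
        if any(event[track] == ip for track, ip in self.suppressions[rule]):
            return False                      # suppressed for this IP: never notify
        if rule not in self.thresholds:
            return True                       # no threshold: every occurrence notifies
        track, count, seconds = self.thresholds[rule]
        key = (rule, event[track])
        start, hits = self._windows.get(key, (None, 0))
        if start is None or event["ts"] - start >= seconds:
            start, hits = event["ts"], 0      # period expired: open a new window
        hits += 1
        self._windows[key] = (start, hits)
        return hits <= count                  # notify only for the first `count` hits


def demo():
    flt = PolicyEventFilter()
    flt.set_threshold("1:2001", track="src", count=2, seconds=60)
    flt.add_suppression("1:3005", track="dst", ip="192.0.2.99")
    return [(e["ts"], e["rule_id"]) for e in SAMPLE_EVENTS if flt.should_notify(e)]
```

Running `demo()` shows the third and fourth hits from 10.0.0.5 dropped, the fifth notifying again because a new 60-second period has begun, and the hit to 192.0.2.99 silenced by the suppression.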
For more information, see the following sections:
• Understanding Event Thresholding
Understanding Event Thresholding
License:
Protection
First, you must specify the thresholding type. You can select from the options discussed in the following
table.