Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide
Chapter 21
Managing Rules in an Intrusion Policy
You can use the Rules page in an intrusion policy to configure rule states and other settings for shared
object rules, standard text rules, and preprocessor rules.
You enable a rule by setting its rule state to Generate Events or to Drop and Generate Events. Enabling
a rule causes the system to generate events on traffic matching the rule. Disabling a rule stops processing
of the rule. Optionally, you can set your intrusion policy so that a rule set to Drop and Generate Events
in an inline deployment generates events on, and drops, matching traffic. See
for more information. In a passive deployment, a rule set to Drop and
Generate Events just generates events on matching traffic.
You can filter rules to display a subset of rules, enabling you to select the exact set of rules where you
want to change rule states or rule settings.
You can generate rule state recommendations based on vulnerabilities associated with the hosts and
applications on your network and, optionally, update rules to reflect the recommended states.
See the following sections for more information:
• describes the intrusion rules and preprocessor rules you can view and configure in an intrusion policy.
• describes how you can change the order of rules on the Rules page, interpret the icons on the page, and focus in on rule details.
• describes how you can use rule filters to find the rules for which you want to apply rule settings.
• describes how to enable and disable rules from the Rules page.
• explains how to set event filtering thresholds for specific rules and set suppression on specific rules.
• explains how to set rule states that trigger dynamically when rate anomalies are detected in matching traffic.
• describes how to associate SNMP alerts with specific rules.
• explains how to enable preprocessors and other advanced features required by rules when those rules are set to Generate Events or Drop and Generate Events.
• describes how to add comments to rules in an intrusion policy.
• describes how to generate rule state recommendations based on vulnerabilities associated with the hosts and applications on your network.