Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide
Chapter 31 Configuring External Alerting for Intrusion Rules
Understanding Email Alerting
Summary Output
Enables or disables brief email alerting, which is suitable for text-limited devices such as pagers.
Brief email alerts contain:
– event timestamp
– for Defense Centers, the IP address for the device that generated the event
– event protocol
– source IP and port
– destination IP and port
– event message
– the number of intrusion events generated against the same source IP
For example:
2011-05-18 10:35:10 10.1.1.100 icmp 10.10.10.1:8 -> 10.2.1.3:0
snort_decoder: Unknown Datagram decoding problem! (116:108)
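The following parser is an added example, not code from the Cisco guide: it reads the brief alert layout shown above so that mailed alerts can be validated before they are fed into a log pipeline. The field order is inferred from the single sample line; the name `parse_brief_alert`, the treatment of the device IP as optional, and the reading of `(116:108)` as generator ID and rule ID are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Layout inferred from the sample line in this section (assumption):
# timestamp [device IP] protocol src:port -> dst:port message (GID:SID)
BRIEF_ALERT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<device>[0-9A-Fa-f.:]+) )?"  # only Defense Centers add this field
    r"(?P<proto>[A-Za-z][\w-]*) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<msg>.*?) \((?P<gid>\d+):(?P<sid>\d+)\)(?P<rest>.*)$"
)


def parse_brief_alert(text):
    """Parse one brief email alert; return a dict, or None if it does not fit."""
    # Mail clients and page layouts wrap the alert, so collapse all whitespace.
    m = BRIEF_ALERT.match(" ".join(text.split()))
    if m is None:
        return None
    try:
        alert = {
            "timestamp": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "device_ip": ipaddress.ip_address(m["device"]) if m["device"] else None,
            "protocol": m["proto"].lower(),
            "src_ip": ipaddress.ip_address(m["src"]),
            "dst_ip": ipaddress.ip_address(m["dst"]),
        }
    except ValueError:
        # Impossible date or malformed address: reject rather than guess.
        return None
    # For icmp the sample shows 8 and 0 here (assumed: ICMP type and code).
    alert["src_port"], alert["dst_port"] = int(m["sport"]), int(m["dport"])
    if max(alert["src_port"], alert["dst_port"]) > 65535:
        return None
    alert["message"] = m["msg"]
    # Assumption: the trailing pair is the Snort generator ID and rule ID.
    alert["gid"], alert["sid"] = int(m["gid"]), int(m["sid"])
    # Text after "(GID:SID)", such as a per-source event count, is kept raw.
    alert["trailing"] = m["rest"].strip()
    return alert


# The sample alert from this section, wrapped across two lines as on the page.
SAMPLE = """2011-05-18 10:35:10 10.1.1.100 icmp 10.10.10.1:8 -> 10.2.1.3:0
snort_decoder: Unknown Datagram decoding problem! (116:108)"""

if __name__ == "__main__":
    print(parse_brief_alert(SAMPLE))
```

Lines that do not match the layout, or that carry an impossible date or address, return `None` so they can be routed to manual review instead of being stored with guessed fields.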
Email Alerting on Specific Rules Configuration
Specifies the rules or rule groups whose events you want mailed to the specified email address or addresses.
For information about configuring email alerting, see
.
Configuring Email Alerting
License: Protection
You can configure email alerting so that your appliance notifies you whenever an intrusion event occurs for a specific rule or rule group.
Before you can receive email alerts, you must:
• configure your mail host to receive email alerts (see )
• make sure that both the managed device and the Defense Center can reverse resolve their own IP addresses
To configure email alerting options:
Access: Admin/Intrusion Admin
Step 1 Select Policies > Intrusion > Email.
The Email Alerting page appears.
Step 2 Next to State, select on to enable email alerting.
Step 3 In the From Address field, type the address you want to display in the From field in the email alerts.
Step 4 In the To Address field, type the address where you want to receive the email alerts.
Step 5 In the Max Alerts field, type the maximum number of events you want included in a single email.
Step 6 In the Min Frequency field, type the number of seconds for the minimum frequency with which you want to receive email alerts.
Step 7 To group events by IP address, next to Coalesce Alerts, select on.