Cisco FirePOWER Appliance 7010
21-29
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Adding Dynamic Rule States
Step 5
Select the rule or rules for which you want to view or delete suppressions. You have the following options:
• To select a specific rule, select the check box next to the rule.
• To select all rules in the current list, select the check box at the top of the column.
Step 6
You have two options:
• To remove all suppression for a rule, select Event Filtering > Remove Suppressions. Click OK in the confirmation pop-up window that appears.
• To remove a specific suppression setting, highlight the rule and click Show details. Expand the suppression settings and click Delete next to the suppression settings you want to remove. Click OK to confirm that you want to delete your selected settings.
The page refreshes and the suppression settings are deleted.
Step 7
Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. See the table for more information.
Adding Dynamic Rule States
License:
Protection
Rate-based attacks attempt to overwhelm a network or host by sending excessive traffic toward the network or host, causing it to slow down or deny legitimate requests. You can use rate-based prevention to change the action of a rule in response to excessive rule matches for specific rules.
For more information, see the following sections:
• Understanding Dynamic Rule States
Understanding Dynamic Rule States
License:
Protection
You can configure your intrusion policies to include a rate-based filter that detects when too many matches for a rule occur in a given time period. You can use this feature on managed devices deployed inline to block rate-based attacks for a specified time, then revert to a rule state where rule matches only generate events and do not drop traffic.
Rate-based attack prevention identifies abnormal traffic patterns and attempts to minimize the impact of that traffic on legitimate requests. You can identify excessive rule matches in traffic going to a particular destination IP address or addresses or coming from a particular source IP address or addresses. You can also respond to excessive matches for a particular rule across all detected traffic.
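The two paragraphs above describe what a rate-based filter decides (too many matches for one rule within a time window, tracked per source address, per destination address, or across all traffic, then a temporary change of action that reverts after a set time). The following is an added simulation of that decision logic, written for this page; it is not FireSIGHT or Snort code, and the class and parameter names (RateFilter, Event, the "by_src"/"by_dst"/"by_rule" track values, the timeout value) are assumptions chosen to mirror the text. The sample events are constructed for the example.

```python
"""Simulation of a rate-based filter (dynamic rule state).

Added illustration for this page, not FireSIGHT/Snort code.  The names
RateFilter, Event and the track values by_src/by_dst/by_rule are assumed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# The three actions the page lists for a rule state.
GENERATE = "Generate Events"
DROP = "Drop and Generate Events"
DISABLE = "Disable"


@dataclass(frozen=True)
class Event:
    """One rule match (assumed record): rule id, endpoints, time in seconds."""
    gid_sid: Tuple[int, int]
    src: str
    dst: str
    ts: float


@dataclass
class RateFilter:
    gid_sid: Tuple[int, int]
    count: int           # this many matches ...
    seconds: float       # ... within this many seconds exceed the rate
    new_action: str      # action applied while the dynamic state is in force
    timeout: float       # seconds before the rule reverts to its base action
    track: str = "by_rule"   # "by_src", "by_dst" or "by_rule" (assumed names)
    _windows: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _active_until: Dict[str, float] = field(default_factory=dict)

    def _key(self, ev: Event) -> str:
        """Counter key: per source, per destination, or one for all traffic."""
        if self.track == "by_src":
            return ev.src
        if self.track == "by_dst":
            return ev.dst
        return "*"

    def action_for(self, ev: Event, base_action: str = GENERATE) -> str:
        """Action for this match: base_action normally, new_action while the
        dynamic state is in force for ev's key."""
        key = self._key(ev)
        until = self._active_until.get(key)
        if until is not None:
            if ev.ts < until:
                return self.new_action
            # Timeout elapsed: revert to the base state and start counting afresh.
            del self._active_until[key]
            self._windows[key].clear()
        window = self._windows[key]
        window.append(ev.ts)
        # Keep only matches that fall inside the trailing `seconds` window.
        while window and ev.ts - window[0] >= self.seconds:
            window.popleft()
        if len(window) >= self.count:
            # Rate exceeded: switch to the new action for `timeout` seconds.
            self._active_until[key] = ev.ts + self.timeout
            window.clear()
            return self.new_action
        return base_action


def simulate(filt: RateFilter, events: List[Event], base_action: str = GENERATE) -> List[str]:
    """Feed events (ordered by timestamp) through the filter and return the actions."""
    return [filt.action_for(ev, base_action) for ev in events if ev.gid_sid == filt.gid_sid]


def sample_events() -> List[Event]:
    """Constructed sample: one source hammering rule 1:2001, one bystander."""
    attacker = [Event((1, 2001), "10.0.0.5", "192.0.2.10", t)
                for t in (0.0, 0.2, 0.4, 0.6, 0.8, 1.0, 5.0, 12.0)]
    bystander = [Event((1, 2001), "10.0.0.9", "192.0.2.10", 0.5)]
    return sorted(attacker + bystander, key=lambda e: e.ts)


if __name__ == "__main__":
    f = RateFilter((1, 2001), count=5, seconds=2.0, new_action=DROP, timeout=10.0, track="by_src")
    for ev, act in zip(sample_events(), simulate(f, sample_events())):
        print(f"t={ev.ts:5.1f} {ev.src:>9} -> {ev.dst}: {act}")
```

Run as written, tracking by source, the fifth match from 10.0.0.5 (at 0.8 s) is the one that crosses five matches in two seconds, so it and every later match from that source are dropped until the 10-second timeout passes; the match at 12.0 s reverts to Generate Events. The bystander at 0.5 s is never affected. Changing track to "by_rule" merges the counters, so the bystander's match counts toward the threshold and the switch happens one event earlier.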
In the intrusion policy, you can configure a rate-based filter for any intrusion or preprocessor rule. The rate-based filter contains three components:
• the rule matching rate, which you configure as a count of rule matches within a specific number of seconds
• a new action to be taken when the rate is exceeded, with three available actions: Generate Events, Drop and Generate Events, and Disable