Cisco FirePOWER Appliance 8130
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Setting Rule States
Step 7
Save your policy, continue editing, discard your changes, or exit while leaving your changes in the
system cache. See the table for more information.
Setting Rule States
License:
Protection
The Cisco Vulnerability Research Team (VRT) sets the default state of each intrusion and preprocessor
rule in each default policy. For example, a rule may be enabled in the Security over Connectivity default
policy and disabled in the Connectivity over Security default policy. Intrusion policy rules you create
inherit the default states of the rules in the default policy you use to create your policy.
You can set a rule to Generate Events, to Drop and Generate Events, or to Disable individually, or you
can filter the rules by a variety of factors to select the rules for which you want to modify the state. In
an inline deployment, you can use the Drop and Generate Events rule state to drop malicious packets.
Note that rules with the Drop and Generate Events rule state generate events but do not drop packets in a
passive deployment, including when a 3D9900 or Series 3 device inline interface set is in tap mode.
Setting a rule to Generate Events or to Drop and Generate Events enables the rule; setting the rule to
Disable disables it.
Consider two scenarios. In the first scenario, the rule state for a specific rule is set to Generate Events.
When a malicious packet crosses your network and triggers the rule, the packet is sent to its destination
and the system generates an intrusion event. In the second scenario, assume that the rule state for the
same rule is set to Drop and Generate Events in an inline deployment. In this case, when the malicious
packet crosses the network, the system drops the malicious packet and generates an intrusion event. The
packet never reaches its target.
In an intrusion policy, you can set a rule's state to one of the following settings:
• Set the rule state to Generate Events if you want the system to detect a specific intrusion attempt and
generate an intrusion event when it finds matching traffic.
• Set the rule state to Drop and Generate Events if you want the system to detect a specific intrusion
attempt, then drop the packet containing the attack and generate an intrusion event when it finds
matching traffic in an inline deployment, or to generate an intrusion event (without dropping) when it
finds matching traffic in a passive deployment, including when a 3D9900 or Series 3 device inline
interface set is in tap mode.
Note that for the system to drop packets, your intrusion policy must be set to drop rules in an inline
deployment (the Drop when Inline option); see the requirements for drop rules below for more
information.
• Set the rule state to Disable if you do not want the system to evaluate matching traffic.
To use drop rules, you must:
• Enable the Drop when Inline option in your intrusion policy.
• Set the rule state to Drop and Generate Events for any rules that should drop all packets that match the
rule.
• Apply an access control policy that includes an access control rule that is associated with your
intrusion policy to a managed device that uses an inline set.
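The three requirements above, together with the passive and tap-mode caveat, form a small decision table: a matching packet is logged or dropped depending on the rule state, the deployment, and the Drop when Inline option. The following Python is an added illustration written for this page, not Cisco code; the enum names, the Verdict type, the audit helper and the sample rule IDs (GID:SID strings) are all constructed for the example. The audit helper answers the practical question a practitioner asks before applying a policy: which rules set to Drop and Generate Events will only generate events in this deployment.

```python
"""Decision logic for FireSIGHT intrusion rule states (illustrative, not Cisco code)."""
from dataclasses import dataclass
from enum import Enum


class RuleState(Enum):
    GENERATE_EVENTS = "Generate Events"
    DROP_AND_GENERATE_EVENTS = "Drop and Generate Events"
    DISABLE = "Disable"


class Deployment(Enum):
    INLINE = "inline"          # inline interface set; traffic passes through the device
    INLINE_TAP = "inline tap"  # inline set in tap mode: the device sees copies, cannot drop
    PASSIVE = "passive"        # passive interfaces: the device sees copies, cannot drop


@dataclass(frozen=True)
class Verdict:
    generates_event: bool
    drops_packet: bool


def effective_verdict(state: RuleState, deployment: Deployment,
                      drop_when_inline: bool) -> Verdict:
    """What the system does with a packet that matches a rule in `state`.

    drop_when_inline is the intrusion policy's Drop when Inline option.
    """
    if state is RuleState.DISABLE:
        # A disabled rule is not evaluated: no event, no drop.
        return Verdict(generates_event=False, drops_packet=False)
    if state is RuleState.GENERATE_EVENTS:
        # Alert-only regardless of deployment.
        return Verdict(generates_event=True, drops_packet=False)
    # Drop and Generate Events: the packet is dropped only when the device is
    # truly inline (not tap mode, not passive) and the policy allows dropping.
    can_drop = deployment is Deployment.INLINE and drop_when_inline
    return Verdict(generates_event=True, drops_packet=can_drop)


def rules_that_will_not_drop(rule_states: dict, deployment: Deployment,
                             drop_when_inline: bool) -> list:
    """Rule IDs set to Drop and Generate Events whose drops will silently not
    happen under the given deployment and policy option. Sorted for stable output."""
    return sorted(
        rule_id for rule_id, state in rule_states.items()
        if state is RuleState.DROP_AND_GENERATE_EVENTS
        and not effective_verdict(state, deployment, drop_when_inline).drops_packet
    )


# Constructed sample rule states keyed by GID:SID (not real VRT rule IDs).
SAMPLE_RULE_STATES = {
    "1:1000001": RuleState.DROP_AND_GENERATE_EVENTS,
    "1:1000002": RuleState.GENERATE_EVENTS,
    "1:1000003": RuleState.DROP_AND_GENERATE_EVENTS,
    "1:1000004": RuleState.DISABLE,
}


if __name__ == "__main__":
    for dep in Deployment:
        for dwi in (True, False):
            v = effective_verdict(RuleState.DROP_AND_GENERATE_EVENTS, dep, dwi)
            print(f"{dep.value:10} drop_when_inline={dwi!s:5} -> "
                  f"event={v.generates_event} drop={v.drops_packet}")
    print("will not drop in tap mode:",
          rules_that_will_not_drop(SAMPLE_RULE_STATES, Deployment.INLINE_TAP, True))
```

Run it to see that only the inline deployment with Drop when Inline enabled yields a drop; every other combination of a Drop and Generate Events rule degrades to event-only, which is the behaviour the text warns about for passive deployments and tap mode.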
Filtering rules on the Rules page can help you find the rules you want to set as drop rules.
Rule anatomy, rule keywords and their options, and rule writing syntax are described elsewhere in this
guide.