Cisco FirePOWER Appliance 7115

Version 5.3
Sourcefire 3D System User Guide
639
Introduction to Sourcefire Intrusion Prevention
The Benefits of Custom Intrusion Policies
Chapter 16
Additionally, within each intrusion policy, you can tune rules in the following ways:
• Improve performance by using fewer rules; disable rules that are not applicable to your environment.
• Verify that all rules applicable to your environment are enabled.
• For inline deployments, specify which rules should drop malicious packets from the packet stream.
TIP! You can use network discovery to identify the operating systems on your network. This allows you to more easily identify which rules are applicable to your environment.
Within the intrusion policy, you can also set suppression levels and thresholds to 
control how frequently you are notified of intrusion events. You can choose to 
suppress event notifications and set thresholds for individual rules or entire 
intrusion policies. For more information, see 
Specifying the protocol analysis, data normalization, and traffic inspection 
performed by the system and saving this configuration as a whole allows you to 
control the kind of information the system provides you to best meet your 
enterprise security needs. It also provides a simple mechanism for changing as 
much or little of your policy as needed to continue to detect new attacks and 
exploits. 
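
The effect of the suppression and threshold settings described above on notification volume can be modelled in a few lines. This is an added example, not code from the Sourcefire guide or product: it assumes Snort-style threshold types (limit, threshold, both) tracked per source address with fixed time windows, and the rule IDs and documentation-range IP addresses are constructed.

```python
# Simplified model of per-rule event thresholds and suppression (added example).
# Assumption: Snort-style threshold types, tracked by source IP, fixed windows.

# Constructed sample events: (time in seconds, rule SID, source IP), sorted by time.
SAMPLE_EVENTS = [
    (0, 1000001, "192.0.2.10"),
    (5, 1000001, "192.0.2.10"),
    (10, 1000001, "192.0.2.10"),
    (12, 1000001, "192.0.2.20"),
    (15, 1000002, "192.0.2.30"),
    (70, 1000001, "192.0.2.10"),
]

def notifications(events, thresholds=None, suppress=()):
    """Return the events that still generate a notification.

    thresholds: {sid: (kind, count, seconds)}, kind is "limit", "threshold" or "both"
    suppress:   (sid, src_ip) pairs; src_ip=None suppresses the rule for all sources
    """
    thresholds = thresholds or {}
    suppress = set(suppress)
    windows = {}  # (sid, src_ip) -> [window_start, events_seen_in_window]
    kept = []
    for ts, sid, src in events:
        if (sid, None) in suppress or (sid, src) in suppress:
            continue  # suppressed: never notified
        if sid not in thresholds:
            kept.append((ts, sid, src))  # no threshold: every event notifies
            continue
        kind, count, seconds = thresholds[sid]
        state = windows.get((sid, src))
        if state is None or ts - state[0] >= seconds:
            state = windows[(sid, src)] = [ts, 0]  # start a new time window
        state[1] += 1
        seen = state[1]
        if kind == "limit":        # notify for the first `count` events per window
            notify = seen <= count
        elif kind == "threshold":  # notify on every `count`-th event per window
            notify = seen % count == 0
        elif kind == "both":       # notify once per window, when `count` is reached
            notify = seen == count
        else:
            raise ValueError(f"unknown threshold type: {kind}")
        if notify:
            kept.append((ts, sid, src))
    return kept
```

With a limit of one event per 60 seconds on the first rule and the second rule suppressed for its one noisy source, the six sample events reduce to three notifications.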
You can also tune rules in the following ways:
• Modify existing rules, if necessary, using the rule editor so that they correspond to your network infrastructure.
• Write new standard text rules as needed using the Snort language and the rule editor to catch new exploits or to enforce your security policies.
For details on rule keywords, their arguments and syntax, and how to tune your