Cisco FirePOWER Appliance 7115, Version 5.3
Sourcefire 3D System User Guide, Chapter 20: Managing Rules in an Intrusion Policy
Filtering Intrusion Event Notification Per Policy
Page 773
5. Select the rule or rules where you want to set the rule state. You have the following options:
   • To select a specific rule, select the check box next to the rule.
   • To select all the rules in the current list, select the check box at the top of the column.
6. You have the following options:
   • To generate events when traffic matches the selected rules, select Rule State > Generate Events.
   • To generate events and drop the traffic in inline deployments when traffic matches the selected rules, select Rule State > Drop and Generate Events.
   • To not inspect traffic matching the selected rules, select Rule State > Disable.
IMPORTANT! Sourcefire strongly recommends that you do not enable all the intrusion rules in an intrusion policy. The performance of your managed device is likely to degrade if all the rules are enabled. Instead, tune your rule set to match your network environment as closely as possible.
7. Save your policy, continue editing, discard your changes, or exit while leaving
your changes in the system cache. See the
on page 722 for more information.
Filtering Intrusion Event Notification Per Policy
LICENSE: Protection
The importance of an intrusion event can be based on frequency of occurrence,
or source or destination IP address. In some cases you may not care about an
event until it has occurred a certain number of times. For example, you may not
be concerned if someone attempts to log into a server until they fail a certain
number of times. In other cases, you may only need to see a few occurrences to
know there is a widespread problem. For example, if a DoS attack is launched
against your web server, you may only need to see a few occurrences of an
intrusion event to know that you need to address the situation. Seeing hundreds
of the same event only overwhelms your system.
See the following sections for more information:
• on page 774 explains how to set thresholds that dictate how often (based on the number of occurrences) an event is displayed. You can configure thresholding per event, per policy.
• on page 780 explains how to suppress notification of specified events per source or destination IP address per policy.
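The following Python model is an added illustration and not Sourcefire code. It shows the two behaviours described above, suppressing notification until a source has triggered a rule a certain number of times (the failed-login case) and capping how many notifications a flood of identical events produces (the DoS case), together with suppression of a rule by source or destination address. The type names limit/threshold/both, the by-source/by-destination tracking and the count/seconds parameters are assumed to mirror the policy settings; the rule identifiers, addresses and events are constructed.

```python
"""Per-policy event thresholding and suppression, modelled in Python.

Added example, not Sourcefire's implementation. Threshold types are assumed:
  limit     - report only the first `count` matches per `seconds` window
  threshold - report every `count`-th match per window
  both      - report once per window, when the `count`-th match occurs
Tracking is per rule and per source ("by_src") or destination ("by_dst") address.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    sid: int     # intrusion rule identifier (constructed values below)
    src: str     # source IP address
    dst: str     # destination IP address
    ts: float    # event time in seconds


@dataclass
class Threshold:
    kind: str    # "limit", "threshold" or "both" (assumed names)
    track: str   # "by_src" or "by_dst"
    count: int
    seconds: int


@dataclass
class Suppression:
    track: str   # "by_src" or "by_dst"
    network: str  # CIDR whose events for this rule are never reported


class NotificationFilter:
    def __init__(self) -> None:
        self.thresholds: Dict[int, Threshold] = {}
        self.suppressions: Dict[int, List[Suppression]] = defaultdict(list)
        # (sid, tracked address) -> (window start, matches seen in window)
        self._state: Dict[Tuple[int, str], Tuple[Optional[float], int]] = {}

    def process(self, ev: Event) -> bool:
        """Return True if the event should be reported, False if filtered."""
        # Suppression is checked first, so suppressed traffic never consumes
        # threshold budget for the hosts you do want to hear about.
        for s in self.suppressions.get(ev.sid, []):
            addr = ev.src if s.track == "by_src" else ev.dst
            if ip_address(addr) in ip_network(s.network):
                return False
        th = self.thresholds.get(ev.sid)
        if th is None:
            return True  # no threshold: every occurrence is reported
        key = (ev.sid, ev.src if th.track == "by_src" else ev.dst)
        start, n = self._state.get(key, (None, 0))
        if start is None or ev.ts - start >= th.seconds:
            start, n = ev.ts, 0  # open a fresh counting window
        n += 1
        self._state[key] = (start, n)
        if th.kind == "limit":
            return n <= th.count
        if th.kind == "threshold":
            return n % th.count == 0
        if th.kind == "both":
            return n == th.count
        raise ValueError(f"unknown threshold type {th.kind!r}")


def run_demo() -> Dict[str, int]:
    """Constructed scenario; returns how many notifications each case produced."""
    f = NotificationFilter()
    # Failed logins (rule 1001): ignore a host until it fails 5 times in a minute.
    f.thresholds[1001] = Threshold("threshold", "by_src", 5, 60)
    # Flood against the web server (rule 2002): three notifications are enough.
    f.thresholds[2002] = Threshold("limit", "by_dst", 3, 60)
    # An authorised scanner range whose hits on rule 2002 are never reported.
    f.suppressions[2002].append(Suppression("by_src", "192.0.2.0/24"))

    events = (
        [Event(1001, "10.1.1.5", "10.0.0.10", 100 + i) for i in range(7)]
        + [Event(2002, f"198.51.100.{i % 200 + 1}", "10.0.0.80", 200 + i * 0.01)
           for i in range(100)]
        + [Event(2002, "192.0.2.9", "10.0.0.80", 300 + i) for i in range(20)]
    )
    counts = {"login_failures": 0, "web_flood": 0, "scanner": 0}
    for ev in events:
        if not f.process(ev):
            continue
        if ev.sid == 1001:
            counts["login_failures"] += 1
        elif ip_address(ev.src) in ip_network("192.0.2.0/24"):
            counts["scanner"] += 1
        else:
            counts["web_flood"] += 1
    return counts


if __name__ == "__main__":
    print(run_demo())
```

Seven login failures from one host produce a single notification (at the fifth failure), a hundred flood events against the web server produce three, and the suppressed scanner range produces none. The threshold for rule 2002 is tracked by destination, so a distributed flood from many sources is still collapsed into one budget for the targeted server.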