Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Filtering Rules in an Intrusion Policy
Understanding Rule Configuration Filters
License: Protection
You can filter the rules listed in the Rules page by several rule configuration settings. For example, if you want to view the set of rules whose rule state does not match the recommended rule state, you can filter on rule state by selecting Does not match recommendation.
When you select a keyword by clicking on a node in the criteria list, a pop-up window appears, where you supply the argument you want to filter by.
If that keyword is already used in the filter, the argument you supply replaces the existing argument for that keyword.
For example, if you click Drop and Generate Events under Rule Configuration > Recommendation in the filter panel, Recommendation:"Drop and Generate Events" is added to the filter text box. If you then click Generate Events under Rule Configuration > Recommendation, the filter changes to Recommendation:"Generate Events".
See the following procedures for more information on the rule configuration settings you can use to filter.
To use the Rule State filter:
Access: Admin/Intrusion Admin
Step 1 Under Rule Configuration, click Rule State.
Step 2 Select the rule state to filter by:
• To find rules that only generate events, select Generate Events, and click OK.
• To find rules that are set to generate events and drop the matching packet, select Drop and Generate Events, and click OK.
• To find disabled rules, select Disabled, and click OK.
• To find rules whose rule state does not match the recommended state, select Does not match recommendation, and click OK.
Table 21-4 Rule Filter Groups (continued)
| Filter Group | Description | Multiple Argument Support? | Heading is... | Items in List are... |
|---|---|---|---|---|
| Priority | Finds rules according to high, medium, and low priorities. The classification assigned to a rule determines its priority. These groups are further grouped into rule categories. Note that local rules (that is, rules that you create) do not appear in the priority groups. | Yes | A keyword | arguments. Note that if you pick one of the items from the sub-list, it adds a modifier to the argument. |
| Rule Update | Finds rules added or modified through a specific rule update. For each rule update, view all rules in the update, only new rules imported in the update, or only existing rules changed by the update. | No | A keyword | arguments |