Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 21      Managing Rules in an Intrusion Policy 
  Filtering Intrusion Event Notification Per Policy
  • Select Rule to completely suppress events for a selected rule.
  • Select Source to suppress events generated by packets originating from a specified source IP address.
  • Select Destination to suppress events generated by packets going to a specified destination IP address.
Step 8
If you selected Source or Destination for the suppression type, in the Network field enter the IP address, address block, or variable you want to specify as the source or destination IP address, or a comma-separated list comprised of any combination of these.
For information on using IPv4 CIDR and IPv6 prefix length address blocks in the FireSIGHT System, see
Step 9
Click OK.
The system adds your suppression conditions and displays an event filter icon next to the rule in the Event Filtering column next to the suppressed rule. If you add multiple event filters to a rule, a number over the icon indicates the number of event filters.
Step 10
Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. See the table for more information.
Viewing and Deleting Suppression Conditions
License: Protection
You may want to view or delete an existing suppression condition. For example, you can suppress event 
notification for packets originating from a mail server IP address because the mail server normally 
transmits packets that look like exploits. If you then decommission that mail server and reassign the IP 
address to another host, you should delete the suppression conditions for that source IP address.
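The stale-suppression check described in the paragraph above can be scripted against an asset inventory. This is an added example, not part of the Cisco guide or the FireSIGHT System: it assumes the suppression conditions and the inventory have been transcribed by hand into Python structures, that variables are written with a leading $, and all rule IDs, roles and addresses are constructed. It parses the Network value as the comma-separated list of addresses, address blocks and variables described in Step 8.

```python
import ipaddress

# Constructed sample data: (rule ID, suppression type, Network field value).
SUPPRESSIONS = [
    ("1:1000001", "Source", "192.0.2.25"),
    ("1:1000002", "Destination", "198.51.100.0/24, 2001:db8:10::/64"),
    ("1:1000003", "Source", "$MAIL_SERVERS, 203.0.113.7"),
    ("1:1000004", "Destination", "203.0.113.99"),
    ("1:1000005", "Rule", ""),
]
# Constructed inventory: address -> role the host at that address has today.
INVENTORY = {
    "192.0.2.25": "workstation",  # address once held by a mail server
    "198.51.100.14": "mail-server",
    "2001:db8:10::5": "mail-server",
    "203.0.113.7": "mail-server",
}

def parse_network_field(value):
    """Split a Network value into (address blocks, variables); a bare IP is one host."""
    networks, variables = [], []
    for item in (part.strip() for part in value.split(",")):
        if item.startswith("$"):
            variables.append(item)  # assumed variable syntax; needs its definition
        elif item:
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks, variables

def audit(suppressions, inventory, expected_role):
    """List Source/Destination suppressions that no longer cover only expected hosts."""
    findings = []
    hosts = [(ipaddress.ip_address(a), r) for a, r in inventory.items()]
    for rule, kind, value in suppressions:
        if kind == "Rule":
            continue  # whole-rule suppression has no address that can go stale
        networks, variables = parse_network_field(value)
        findings += [(rule, kind, v, "variable: resolve before judging") for v in variables]
        for net in networks:
            covered = [(ip, r) for ip, r in hosts if ip.version == net.version and ip in net]
            if not covered:
                findings.append((rule, kind, str(net), "no host in inventory"))
            for ip, role in covered:
                if role != expected_role:
                    findings.append((rule, kind, str(ip), f"reassigned to {role}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SUPPRESSIONS, INVENTORY, "mail-server"):
        print(*finding, sep="  ")
```

Each finding is a suppression condition to review and, if the address no longer belongs to the host it was written for, delete using the procedure that follows.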
To view or delete a defined suppression condition:
Access: Admin/Intrusion Admin
Step 1
Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2
Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3
Click Manage Rules.
The Rules page appears. By default, the page lists rules alphabetically by message.
Step 4
Locate the rule or rules where you want to view or delete suppressions. You have the following options:
  • To sort the current display, click on a column heading or icon. To reverse the sort, click again.
  • Construct a filter by clicking on keywords or arguments in the filter panel on the left. For more information, see the following topics:
The page refreshes to display all matching rules.