Cisco FirePOWER Appliance 8360
FireSIGHT System User Guide, page 24-6
Chapter 24 Using Performance Settings in an Intrusion Policy
Understanding Rule Latency Thresholding
The trade-off for the performance and latency benefits of latency thresholding is that packets which are
not evaluated against a suspended group of rules could contain attacks those rules would have detected.
Rule latency thresholding is therefore a tool you can use to balance security against connectivity.
When you enable rule latency thresholding, a timer measures the processing time each time a packet is
processed against a group of rules. Any time the rule processing time exceeds a specified rule latency
threshold, the system increments a counter. If the number of consecutive threshold violations reaches a
specified number, the system takes the following actions:
• suspends the rules for the specified period
• triggers an event indicating the rules have been suspended
• re-enables the rules when the suspension expires
• triggers an event indicating the rules have been re-enabled
The system zeroes the counter when the group of rules is suspended, and also whenever a packet is
processed without violating the threshold, so that only consecutive violations are counted. Requiring
several consecutive violations before suspending rules lets you ignore occasional violations that have
negligible impact on performance and focus instead on rules that repeatedly exceed the rule latency threshold.
The following example shows five consecutive rule processing times that do not result in rule
suspension.
In the above example, the time required to process each of the first three packets violates the rule latency
threshold of 1000 microseconds, and the violations counter increments with each violation. Processing
of the fourth packet does not violate the threshold, and the violations counter resets to zero. The fifth
packet violates the threshold and the violations counter restarts at one.
The following example shows five consecutive rule processing times that do result in rule suspension.
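The counter behaviour of both sequences, as an added example written for this page (it is illustration code, not FireSIGHT or Snort code): the threshold is the 1000 microseconds used above; the limit of five consecutive violations, the 10-second suspension period and the one-second packet spacing are assumed values for the simulation. The second sequence is carried past the suspension to show packets bypassing the suspended group and the re-enable event that follows.

```python
"""Simulation of rule latency thresholding as described above.

Added illustration for this page; it is not FireSIGHT or Snort code.
It models one group of rules: a timer per packet, a consecutive-
violation counter, suspension once the counter reaches a limit, an
event on suspension, and an event when the group is re-enabled.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RuleGroupLatency:
    threshold_us: int            # rule latency threshold in microseconds
    consecutive_limit: int       # consecutive violations before suspension (assumed: 5)
    suspend_period_s: float      # how long the group stays suspended (assumed: 10 s)
    violations: int = 0          # consecutive-violation counter
    suspended_until: Optional[float] = None
    events: List[Tuple[str, float]] = field(default_factory=list)

    def process(self, processing_time_us: int, now_s: float) -> bool:
        """Account for one packet. Returns True if the group inspected it,
        False if the packet bypassed the group because it was suspended."""
        if self.suspended_until is not None:
            if now_s < self.suspended_until:
                return False                      # still suspended: not inspected
            self.suspended_until = None           # suspension expired
            self.events.append(("re-enabled", now_s))

        if processing_time_us > self.threshold_us:
            self.violations += 1                  # consecutive violation
        else:
            self.violations = 0                   # streak broken: counter resets

        if self.violations >= self.consecutive_limit:
            self.suspended_until = now_s + self.suspend_period_s
            self.violations = 0                   # counter zeroed on suspension
            self.events.append(("suspended", now_s))
        return True


# Constructed processing times in microseconds for the two sequences
# discussed above (threshold 1000 us).
NO_SUSPENSION = [1200, 1500, 1100, 800, 1300]   # streak broken by the fourth packet
SUSPENSION = [1200, 1500, 1100, 1400, 1300]     # five consecutive violations


def run(times_us, threshold_us=1000, consecutive_limit=5,
        suspend_period_s=10.0, interval_s=1.0):
    """Feed one packet every interval_s seconds; return the counter value
    after each packet, whether each packet was inspected, and the events."""
    group = RuleGroupLatency(threshold_us, consecutive_limit, suspend_period_s)
    counters, inspected = [], []
    for i, t in enumerate(times_us):
        inspected.append(group.process(t, now_s=i * interval_s))
        counters.append(group.violations)
    return counters, inspected, group.events


if __name__ == "__main__":
    for name, seq in (("no suspension", NO_SUSPENSION),
                      ("suspension", SUSPENSION + [900] * 12)):
        counters, inspected, events = run(seq)
        print(name, counters, inspected, events)
```

With these assumed settings the first sequence leaves the counter at 1, 2, 3, 0, 1 and raises no event; the second reaches the limit on the fifth packet, at which point the counter is zeroed, the group is suspended for 10 seconds (nine subsequent packets bypass it), and the group is re-enabled with a second event when the period expires.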