For Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Filtering Rules in an Intrusion Policy
To use the Dynamic State filter:
Access: Admin/Intrusion Admin
Step 1 Under Rule Configuration, click Dynamic State.
Step 2 Select the suppression setting to filter by:
• To find rules where a dynamic state is configured for packets inspected by that rule, select Rule, and click OK.
• To find rules where a dynamic state is configured for packets based on the source of the traffic, select Source, and click OK.
• To find rules where a dynamic state is configured based on the destination of the traffic, select Destination, and click OK.
• To find rules where a dynamic state of Generate Events is configured, select Generate Events, and click OK.
• To find rules where a dynamic state of Drop and Generate Events is configured, select Drop and Generate Events, and click OK.
• To find rules where a dynamic state of Disabled is configured, select Disabled, and click OK.
• To find any rule with suppression set, select All, and click OK.
The Rules page updates to display rules where the dynamic rule state indicated in the filter has been applied to the rule.
To use the Comment filter:
Access: Admin/Intrusion Admin
Step 1 Under Rule Configuration, click Comment.
Step 2 Type the string of comment text to filter by.
The Rules page updates to display rules where comments applied to the rule contain the string indicated in the filter.
Understanding Rule Content Filters
License: Protection
You can filter the rules listed in the Rules page by several rule content items. For example, you can quickly retrieve a rule by searching for the rule SID. You can also find all rules that inspect traffic going to a specific destination port.
When you select a keyword by clicking on a node in the criteria list, a pop-up window appears, where you supply the argument you want to filter by.
If that keyword is already used in the filter, the argument you supply replaces the existing argument for that keyword.
For example, if you click SID under Rule Content in the filter panel, a pop-up window appears, prompting you to supply a SID. If you type 1045, then SID:"1045" is added to the filter text box. If you then click SID again and change the SID filter to 1044, the filter changes to SID:"1044".