Cisco Firepower Management Center 4000
39-8
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Table 39-2    Syntax for Intrusion Events (continued)

If you specify...    Select an operator, then...

Generator ID
    Select one or more preprocessors. See ... for more information about available preprocessors.

Impact Flag
    Select the impact level assigned to the intrusion event. You select any of the following along with operators that specify is, is not, is greater than, and so on:
    • 0 — gray (Unknown)
    • 1 — red (Vulnerable)
    • 2 — orange (Potentially Vulnerable)
    • 3 — yellow (Currently Not Vulnerable)
    • 4 — blue (Unknown Target)

    Note: Because there is no operating system information available for hosts added to the network map based on NetFlow data, the Defense Center cannot assign Vulnerable (level 1: red) impact levels for intrusion events involving those hosts, unless you use the host input feature to manually set the host operating system identity. For more information, see ... .

Inline Result
    Select either:
    • dropped, to specify whether the packet was dropped in an inline, switched, or routed deployment
    • would have dropped, to specify whether the packet would have dropped if the intrusion policy had been set to drop packets in an inline, switched, or routed deployment

    Note that the system does not drop packets in a passive deployment, including when an inline set is in tap mode, regardless of the rule state or the drop behavior of the intrusion policy. For more information, see ..., and ... .

Intrusion Policy
    Select one or more intrusion policies that generated the intrusion event.

IOC Tag
    Select whether an IOC tag is or is not set as a result of the intrusion event.

Priority
    Select the rule priority: low, medium, or high.
    For rule-based intrusion events, the priority corresponds to either the value of the priority keyword or the value for the classtype keyword. For other intrusion events, the priority is determined by the decoder or preprocessor.

Protocol

Rule Message
    Type all or part of the rule message.

Rule SID
    Type a single Snort ID number (SID) or multiple SIDs separated by commas.

    Note: If you choose is in or is not in as the operator, you cannot use the multi-selection pop-up window. You must type a comma-separated list of SIDs.

Rule Type
    Specify whether the rule is or is not local. Local rules include custom standard text intrusion rules, standard text rules that you modified, and any new instances of shared object rules created when you saved the rule with modified header information. For more information, see ... .
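As an added illustration (not part of the Cisco guide), the following Python evaluator applies the condition syntax in this table to constructed intrusion-event records: impact-flag comparisons over the numeric levels 0 to 4, is in / is not in over a typed comma-separated SID list, and the is / is not checks for IOC Tag and Inline Result. The event structure, field names and SID values are assumptions made for the example, not the FireSIGHT data model.

```python
# Added example: a minimal evaluator for the intrusion-event condition syntax in
# Table 39-2. Event records and field names are constructed for illustration
# and are not the FireSIGHT data model.
import operator

# The five impact levels listed under Impact Flag; the operators compare numerically.
IMPACT_LEVELS = {
    0: "gray (Unknown)", 1: "red (Vulnerable)", 2: "orange (Potentially Vulnerable)",
    3: "yellow (Currently Not Vulnerable)", 4: "blue (Unknown Target)",
}

def parse_sid_list(text):
    """'is in' / 'is not in' take a typed, comma-separated SID list (no pop-up)."""
    sids = set()
    for part in text.split(","):
        part = part.strip()
        if part:
            sids.add(int(part))  # a non-numeric entry raises ValueError
    return sids

OPERATORS = {
    "is": operator.eq,
    "is not": operator.ne,
    "is greater than": operator.gt,
    "is in": lambda value, text: value in parse_sid_list(text),
    "is not in": lambda value, text: value not in parse_sid_list(text),
}

def matches(conditions, event):
    """True when the event satisfies every (field, operator, value) condition."""
    for field, op, value in conditions:
        if field == "impact_flag" and value not in IMPACT_LEVELS:
            raise ValueError("impact level must be 0-4")
        if not OPERATORS[op](event[field], value):
            return False
    return True

# Constructed events. The second models the note above: a host learned only from
# NetFlow has no OS identity, so it cannot receive level 1 and is reported as 4.
EVENTS = [
    {"sid": 1000001, "impact_flag": 1, "inline_result": "dropped", "ioc_tag": True},
    {"sid": 2000002, "impact_flag": 4, "inline_result": "would have dropped", "ioc_tag": False},
]

def matching_sids(conditions, events=EVENTS):
    """SIDs of the events that satisfy all conditions, in input order."""
    return [e["sid"] for e in events if matches(conditions, e)]
```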