Cisco Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 21      Managing Rules in an Intrusion Policy 
You can specify a single IP address, address block, variable, or a comma-separated list comprised of any combination of these. For information on using IPv4 CIDR and IPv6 prefix length address blocks in the FireSIGHT System, see
Step 9  Indicate the number of rule matches per time period to set the attack rate:
  • In the Count field, using an integer between 1 and 2147483647, specify the number of rule matches you want to use as your threshold.
  • In the Seconds field, using an integer between 1 and 2147483647, specify the number of seconds that make up the time period for which attacks are tracked.
Step 10  Select a New State radio button to specify the new action to be taken when the conditions are met:
  • Select Generate Events to generate an event.
  • Select Drop and Generate Events to generate an event and drop the packet that triggered the event in inline deployments or generate an event in passive deployments.
  • Select Disabled to take no action.
Step 11  In the Timeout field, type the number of seconds you want the new action to remain in effect. After the timeout occurs, the rule reverts to its original state. Specify 0 or leave the Timeout field blank to prevent the new action from timing out.
Step 12  Click OK.
The system adds the dynamic rule state and displays a dynamic state icon next to the rule in the Dynamic State column. If you add multiple dynamic rule state filters to a rule, a number over the icon indicates the number of filters.
If any required fields are left blank, you receive an error message indicating which fields you must fill.
Tip  To delete all dynamic rule settings for a set of rules, select the rules on the Rules page, then select Dynamic State > Remove Rate-Based States. You can also delete individual rate-based rule state filters from the rule details for the rule by selecting the rule, clicking Show details, then clicking Delete by the rate-based filter you want to remove.
Step 13  Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. See the table for more information.
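
The following Python model is an added example, not part of the Cisco guide or of the product's code. It shows how the Count, Seconds, New State, and Timeout fields from Steps 9 through 11 interact over a series of rule matches. The class and function names are hypothetical, and the sliding-window counting and the rule's original state of Generate Events are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

MAX_INT = 2147483647  # upper bound the guide gives for Count and Seconds
STATES = ("Generate Events", "Drop and Generate Events", "Disabled")

@dataclass
class DynamicRuleState:  # hypothetical name, models one rate-based filter
    count: int                # Count: rule matches that trigger the change
    seconds: int              # Seconds: length of the tracking period
    new_state: str            # New State radio button
    timeout: int = 0          # Timeout: 0 (or blank) never times out
    original_state: str = "Generate Events"  # assumed state before the filter
    _matches: deque = field(default_factory=deque)
    _triggered_at: Optional[float] = None

    def __post_init__(self):
        if not (1 <= self.count <= MAX_INT and 1 <= self.seconds <= MAX_INT):
            raise ValueError("Count and Seconds must be integers from 1 to 2147483647")
        if self.new_state not in STATES or self.timeout < 0:
            raise ValueError("invalid New State or Timeout")

    def on_match(self, now: float) -> str:
        """Record a rule match at time `now` (seconds); return the state applied to it."""
        if self._triggered_at is not None:
            # Timeout 0 keeps the new state; otherwise revert once it has elapsed.
            if self.timeout == 0 or now - self._triggered_at < self.timeout:
                return self.new_state
            self._triggered_at = None
            self._matches.clear()
        self._matches.append(now)
        # Assumption: sliding window; drop matches older than the tracking period.
        while now - self._matches[0] >= self.seconds:
            self._matches.popleft()
        if len(self._matches) >= self.count:
            self._triggered_at = now
            return self.new_state
        return self.original_state

def simulate(rule_state: DynamicRuleState, match_times):
    """Return the state applied to each match, in order."""
    return [rule_state.on_match(t) for t in match_times]

# Constructed sample: 3 matches within 10 seconds switch the rule to drop for 30 seconds.
SAMPLE_TIMES = [0, 4, 8, 9, 20, 45, 46]
if __name__ == "__main__":
    f = DynamicRuleState(3, 10, "Drop and Generate Events", timeout=30)
    for t, s in zip(SAMPLE_TIMES, simulate(f, SAMPLE_TIMES)):
        print(f"t={t:>2}s -> {s}")
```

With a Timeout of 0, the same sample never reverts, so a filter left without a timeout keeps dropping traffic until the rate-based state is removed.
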

Adding Alerts
License: Protection
If you configure SNMP alerting for your FireSIGHT System, you can add an alert to specific rules in your intrusion policy. For more information, see

Adding SNMP Alerts
License: Protection
If you configure an SNMP alert for your FireSIGHT System, you can configure rules within an intrusion policy to use that alert when traffic matches the rule and an event is generated.