Intrusion Rule State Options

In an intrusion policy, you can set a rule’s state to the following values:

Generate Events

You want the system to detect a specific intrusion attempt and generate an intrusion event when it finds matching traffic. When a malicious packet crosses your network and triggers the rule, the packet is sent on to its destination and the system generates an intrusion event. The malicious packet reaches its target, but you are notified through the event logging.

Drop and Generate Events

You want the system to detect a specific intrusion attempt, drop the packet containing the attack, and generate an intrusion event when it finds matching traffic. The malicious packet never reaches its target, and you are notified via the event logging.

Rules set to this state generate events but do not drop packets in a passive deployment. For the system to drop packets, Drop when Inline must also be enabled (the default setting) in your intrusion policy and you must deploy your device inline.

Disable

You do not want the system to evaluate matching traffic.

Note

Choosing either the Generate Events or Drop and Generate Events options enables the rule. Choosing Disable disables the rule.
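As an added illustration (not Cisco's code or the system's implementation), the following Python models how a rule's state, the policy's Drop when Inline setting and the deployment mode combine into the two outcomes described above: whether an intrusion event is logged and whether the packet is dropped. The rule patterns and packets are constructed samples.

```python
from dataclasses import dataclass
from enum import Enum


class RuleState(Enum):
    GENERATE_EVENTS = "Generate Events"
    DROP_AND_GENERATE_EVENTS = "Drop and Generate Events"
    DISABLE = "Disable"


@dataclass
class Verdict:
    event: bool    # an intrusion event is generated
    dropped: bool  # the packet never reaches its destination


def evaluate(state, matched, inline, drop_when_inline=True):
    """Resolve one rule against one packet.

    Disabled rules are not evaluated at all. Generate Events only logs.
    Drop and Generate Events always logs, but drops only when the device is
    deployed inline AND the policy's Drop when Inline setting is on; in a
    passive deployment it behaves like Generate Events.
    """
    if state is RuleState.DISABLE or not matched:
        return Verdict(event=False, dropped=False)
    if state is RuleState.GENERATE_EVENTS:
        return Verdict(event=True, dropped=False)
    return Verdict(event=True, dropped=inline and drop_when_inline)


def apply_policy(packets, rules, inline, drop_when_inline=True):
    """Run every (pattern, state) rule over every packet.

    Returns (events, forwarded): events as (pattern, packet) pairs, and the
    packets that were allowed through to their destination.
    """
    events, forwarded = [], []
    for pkt in packets:
        drop = False
        for pattern, state in rules:
            verdict = evaluate(state, pattern in pkt, inline, drop_when_inline)
            if verdict.event:
                events.append((pattern, pkt))
            drop = drop or verdict.dropped
        if not drop:
            forwarded.append(pkt)
    return events, forwarded


# Constructed sample traffic and rules (hypothetical signature strings).
SAMPLE_PACKETS = [b"ordinary request", b"payload with SIG-ALPHA", b"payload with SIG-BETA"]
SAMPLE_RULES = [
    (b"SIG-ALPHA", RuleState.DROP_AND_GENERATE_EVENTS),
    (b"SIG-BETA", RuleState.GENERATE_EVENTS),
]
```

Running `apply_policy(SAMPLE_PACKETS, SAMPLE_RULES, inline=False)` shows both signatures logged but all three packets forwarded; switching to `inline=True` forwards only two.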

Cisco strongly recommends that you do not enable all the intrusion rules in an intrusion policy. The performance of your managed device is likely to degrade if all rules are enabled. Instead, tune your rule set to match your network environment as closely as possible.