Adding and Modifying Intrusion Event Thresholds
You can set a threshold for one or more specific rules in an intrusion policy. You can also separately or simultaneously modify existing threshold settings. You can set a single threshold for each. Adding a threshold overwrites any existing threshold for the rule.
You can also modify the global threshold that applies by default to all rules and preprocessor-generated events associated with the intrusion policy.
A Revert appears in a field when you enter an invalid value; click it to revert to the last valid value for that field or to clear the field if there was no previous value.
Tip | A global or individual threshold on a managed device with multiple CPUs may result in a higher number of events than expected. |
Procedure
Step 1 | Choose . | ||
Step 2 | Click Snort 2 Version next to the policy you want to edit. If View ( | ||
Step 3 | Click Rules immediately under Policy Information in the navigation pane. | ||
Step 4 | Choose the rule or rules where you want to set a threshold. | ||
Step 5 | Choose . | ||
Step 6 | Choose a threshold type from the Type drop-down list. | ||
Step 7 | From the Track By drop-down list, choose whether you want the event instances tracked by Source or Destination IP address. | ||
Step 8 | Enter a value in the Count field. | ||
Step 9 | Enter a value in the Seconds field. | ||
Step 10 | Click OK.
| ||
Step 11 | To save changes you made in this policy since the last policy commit, click Policy Information, then click Commit Changes. If you leave the policy without committing changes, changes since the last commit are discarded if you edit a different policy. |
)What to do next
-
Deploy configuration changes.