Setting a Dynamic Rule State from the Rule Details Page

You can set one or more dynamic rule states for a rule. The first dynamic rule state listed has the highest priority. When two dynamic rule states conflict, the action of the first is carried out.

Dynamic rule states are policy-specific.

Note that a Revert icon appears in a field when you enter an invalid value; click it to revert to the last valid value for that field, or to clear the field if there was no previous value.

Procedure


Step 1

From an intrusion rule’s details, click Add next to Dynamic State.

Step 2

From the Track By drop-down list, choose an option to indicate how you want the rule matches tracked:

  • Choose Source to track the number of hits for that rule from a specific source or set of sources.
  • Choose Destination to track the number of hits for that rule to a specific destination or set of destinations.
  • Choose Rule to track all matches for that rule.

Step 3

If you set Track By to Source or Destination, enter the IP address of each host you want to track in the Network field.

Step 4

Next to Rate, specify the number of rule matches per time period to set the attack rate:

  • In the Count field, specify the number of rule matches you want to use as your threshold.
  • In the Seconds field, specify the number of seconds that make up the time period for which attacks are tracked.

Step 5

From the New State drop-down list, choose the new action to be taken when the conditions are met.

Step 6

Enter a value in the Timeout field.

After the timeout occurs, the rule reverts to its original state. Enter 0 to prevent the new action from timing out.

Step 7

Click OK.

Tip

The system displays a dynamic state icon next to the rule in the Dynamic State column. If you add multiple dynamic rule state filters to a rule, a number over the filters indicates the number of filters.
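
The following Python sketch is an added example, not code from the product: it models how the Track By, Network, Count, Seconds, New State and Timeout fields from the procedure interact, and how the first listed dynamic rule state wins when two apply. It assumes a sliding time window, that the match reaching the threshold already gets the new state, and that counting restarts after a timeout; the state names and addresses are constructed sample values.

```python
from collections import defaultdict, deque

class DynamicState:
    """Simplified model of one dynamic rule state; fields mirror the form."""
    def __init__(self, track_by, count, seconds, new_state, timeout, network=()):
        self.track_by, self.count, self.seconds = track_by, count, seconds
        self.new_state, self.timeout = new_state, timeout
        self.network = set(network)      # hosts entered in the Network field
        self.hits = defaultdict(deque)   # tracking key -> recent match times
        self.active_since = {}           # tracking key -> when new state began

    def _key(self, src, dst):
        if self.track_by == "Rule":
            return "rule"                # one counter for all matches
        host = src if self.track_by == "Source" else dst
        return host if host in self.network else None

    def observe(self, now, src, dst):
        """Record one rule match; return new_state if it applies, else None."""
        key = self._key(src, dst)
        if key is None:
            return None
        start = self.active_since.get(key)
        if start is not None:
            if self.timeout == 0 or now - start < self.timeout:
                return self.new_state    # Timeout 0 never reverts
            del self.active_since[key]   # timeout elapsed: revert and recount
            self.hits[key].clear()
        window = self.hits[key]
        window.append(now)
        while window and now - window[0] >= self.seconds:
            window.popleft()
        if len(window) >= self.count:    # Count matches within Seconds
            self.active_since[key] = now
            return self.new_state
        return None

def rule_state(original, dynamic_states, now, src, dst):
    """Every entry sees the match; the first listed entry that applies wins."""
    results = [d.observe(now, src, dst) for d in dynamic_states]
    return next((r for r in results if r is not None), original)

def demo():
    # Constructed sample: documentation-range addresses, times in seconds.
    states = [DynamicState("Source", 3, 10, "Drop and Generate Events", 20, ["192.0.2.10"]),
              DynamicState("Rule", 2, 10, "Disabled", 0)]
    return [rule_state("Generate Events", states, t, "192.0.2.10", "203.0.113.5")
            for t in (0, 1, 2, 30)]
```

In `demo()`, the second entry applies first at t=1, the first entry overrides it at t=2 because it is listed first, and at t=30 the first entry has timed out while the second, with Timeout 0, still applies.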