Setting a Rule Filter in an Intrusion Policy

You can filter the rules on the Rules page to display a subset of rules. You can then use any of the page features, including those available in the context menu. This can be useful, for example, when you want to set a threshold for all the rules in a specific category. You can use the same features with rules in a filtered or unfiltered list. For example, you can apply new rule states to rules in a filtered or unfiltered list.

All filter keywords, keyword arguments, and character strings are case-insensitive. If you click an argument for a keyword already in the filter, it replaces the existing argument.

Procedure


Step 1

Choose Policies > Access Control > Intrusion.

Step 2

Click Snort 2 Version next to the policy you want to edit.

If View (View button) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 3

Construct a filter using any of the following methods, separately or in combination:

  • Enter a value in the Filter text box, and press Enter.
  • Expand any of the predefined keywords. For example, click Rule Configuration.
  • Click a keyword, and specify an argument value if prompted. For example:
    • Under Rule Configuration, you could click Rule State, choose Generate Events from the drop-down list, and click OK.
    • Under Rule Configuration, you could click Comment, enter the string of comment text to filter by, and click OK.
    • Under Category, you could click app-detect, which the system uses as the argument value.

  • Expand a keyword, and click an argument value. For example, expand Rule State and click Generate Events.