Setting a Threshold for an Intrusion Rule

You can set a single threshold for a rule from the Rule Detail page. Adding a threshold overwrites any existing threshold for the rule.

Note that a Revert icon appears in a field when you enter an invalid value; click it to revert to the last valid value for that field or to clear the field if there was no previous value.

Procedure


Step 1

From an intrusion rule’s details, click Add next to Thresholds.

Step 2

From the Type drop-down list, choose the type of threshold you want to set:

  • Choose Limit to limit notification to the specified number of event instances per time period.
  • Choose Threshold to provide notification for each specified number of event instances per time period.
  • Choose Both to provide notification once per time period after a specified number of event instances.

Step 3

From the Track By drop-down list, choose Source or Destination to indicate whether you want the event instances tracked by source or destination IP address.

Step 4

In the Count field, enter the number of event instances you want to use as your threshold.

Step 5

In the Seconds field, enter a number that specifies the time period, in seconds, for which event instances are tracked.

Step 6

Click OK.

Tip

The system displays an Event Filter icon next to the rule in the Event Filtering column. If you add multiple event filters to a rule, the system includes an indication of the number of event filters.
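
To compare the effect of the Type, Track By, Count and Seconds choices before applying them to a rule, the following Python model replays a constructed event stream through each threshold type. It is an added example, not code from the product. It assumes that a time period opens at the first event seen for a tracked IP address and that the next event after it expires opens a new one; the names `Event`, `notifications` and `SAMPLE` are hypothetical.

```python
from collections import namedtuple

Event = namedtuple("Event", "t src dst")  # t = seconds since start of capture

def notifications(events, type_, track_by, count, seconds):
    """Return the events that would produce a notification.

    Assumed model (not taken from the product): per tracked IP address, a
    period opens at the first event and lasts `seconds`; the first event
    after it expires opens a new period and resets the counter.
    """
    if type_ not in ("limit", "threshold", "both"):
        raise ValueError("type_ must be limit, threshold or both")
    if track_by not in ("source", "destination"):
        raise ValueError("track_by must be source or destination")
    if count < 1 or seconds < 1:
        raise ValueError("count and seconds must be positive")
    state = {}  # tracked IP -> [period_start, events_seen_in_period]
    out = []
    for ev in sorted(events, key=lambda e: e.t):
        key = ev.src if track_by == "source" else ev.dst
        period = state.get(key)
        if period is None or ev.t - period[0] >= seconds:
            period = state[key] = [ev.t, 0]
        period[1] += 1
        seen = period[1]
        if type_ == "limit":        # the first `count` events per period
            notify = seen <= count
        elif type_ == "threshold":  # every `count`-th event per period
            notify = seen % count == 0
        else:                       # both: once per period, on event `count`
            notify = seen == count
        if notify:
            out.append(ev)
    return out

# Constructed sample: one noisy source, one quiet source, same destination.
# Addresses are documentation ranges, not real hosts.
SAMPLE = (
    [Event(t, "192.0.2.10", "198.51.100.5") for t in range(10)]
    + [Event(t, "192.0.2.20", "198.51.100.5") for t in (3, 4)]
    + [Event(65, "192.0.2.10", "198.51.100.5")]
)

if __name__ == "__main__":
    for track_by in ("source", "destination"):
        for type_ in ("limit", "threshold", "both"):
            hits = notifications(SAMPLE, type_, track_by, count=3, seconds=60)
            print(f"{track_by:11} {type_:9} -> {len(hits)} notifications "
                  f"at t={[e.t for e in hits]}")
```

In this model, tracking by source keeps the quiet host visible under Limit but hides it under Threshold and Both, because it never reaches the count. Tracking by destination merges both sources into one counter.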