Globally Limiting Intrusion Event Logging

Similar documents
SCADA Preprocessors. Introduction to SCADA Preprocessors. The Modbus Preprocessor

Detecting Specific Threats

Sensitive Data Detection

Getting Started with Network Analysis Policies

Intrusion Prevention Performance Tuning

About Advanced Access Control Settings for Network Analysis and Intrusion Policies

The following topics describe how to configure correlation policies and rules.

External Alerting for Intrusion Events

Application Layer Preprocessors

Connection Logging. Introduction to Connection Logging

The Intrusion Rules Editor

Connection Logging. About Connection Logging

Task Scheduling. Introduction to Task Scheduling. Configuring a Recurring Task

* Knowledge of Adaptive Security Appliance (ASA) firewall, Adaptive Security Device Manager (ASDM).

The Intrusion Rules Editor

The Intrusion Rules Editor

Getting Started with Access Control Policies

Start Creating SSL Policies

IPS Device Deployments and Configuration

Access Control Using Intrusion and File Policies

Access Control Using Intrusion and File Policies

The following topics describe how to manage various policies on the Firepower Management Center:

Access Control Rules: Network-Based

Intelligent Application Bypass

The following topics describe how to configure traffic profiles:

Device Management Basics

DNS Policies. DNS Policy Overview. The following topics explain DNS policies, DNS rules, and how to deploy DNS policies to managed devices.

System Software Updates

Configuration Import and Export

Device Management Basics

Configuration Import and Export

Host Identity Sources

Device Management Basics

The following topics describe how to use dashboards in the Firepower System:

Aggregate Interfaces and LACP

Prefiltering and Prefilter Policies

Licensing the Firepower System

Configuring Dashboards

Workflows. Overview: Workflows

Workflows. Overview: Workflows

Workflows. Overview: Workflows. The following topics describe how to use workflows:

Cisco Threat Intelligence Director (TID)

Access Control Using Intelligent Application Bypass

File Policies and AMP for Firepower

File Policies and Advanced Malware Protection

Network Discovery Policies

IBM Proventia Management SiteProtector Policies and Responses Configuration Guide

Searching for Events. Event Searches. The following topics describe how to search for events within a workflow:

The following topics explain how to get started configuring Firepower Threat Defense. Table 1: Firepower Device Manager Supported Models

Licensing the Firepower System

Access Control Rules: Realms and Users

Monitoring the Device

Company. Business Online Banking Admin - Company. Company - Profile. Company - BAI Settings

Licensing the Firepower System

User Accounts for Management Access

Restoring Files and Folders

Backup and Restore Introduction

Chapter 21 RIP Configuration Guidelines

Configuring Logging for Access Lists

Introduction to Network Discovery and Identity

Mobility Services CAS. wips CHAPTER

Cisco Threat Intelligence Director (TID)

User Identity Sources

Quality of Service (QoS) for Firepower Threat Defense

Smart Call Home Web Application

The following topics describe how to audit activity on your system:

Introduction to Network Discovery and Identity

Configuring Logging for Access Lists

User Identity Sources

Rule Management: Common Characteristics

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

Deployment Guide: Routing Mode with No DMZ

Realms and Identity Policies

DHCP and DDNS Services for Threat Defense

The following topics describe how to use backup and restore features in the Firepower System:

Classic Device Management Basics

Configuring Anomaly Detection

Configuring Event Monitoring

Configuring RIP. Information About RIP CHAPTER

Firepower Threat Defense Site-to-site VPNs

Oracle Enterprise Manager. 1 Before You Install. System Monitoring Plug-in for Oracle Unified Directory User's Guide Release 1.0

IP Multicast Optimization: Optimizing PIM Sparse Mode in a Large IP Multicast Deployment

File Reputation Filtering and File Analysis

1 Introduction Requirements Architecture Feature List... 4

Region Configuration. Region Configuration Settings CHAPTER

Configuring OpenFlow 1

Application User Configuration

set active-probe (PfR)

SonicWALL Security Appliances. SonicWALL SSL-VPN 200 Getting Started Guide

Monitoring and Analysis

SecBlade Firewall Cards Attack Protection Configuration Example

Working with Reports

Realms and Identity Policies

External Alerting with Alert Responses

CS 356 Operating System Security. Fall 2013

Configuring Anomaly Detection

Configuring Anomaly Detection

Module 2: AlienVault USM Basic Configuration and Verifying Operations

Managing SonicWall Gateway Anti Virus Service

Realms and Identity Policies

Transcription:

The following topics describe how to globally limit intrusion event logging: Global Rule Thresholding Basics, page 1 Global Rule Thresholding Options, page 2 Configuring Global Thresholds, page 4 Disabling the Global Threshold, page 5 Global Rule Thresholding Basics The global rule threshold sets limits for event logging by an intrusion policy. You can set a global rule threshold across all traffic to limit how often the policy logs events from a specific source or destination and displays those events per specified time period. You can also set thresholds per shared object rule, standard text rule, or preprocessor rule in the policy. When you set a global threshold, that threshold applies for each rule in the policy that does not have an overriding specific threshold. Thresholds can prevent you from being overwhelmed with a large number of events. Every intrusion policy contains a default global rule threshold that applies by default to all intrusion rules and preprocessor rules. This default threshold limits the number of events on traffic going to a destination to one event per 60 seconds. You can: Change the global threshold. Disable the global threshold. Override the global threshold by setting individual thresholds for specific rules. For example, you might set a global limit threshold of five events every 60 seconds, but then set a specific threshold of ten events for every 60 seconds for SID 1315. All other rules generate no more than five events in each 60-second period, but the system generates up to ten events for each 60-second period for SID 1315. 1

Global Rule Thresholding Options Tip A global or individual threshold on a managed device with multiple CPUs may result in a higher number of events than expected. The following diagram demonstrates how the global rule thresholding works. In this example, an attack is in progress for a specific rule. The global limit threshold is set to limit event generation for each rule to two events every 20 seconds. Note that the period starts at one second and ends at 21 seconds. After the period ends, the cycle starts again and the next two rule matches generate events, then the system does not generate any more events during that period. Global Rule Thresholding Options Table 1: Thresholding Types The default threshold limits event generation for each rule to one event every 60 seconds on traffic going to the same destination. The default values for the global rule thresholding options are: Type Limit Track By Destination Count 1 Seconds 60 You can modify these default values as follows: Option Limit Description Logs and displays events for the specified number of packets (specified by the count argument) that trigger the rule during the specified time period. For example, if you set the type to Limit, the Count to 10, and the Seconds to 60, and 14 packets trigger the rule, the system stops logging events for the rule after displaying the first 10 that occur within the same minute. 2

Global Rule Thresholding Options Option Threshold Both Description Logs and displays a single event when the specified number of packets (specified by the count argument) trigger the rule during the specified time period. Note that the counter for the time restarts after you hit the threshold count of events and the system logs that event. For example, you set the type to Threshold, Count to 10, and Seconds to 60, and the rule triggers 10 times by second 33. The system generates one event, then resets the Seconds and Count counters to 0. The rule then triggers another 10 times in the next 25 seconds. Because the counters reset to 0 at second 33, the system logs another event. Logs and displays an event once per specified time period, after the specified number (count) of packets trigger the rule. For example, if you set the type to Both, Count to 2, and Seconds to 10, the following event counts result: If the rule is triggered once in 10 seconds, the system does not generate any events (the threshold is not met) If the rule is triggered twice in 10 seconds, the system generates one event (the threshold is met when the rule triggers the second time) If the rule is triggered four times in 10 seconds, the system generates one event (the threshold is met when the rule triggered the second time and following events are ignored) Table 2: Thresholding Instance/Time Options The Track By option determines whether the event instance count is calculated per source or destination IP address. You can also specify the number of instances and time period that define the threshold, as follows: Option Count Seconds Description For a Limit threshold, the number of event instances per specified time period per tracking IP address or address range required to meet the threshold. For a Threshold threshold, the number of rule matches you want to use as your threshold. For a Limit threshold, the number of seconds that make up the time period when attacks are tracked. For a Threshold threshold, the number of seconds that elapse before the count resets. If you set the threshold type to Limit, the tracking to Source, Count to 10, and Seconds to 10, the system logs and displays the first 10 events that occur in 10 seconds from a given source port. If only seven events occur in the first 10 seconds, the system logs and displays those, if 40 events occur in the first 10 seconds, the system logs and displays 10, then begins counting again when the 10-second time period elapses. Related Topics Configuring Global Thresholds, on page 4 Intrusion Event Thresholds 3

Configuring Global Thresholds Configuring Global Thresholds Smart License Classic License Supported Devices Supported Domains Access Threat Protection Admin/Intrusion Admin In a multidomain deployment, the system displays policies created in the current domain, which you can edit. It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created in a lower domain, switch to that domain. Procedure Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 Choose Policies > Access Control > Intrusion. Click the edit icon ( ) next to the policy you want to edit. If a view icon ( ) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. Click Advanced Settings in the navigation panel. If Global Rule Thresholding under Intrusion Rule Thresholds is disabled, click Enabled. Click the edit icon ( ) next to Global Rule Thresholding. Using the Type radio buttons, specify the type of threshold that will apply over the time you specify in the Seconds field. Using the Track By radio buttons, specify the tracking method. Enter a value in the Count field. Enter a value in the Seconds field. To save changes you made in this policy since the last policy commit, click Policy Information, then click Commit Changes. If you leave the policy without committing changes, changes since the last commit are discarded if you edit a different policy. What to Do Next Deploy configuration changes; see Deploy Configuration Changes. Related Topics Global Rule Thresholding Options, on page 2 Configuring Intrusion Rules in Layers Conflicts and Changes: Network Analysis and Intrusion Policies 4

Disabling the Global Threshold Disabling the Global Threshold Smart License Classic License Supported Devices Supported Domains Access Threat Protection Admin/Intrusion Admin You can disable global thresholding in the highest policy layer if you want to threshold events for specific rules rather than applying thresholding to every rule by default. In a multidomain deployment, the system displays policies created in the current domain, which you can edit. It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created in a lower domain, switch to that domain. Procedure Step 1 Step 2 Step 3 Step 4 Step 5 Choose Policies > Access Control > Intrusion Click the edit icon ( ) next to the policy you want to edit. If a view icon ( ) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. Click Advanced Settings in the navigation panel. Next to Global Rule Thresholding under Intrusion Rule Thresholds, click Disabled. To save changes you made in this policy since the last policy commit, click Policy Information, then click Commit Changes. If you leave the policy without committing changes, changes since the last commit are discarded if you edit a different policy. What to Do Next Deploy configuration changes; see Deploy Configuration Changes. Related Topics Conflicts and Changes: Network Analysis and Intrusion Policies Configuring Intrusion Rules in Layers 5

Disabling the Global Threshold 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback