cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
535
Views
0
Helpful
1
Replies

Rule Updates Sourcefire Management Centres v5.3

Hi,

I have noticed that after a rule update, rules in "Drop and Generate Events" mode are added to the Base Intrusion Policy. In the case of an inline deployment this is not desired, thus tuning is required every time. Why does this happen? Is there any way to avoid it? 

In other words, it would be much more 'safer' if the added rules would be in 'Generate Events' mode only.

Thank you in advance for your time. 

 

Angeliki

Everyone's tags (4)
1 REPLY
Highlighted
Cisco Employee

Re: Rule Updates Sourcefire Management Centres v5.3

Hi

 

The basic idea here is that the rule update changes the default policies. Be it balance security and connectivity or connectivity and security and so on.

Cisco release rule updates with revisions of most common signatures which should always be in drop and generate and some in generate events while also some rules without any action depending upon the base policy.

If you are using balance security and connectivity, that would be most safe (and recommended) base policy. To answer your question, no rule update installation does apply on base policy which affects custom policy as well.

 

Hope it helps,

Yogesh

CreatePlease to create content
Ask the Expert- Webex Hybrid Services Solutions