Configuring Inline Normalization
|
This section applies to Snort 2 preprocessors. For information on Snort 3 inspectors, see https://www.cisco.com/go/snort3-inspectors. |
Before you begin
-
If you want to normalize or drop offending packets, enable Inline Mode as described in Preprocessor Traffic Modification in Inline Deployments. The managed device must also be deployed inline.
Procedure
| 1 |
Choose , and then click Network Analysis Policy or , and then click Network Analysis Policies.
|
||
| 2 |
Click Snort 2 Version next to the policy you want to edit. |
||
| 3 |
Click Edit ( If View ( |
||
| 4 |
Click Settings in the navigation panel (NOT the caret; click the word). |
||
| 5 |
If Inline Normalization under Transport/Network Layer Preprocessors is disabled, click Enabled. |
||
| 6 |
Click Edit ( |
||
| 7 |
Set the options described in The Inline Normalization Preprocessor. |
||
| 8 |
To save changes you made in this policy since the last policy commit, click Policy Information, then click Commit Changes. If you leave the policy without committing changes, cached changes since the last commit are discarded if you edit a different policy. |
) next to the policy you want to edit. 
) appears instead, the configuration belongs to an ancestor
domain, or you do not have permission to modify the
configuration.What to do next
-
If you want the inline normalization Minimum TTL option to generate intrusion events, enable either or both packet decoder rules 116:429 (IPv4) and 116:270 (IPv6). For more information, see Setting Intrusion Rule States, and Inline Normalization Options.
-
Deploy configuration changes.