Changing the Time-To-Live for Local Signature Rules

You can change the default behavior and time-to-live (TTL) value for locally generated signature rules.

The default behavior for locally generated signature rules is:

  • If the rule receives no hit within 24 hours from the time it was generated, then the rule expires after 24 hours.
  • If the rule receives a hit within 24 hours, then its TTL is extended for another 24 hours.

This functionality applies only to local-feed FireEye appliances. A local feed is a system-generated feed that is managed by the CM Series appliance; it is not a third-party feed or a DTI cloud feed.

The CM Series appliance controls the TTL settings for managed appliances.

The standalone appliance controls the TTL value for local signature rules.

To automatically extend local signature rules:

  1. Go to CLI configuration mode.
    hostname > enable
    hostname # configure terminal
  2. Enable automatic TTL extension for local signature rules.
    hostname (config) # localsig ttl auto-extend enable
  3. Save your changes.
    hostname (config) # write memory

To change the TTL value for local signature rules:

  1. Go to CLI configuration mode.
    hostname > enable
    hostname # configure terminal
  2. Set the TTL value for local signature rules to 100 hours.
    hostname (config) # localsig ttl hours 100
  3. Save your changes.
    hostname (config) # write memory