Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
Chapter 37: Using the Sourcefire 3D System as a Compliance Tool
Working with White List Violations
Understanding the White List Violations Table
LICENSE: FireSIGHT
You can use the correlation policy feature to build correlation policies that let the
system respond in real time to threats on your network. Correlation policies
describe the type of activity that constitutes a policy violation, which includes
compliance white list violations. For more information on correlation policies, see
When a compliance white list is violated, the system records the violation. Note
that you cannot set event time constraints in the table view, because the table
view displays only the current host violations on your network. The fields in the
white list violations table are described in the
Compliance White List Violation Fields
Field / Description
Time
The date and time that the white list violation was detected.
IP Address
The relevant IP address of the non-compliant host.
Type
The type of white list violation, that is, whether the violation
occurred as a result of a non-compliant:
• operating system (os)
• application protocol (server)
• client (client)
• protocol (protocol)
• web application (web)
Information
Any available vendor, product, or version information associated
with the white list violation.
For example, if you have a white list that allows only Microsoft
Windows hosts, the Information field describes the operating
systems of the hosts that are not running Microsoft Windows.
For protocols that violate a white list, the Information field also
indicates whether the violation is due to a network or transport
protocol.
Port
The port, if any, associated with the event that triggered an
application protocol white list violation (a violation that occurred
as a result of a non-compliant application protocol). For other
types of white list violations, this field is blank.
Protocol
The protocol, if any, associated with the event that triggered an
application protocol white list violation (a violation that occurred
as a result of a non-compliant application protocol). For other
types of white list violations, this field is blank.
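The following script is an added illustration, not code from the Sourcefire 3D System or from this guide. It models how a compliance white list is evaluated against a host profile and how the resulting records map onto the table fields above: one record per non-compliant attribute, a Type value drawn from the five types listed, Port and Protocol filled only for application protocol (server) violations, and the Information field for protocol violations stating whether a network or transport protocol was involved. The WhiteList and Host classes, the evaluate_host function, and the sample white list and host are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Violation types exactly as the table lists them.
VIOLATION_TYPES = ("os", "server", "client", "protocol", "web")


@dataclass
class WhiteList:
    """Hypothetical compliance white list: what a compliant host may run."""
    allowed_os: Set[str]
    allowed_servers: Set[str]                 # application protocols
    allowed_clients: Set[str]
    allowed_protocols: Set[Tuple[str, str]]   # (layer, name), layer is "network" or "transport"
    allowed_web_apps: Set[str]


@dataclass
class Host:
    """Hypothetical host profile as the network map might hold it."""
    ip: str
    os: str
    servers: List[Tuple[str, int, str]]       # (application protocol, port, transport protocol)
    clients: List[str]
    protocols: List[Tuple[str, str]]          # (layer, name)
    web_apps: List[str]


@dataclass
class Violation:
    """One row of the white list violations table."""
    time: str
    ip_address: str
    type: str
    information: str
    port: Optional[int] = None          # blank unless type == "server"
    protocol: Optional[str] = None      # blank unless type == "server"


def evaluate_host(host: Host, white_list: WhiteList, now: str) -> List[Violation]:
    """Return the current violations for one host (no history, matching the table view)."""
    violations: List[Violation] = []
    if host.os not in white_list.allowed_os:
        # Information carries the OS the non-compliant host is actually running.
        violations.append(Violation(now, host.ip, "os", host.os))
    for app_proto, port, transport in host.servers:
        if app_proto not in white_list.allowed_servers:
            # Only server violations populate Port and Protocol.
            violations.append(Violation(now, host.ip, "server", app_proto, port, transport))
    for client in host.clients:
        if client not in white_list.allowed_clients:
            violations.append(Violation(now, host.ip, "client", client))
    for layer, name in host.protocols:
        if (layer, name) not in white_list.allowed_protocols:
            # Information says whether a network or transport protocol caused the violation.
            violations.append(Violation(now, host.ip, "protocol", f"{name} ({layer} protocol)"))
    for web_app in host.web_apps:
        if web_app not in white_list.allowed_web_apps:
            violations.append(Violation(now, host.ip, "web", web_app))
    assert all(v.type in VIOLATION_TYPES for v in violations)
    return violations


# Constructed sample data: a Windows-only white list and one Linux host that breaks it.
SAMPLE_TIME = "2014-05-01 12:00:00"
SAMPLE_WHITE_LIST = WhiteList(
    allowed_os={"Microsoft Windows"},
    allowed_servers={"http", "https"},
    allowed_clients={"Web browser"},
    allowed_protocols={("network", "ip"), ("transport", "tcp"), ("transport", "udp")},
    allowed_web_apps={"Outlook Web App"},
)
SAMPLE_HOST = Host(
    ip="192.0.2.10",
    os="Linux",
    servers=[("ssh", 22, "tcp"), ("http", 80, "tcp")],
    clients=["ssh client"],
    protocols=[("network", "ipv6"), ("transport", "tcp")],
    web_apps=["BitTorrent"],
)


def render_table(violations: List[Violation]) -> str:
    """Render rows in the order of the table columns; blank cells stay blank."""
    lines = ["Time | IP Address | Type | Information | Port | Protocol"]
    for v in violations:
        port = "" if v.port is None else str(v.port)
        proto = "" if v.protocol is None else v.protocol
        lines.append(f"{v.time} | {v.ip_address} | {v.type} | {v.information} | {port} | {proto}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(evaluate_host(SAMPLE_HOST, SAMPLE_WHITE_LIST, SAMPLE_TIME)))
```

Running the script prints five rows for the sample host: one each for the operating system, the ssh server (the only row with Port 22 and Protocol tcp), the ssh client, the ipv6 network protocol, and the BitTorrent web application; the compliant http server and tcp transport protocol produce no rows.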