Cisco Firepower Management Center 4000 Manual

Cisco Systems, Inc.
FireSIGHT System User Guide
Version 5.3.1
 
September 12, 2014
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
 

Summary of Contents of manual for Cisco Firepower Management Center 4000

  • Page 1 FireSIGHT System User Guide Version 5.3.1 September 12, 2014 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE...
  • Page 2THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH...
  • Page 3 CONTENTS CHAPTER 1 Introduction 1-1 FireSIGHT System Appliances 1-2 Series 2 Appliances 1-3 Series 3 Appliances 1-4 Virtual Appliances...
  • Page 4 Contents CHAPTER 3 Using Dashboards 3-1 Understanding Dashboard Widgets 3-4 Understanding Widget Availability 3-4 Understanding Widget Preferences 3-6 Understanding...
  • Page 5 Contents Setting the Context Explorer Time Range 4-33 Minimizing and Maximizing Context Explorer Sections 4-33 Drilling Down on Context...
  • Page 6 Contents Working with Security Zones 5-37 Working with Geolocation Objects 5-38 CHAPTER 6 Managing Devices 6-1 Management Concepts 6-2...
  • Page 7 Contents Switching the Active Peer in a Cluster 6-35 Placing a Clustered Device into Maintenance Mode 6-36 Replacing a...
  • Page 8 Contents Configuring Sourcefire Software for X-Series Interfaces 7-10 CHAPTER 8 Setting Up Virtual Switches 8-1 Configuring Switched Interfaces 8-1...
  • Page 9 Contents Understanding VPN Deployments 11-2 Understanding Point-to-Point VPN Deployments 11-2 Understanding Star VPN Deployments 11-3 Understanding Mesh VPN Deployments...
  • Page 10 Contents CHAPTER 13 Using Access Control Policies 13-1 Configuring Policies 13-3 Setting the Default Action 13-4 Logging Connections for...
  • Page 11 Contents Adding URL Conditions 14-27 Performing File and Intrusion Inspection on Allowed Traffic 14-31 Logging Connection, File, and Malware...
  • Page 12 Contents Searching for Connection and Security Intelligence Data 16-28 Viewing the Connection Summary Page 16-31 CHAPTER 17 Introduction to...
  • Page 13 Contents Deleting Events from the Clipboard 18-42 CHAPTER 19 Handling Incidents 19-1 Incident Handling Basics 19-1 Definition of an...
  • Page 14 Contents Setting Rule States 21-20 Filtering Intrusion Event Notification Per Policy 21-22 Configuring Event Thresholding 21-22 Configuring Suppression Per...
  • Page 15 Contents Understanding Rule Latency Thresholding 24-5 Setting Rule Latency Thresholding Options 24-7 Configuring Rule Latency Thresholding 24-8 Performance Statistics...
  • Page 16 Contents Selecting SIP Preprocessor Options 25-47 Configuring the SIP Preprocessor 25-49 Enabling Additional SIP Preprocessor Rules 25-50 Configuring the...
  • Page 17 Contents Understanding Packet Decoding 26-15 Configuring Packet Decoding 26-18 Using TCP Stream Preprocessing 26-19 Understanding State-Related TCP Exploits 26-20...
  • Page 18 Contents Searching for White List Violations 27-36 CHAPTER 28 Detecting Specific Threats 28-1 Detecting Back Orifice 28-1 Detecting Portscans...
  • Page 19 Contents Understanding Email Alerting 31-6 Configuring Email Alerting 31-8 CHAPTER 32 Understanding and Writing Intrusion Rules 32-1 Understanding Rule...
  • Page 20 Contents Deleting Custom Rules 32-102 Searching for Rules 32-103 Filtering Rules on the Rule Editor Page 32-105 Using Keywords...
  • Page 21 Contents Searching for Malware Events 34-21 Working with Captured Files 34-23 Viewing Captured Files 34-24 Understanding the Captured Files...
  • Page 22 Contents Working with the Mobile Devices Network Map 36-5 Working with the Applications Network Map 36-6 Working with the...
  • Page 23 Contents Setting the Vulnerability Impact Qualification 37-27 Downloading Patches for Vulnerabilities 37-28 Setting Vulnerabilities for Individual Hosts 37-29 Working...
  • Page 24 Contents Viewing Indications of Compromise 38-31 Understanding the Indications of Compromise Table 38-31 Searching for Indications of Compromise 38-32...
  • Page 25 Contents Constraining Correlation Rules Using Connection Data Over Time 39-20 Adding a User Qualification 39-30 Adding Snooze and Inactive...
  • Page 26 Contents Adding and Linking Conditions 40-13 Using Multiple Values in a Condition 40-16 Viewing Traffic Profiles 40-16 CHAPTER 41...
  • Page 27 Contents Importing Host Input Data 42-29 Enabling the Use of Third-Party Data 42-30 Managing Third-Party Product Mappings 42-30 Mapping...
  • Page 28 Contents Creating Report Templates from Existing Templates 44-9 Creating New Report Templates 44-12 Editing the Sections of a Report...
  • Page 29 Contents CHAPTER 47 Understanding and Using Workflows 47-1 Components of a Workflow 47-1 Comparing Predefined and Custom Workflows 47-3...
  • Page 30 Contents Viewing Custom Workflows 47-42 Editing Custom Workflows 47-43 Deleting Custom Workflows 47-44 CHAPTER 48 Managing Users 48-1 Understanding...
  • Page 31 Contents CHAPTER 49 Scheduling Tasks 49-1 Configuring a Recurring Task 49-2 Automating Backup Jobs 49-3 Automating Certificate Revocation List...
  • Page 32 Contents Configuring Authentication Profiles 50-11 Configuring Dashboard Settings 50-13 Configuring Database Event Limits 50-14 Configuring DNS Cache Properties 50-16...
  • Page 33 Contents CHAPTER 52 Licensing the FireSIGHT System 52-1 Understanding Licensing 52-1 License Types and Restrictions 52-2 Licensing High Availability...
  • Page 34 Contents CHAPTER 55 Using Health Monitoring 55-1 Understanding Health Monitoring 55-1 Understanding Health Policies 55-3 Understanding Health Modules 55-3...
  • Page 35 Contents Suppressing Audit Records 56-4 Understanding the Audit Log Table 56-7 Using the Audit Log to Examine Changes 56-7...
  • Page 36 Contents APPENDIX D Command Line Reference D-1 Basic CLI Commands D-2 configure password D-2 end D-2 exit D-3 help...
  • Page 37 Contents mpls-depth D-16 NAT D-16 netstat D-18 network D-18 network-modules D-19 ntp D-19 perfstats D-19 portstats D-20 power-supply-status D-20...
  • Page 38 Contents generate-troubleshoot D-39 ldapsearch D-40 lockdown-sensor D-40 nat rollback D-40 reboot D-41 restart D-41 shutdown D-41 APPENDIX E Security,...
  • Page 39: Introduction CHAPTER 1 Introduction The Cisco FireSIGHT® System combines the security of an industry-leading network...
  • Page 40 Chapter 1 Introduction FireSIGHT System Appliances FireSIGHT System Appliances A FireSIGHT System appliance is either a traffic-sensing managed device...
  • Page 41 Chapter 1 Introduction FireSIGHT System Appliances You can also deploy the following software-based appliances: • You can deploy 64-bit virtual...
  • Page 42 Chapter 1 Introduction FireSIGHT System Appliances Series 3 Appliances Series 3 is the third series of Cisco FirePOWER physical...
  • Page 43 Chapter 1 Introduction FireSIGHT System Appliances Cisco ASA with FirePOWER Services You can manage Cisco ASA with FirePOWER Services (ASA...
  • Page 44 Chapter 1 Introduction FireSIGHT System Appliances Table 1-1 Version 5.3.1 FireSIGHT System Appliances (continued) Models/Family Series Form Type Series...
  • Page 45 Chapter 1 Introduction FireSIGHT System Appliances Table 1-2 Supported Capabilities by Defense Center Model Series 2 Series 3 Virtual...
  • Page 46 Chapter 1 Introduction FireSIGHT System Appliances Table 1-2 Supported Capabilities by Defense Center Model (continued) Series 2 Series 3...
  • Page 47 Chapter 1 Introduction FireSIGHT System Components Table 1-3 Supported Capabilities by Managed Device Model (continued) Series 2 Series 3...
  • Page 48 Chapter 1 Introduction FireSIGHT System Components Redundancy and Resource Sharing The redundancy and resource-sharing features of the FireSIGHT System...
  • Page 49 Chapter 1 Introduction FireSIGHT System Components Routing You can configure the FireSIGHT System in a Layer 3 deployment so that...
  • Page 50 Chapter 1 Introduction FireSIGHT System Components You can include access control rules in an access control policy to further...
  • Page 51 Chapter 1 Introduction FireSIGHT System Components Regardless of whether you store a detected file, you can submit it to the...
  • Page 52 Chapter 1 Introduction Documentation Resources eStreamer integration requires custom programming, but allows you to request specific data from an...
  • Page 53 Chapter 1 Introduction Documentation Conventions • the FireSIGHT System Virtual Installation Guide, which includes information about installing, managing, and troubleshooting...
  • Page 54 Chapter 1 Introduction Documentation Conventions Malware A Malware license allows managed devices to perform network-based advanced malware protection (AMP),...
  • Page 55 Chapter 1 Introduction IP Address Conventions Table 1-4 Access Conventions (continued) Access Term Indicates Any Security Analyst User can have...
  • Page 56 Chapter 1 Introduction IP Address Conventions FireSIGHT System User Guide 1-18
  • Page 57: Logging into the FireSIGHT System CHAPTER 2 Logging into the FireSIGHT System This chapter details the steps you must...
  • Page 58 Chapter 2 Logging into the FireSIGHT System Logging into the Appliance Note Because FirePOWER appliances audit user activity based...
  • Page 59 Chapter 2 Logging into the FireSIGHT System Logging into the Appliance to Set Up an Account The menus and menu...
  • Page 60 Chapter 2 Logging into the FireSIGHT System Logging Out of the Appliance Shell users can log in using user...
  • Page 61 Chapter 2 Logging into the FireSIGHT System Using the Context Menu When you are no longer actively using the web...
  • Page 62 Chapter 2 Logging into the FireSIGHT System Using the Context Menu Event Viewer Event pages (drill-down pages and table...
  • Page 63: Using Dashboards CHAPTER 3 Using Dashboards The FireSIGHT System dashboard provides you with at-a-glance views of...
  • Page 64 Chapter 3 Using Dashboards Note that the data displayed depends on such factors as how you license and deploy...
  • Page 65 Chapter 3 Using Dashboards You can use the predefined dashboards, modify the predefined dashboards, or create a custom dashboard to...
  • Page 66 Chapter 3 Using Dashboards Understanding Dashboard Widgets • Understanding the Predefined Widgets, page 3-7 • Working with Dashboards, page...
  • Page 67 Chapter 3 Using Dashboards Understanding Dashboard Widgets For example, the Current Sessions widget is available on all appliances, but only...
  • Page 68 Chapter 3 Using Dashboards Understanding Dashboard Widgets The following table lists the user account privileges required to view each...
  • Page 69 Chapter 3 Using Dashboards Understanding the Predefined Widgets Step 2 Make changes as needed. Your changes take effect immediately. For...
  • Page 70 Chapter 3 Using Dashboards Understanding the Predefined Widgets The Appliance Information widget provides a snapshot of the appliance. It...
  • Page 71 Chapter 3 Using Dashboards Understanding the Predefined Widgets You can configure the widget to display appliance status as a pie...
  • Page 72 Chapter 3 Using Dashboards Understanding the Predefined Widgets Understanding the Current Interface Status Widget License: Any The Current Interface...
  • Page 73 Chapter 3 Using Dashboards Understanding the Predefined Widgets • click the host icon ( ) or compromised host icon (...
  • Page 74 Chapter 3 Using Dashboards Understanding the Predefined Widgets Optionally, you can further constrain the widget using a saved search,...
  • Page 75 Chapter 3 Using Dashboards Understanding the Predefined Widgets • The down arrow icon ( ) indicates that the event has...
  • Page 76 Chapter 3 Using Dashboards Understanding the Predefined Widgets From Custom Analysis widgets, you can invoke event views (that is,...
  • Page 77 Chapter 3 Using Dashboards Understanding the Predefined Widgets Table 3-4 Custom Analysis Widget Preferences (continued) Use this preference... To control......
  • Page 78 Chapter 3 Using Dashboards Understanding the Predefined Widgets . Table 3-5 Custom Analysis Widget Presets Preset Description Predefined Dashboards...
  • Page 79 Chapter 3 Using Dashboards Understanding the Predefined Widgets Table 3-5 Custom Analysis Widget Presets (continued) Preset Description Predefined Dashboards...
  • Page 80 Chapter 3 Using Dashboards Understanding the Predefined Widgets Table 3-5 Custom Analysis Widget Presets (continued) Preset Description Predefined Dashboards...
  • Page 81 Chapter 3 Using Dashboards Understanding the Predefined Widgets Table 3-5 Custom Analysis Widget Presets (continued) Preset Description Predefined Dashboards...
  • Page 82 Chapter 3 Using Dashboards Understanding the Predefined Widgets Table 3-5 Custom Analysis Widget Presets (continued) Preset Description Predefined Dashboards...
  • Page 83 Chapter 3 Using Dashboards Understanding the Predefined Widgets Table 3-5 Custom Analysis Widget Presets (continued) Preset Description Predefined Dashboards...
  • Page 84 Chapter 3 Using Dashboards Understanding the Predefined Widgets Table 3-5 Custom Analysis Widget Presets (continued) Preset Description Predefined Dashboards...
  • Page 85 Chapter 3 Using Dashboards Understanding the Predefined Widgets Table 3-5 Custom Analysis Widget Presets (continued) Preset Description Predefined Dashboards...
  • Page 86 Chapter 3 Using Dashboards Understanding the Predefined Widgets For more information on time windows, see Default Time Windows, page...
  • Page 87 Chapter 3 Using Dashboards Understanding the Predefined Widgets Custom Analysis Widget Limitations License: Any There are some important points to...
  • Page 88 Chapter 3 Using Dashboards Understanding the Predefined Widgets Table 3-6 Disk Usage Categories (continued) Disk Usage Category Description Other...
  • Page 89 Chapter 3 Using Dashboards Understanding the Predefined Widgets Understanding the Intrusion Events Widget License: Protection The Intrusion Events widget shows...
  • Page 90 Chapter 3 Using Dashboards Understanding the Predefined Widgets The preferences also control how often the widget updates. For more...
  • Page 91 Chapter 3 Using Dashboards Understanding the Predefined Widgets You can also use the widget preferences to specify which of three...
  • Page 92 Chapter 3 Using Dashboards Understanding the Predefined Widgets Understanding the Product Licensing Widget License: Any The Product Licensing widget...
  • Page 93 Chapter 3 Using Dashboards Understanding the Predefined Widgets You can configure the widget to hide the latest versions by modifying...
  • Page 94 Chapter 3 Using Dashboards Understanding the Predefined Widgets Feeds update every 24 hours (although you can manually update the...
  • Page 95 Chapter 3 Using Dashboards Understanding the Predefined Widgets Understanding the System Time Widget License: Any The System Time widget shows...
  • Page 96 Chapter 3 Using Dashboards Working with Dashboards • select one or more Priorities check boxes to display separate graphs...
  • Page 97 Chapter 3 Using Dashboards Working with Dashboards the interval you specify and displays your changes without you having to manually...
  • Page 98 Chapter 3 Using Dashboards Working with Dashboards Your dashboard is created and appears in the web interface. You can...
  • Page 99 Chapter 3 Using Dashboards Working with Dashboards more information, see Managing User Login Settings, page 48-45 and Configuring User Interface...
  • Page 100 Chapter 3 Using Dashboards Working with Dashboards Each tab can display one or more widgets in a three-column layout....
  • Page 101 Chapter 3 Using Dashboards Working with Dashboards The dashboard is changed. Adding Tabs License: Any Use the following procedure to...
  • Page 102 Chapter 3 Using Dashboards Working with Dashboards To rename a tab: Access: Admin/Any Security Analyst/Maint Step 1 View the...
  • Page 103 Chapter 3 Using Dashboards Working with Dashboards Step 5 Optionally, when you are finished adding widgets, click Done to return...
  • Page 104 Chapter 3 Using Dashboards Working with Dashboards Step 2 Confirm that you want to delete the widget. The widget...
  • Page 105: Using the Context Explorer CHAPTER 4 Using the Context Explorer The FireSIGHT System Context Explorer displays detailed, interactive...
  • Page 106 Chapter 4 Using the Context Explorer Understanding the Context Explorer Table 4-1 Comparison: Dashboard and Context Explorer Feature Dashboard...
  • Page 107 Chapter 4 Using the Context Explorer Understanding the Context Explorer • Understanding the Files Information Section, page 4-20 • Understanding...
  • Page 108 Chapter 4 Using the Context Explorer Understanding the Context Explorer This section draws data primarily from the Intrusion Events...
  • Page 109 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph to...
  • Page 110 Chapter 4 Using the Context Explorer Understanding the Context Explorer Viewing the Operating Systems Graph License: FireSIGHT The Operating...
  • Page 111 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph to...
  • Page 112 Chapter 4 Using the Context Explorer Understanding the Context Explorer Note If you filter on intrusion event information, the...
  • Page 113 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph to...
  • Page 114 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph...
  • Page 115 Chapter 4 Using the Context Explorer Understanding the Context Explorer To configure the Application Information section focus: Access: Admin/Any Security...
  • Page 116 Chapter 4 Using the Context Explorer Understanding the Context Explorer Tip To constrain the graph so it displays traffic...
  • Page 117 Chapter 4 Using the Context Explorer Understanding the Context Explorer Viewing the Hosts by Risk/Business Relevance and Application Graph License:...
  • Page 118 Chapter 4 Using the Context Explorer Understanding the Context Explorer Understanding the Security Intelligence Section License: Protection Supported Devices:...
  • Page 119 Chapter 4 Using the Context Explorer Understanding the Context Explorer This graph draws data primarily from the Security Intelligence Events...
  • Page 120 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph...
  • Page 121 Chapter 4 Using the Context Explorer Understanding the Context Explorer The Intrusion Events by Impact graph, in pie form, displays...
  • Page 122 Chapter 4 Using the Context Explorer Understanding the Context Explorer Viewing the Top Users Graph License: Protection The Top...
  • Page 123 Chapter 4 Using the Context Explorer Understanding the Context Explorer Viewing the Top Targets Graph License: Protection The Top Targets...
  • Page 124 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph...
  • Page 125 Chapter 4 Using the Context Explorer Understanding the Context Explorer • Viewing the Top Malware Detections Graph, page 4-25 Viewing...
  • Page 126 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph...
  • Page 127 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph to...
  • Page 128 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph...
  • Page 129 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph to...
  • Page 130 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph...
  • Page 131 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph to...
  • Page 132 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph...
  • Page 133 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph to...
  • Page 134 Chapter 4 Using the Context Explorer Understanding the Context Explorer Viewing the Traffic by URL Graph License: FireSIGHT or...
  • Page 135 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph to...
  • Page 136 Chapter 4 Using the Context Explorer Understanding the Context Explorer Hover your pointer over any part of the graph...
  • Page 137 Chapter 4 Using the Context Explorer Understanding the Context Explorer Setting the Context Explorer Time Range License: FireSIGHT You can...
  • Page 138 Chapter 4 Using the Context Explorer Understanding the Context Explorer Drilling Down on Context Explorer Data License: feature dependent...
  • Page 139 Chapter 4 Using the Context Explorer Working with Filters in the Context Explorer • If you selected a data point...
  • Page 140 Chapter 4 Using the Context Explorer Working with Filters in the Context Explorer • from the Context Explorer icon...
  • Page 141 Chapter 4 Using the Context Explorer Working with Filters in the Context Explorer Table 4-2 Filter Data Types (continued)...
  • Page 142 Chapter 4 Using the Context Explorer Working with Filters in the Context Explorer Because you may want to configure...
  • Page 143 Chapter 4 Using the Context Explorer Working with Filters in the Context Explorer To clear all filters: Access: Admin/Any Security...
  • Page 144 Chapter 4 Using the Context Explorer Working with Filters in the Context Explorer A new window opens with the...
  • Page 145: Managing Reusable Objects CHAPTER 5 Managing Reusable Objects For increased flexibility and web interface ease-of-use, the FireSIGHT...
  • Page 146 Chapter 5 Managing Reusable Objects Using the Object Manager Create and manage objects, including application filters, variable sets, and...
  • Page 147 Chapter 5 Managing Reusable Objects Working with Network Objects Browsing, Sorting, and Filtering Objects License: Any The object manager displays...
  • Page 148 Chapter 5 Managing Reusable Objects Working with Security Intelligence Lists and Feeds The Network Objects pop-up window appears. Step...
  • Page 149 Chapter 5 Managing Reusable Objects Working with Security Intelligence Lists and Feeds A Security Intelligence list, contrasted with a feed,...
  • Page 150 Chapter 5 Managing Reusable Objects Working with Security Intelligence Lists and Feeds Table 5-1 Security Intelligence Object Capabilities Intelligence...
  • Page 151 Chapter 5 Managing Reusable Objects Working with Security Intelligence Lists and Feeds also be ignored. If you want to monitor...
  • Page 152 Chapter 5 Managing Reusable Objects Working with Security Intelligence Lists and Feeds Working with the Intelligence Feed License: Protection...
  • Page 153 Chapter 5 Managing Reusable Objects Working with Security Intelligence Lists and Feeds To configure a Security Intelligence feed: Access: Admin/Intrusion...
  • Page 154 Chapter 5 Managing Reusable Objects Working with Security Intelligence Lists and Feeds A Security Intelligence list is a simple...
  • Page 155 Chapter 5 Managing Reusable Objects Working with Port Objects Step 2 If you need a copy of the list to...
  • Page 156 Chapter 5 Managing Reusable Objects Working with VLAN Tag Objects Step 3 Click Add Port. The Port Objects pop-up...
  • Page 157 Chapter 5 Managing Reusable Objects Working with URL Objects Step 5 In the VLAN Tag field, type a value for...
  • Page 158 Chapter 5 Managing Reusable Objects Working with Application Filters Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER When the...
  • Page 159 Chapter 5 Managing Reusable Objects Working with Application Filters Tip Click an information icon ( ) for more information about...
  • Page 160 Chapter 5 Managing Reusable Objects Working with Variable Sets • Use Shift and Ctrl keys to select multiple individual...
  • Page 161 Chapter 5 Managing Reusable Objects Working with Variable Sets • Optimizing Predefined Default Variables, page 5-17 • Understanding Variable...
  • Page 162 Chapter 5 Managing Reusable Objects Working with Variable Sets Table 5-2 Variables Provided by Cisco (continued) Variable Name Description...
  • Page 163 Chapter 5 Managing Reusable Objects Working with Variable Sets Table 5-2 Variables Provided by Cisco (continued) Variable Name Description...
  • Page 164 Chapter 5 Managing Reusable Objects Working with Variable Sets Optionally, you can customize the value of Var1 in any...
  • Page 165 Chapter 5 Managing Reusable Objects Working with Variable Sets In the next example, you add Var1 with the value...
  • Page 166 Chapter 5 Managing Reusable Objects Working with Variable Sets Table 5-3 Variable Set Management Actions (continued) To... You can......
  • Page 167 Chapter 5 Managing Reusable Objects Working with Variable Sets You can add and delete your own variables, customize their...
  • Page 168 Chapter 5 Managing Reusable Objects Working with Variable Sets The new or edit variable set page appears. Step 4...
  • Page 169 Chapter 5 Managing Reusable Objects Working with Variable Sets When you specify whether you want to add a network...
  • Page 170 Chapter 5 Managing Reusable Objects Working with Variable Sets Table 5-5 Variable Edit Actions (continued) To... You can... add...
  • Page 171 Chapter 5 Managing Reusable Objects Working with Variable Sets Step 6 Optionally, move items from the list of available networks...
  • Page 172 Chapter 5 Managing Reusable Objects Working with Variable Sets • dynamic rule states The Network field in source or...
  • Page 173 Chapter 5 Managing Reusable Objects Working with Variable Sets • Excluded values must resolve to a subset of included values....
  • Page 174 Chapter 5 Managing Reusable Objects Working with Variable Sets • Adding ports to the excluded list negates the specified...
  • Page 175 Chapter 5 Managing Reusable Objects Working with Variable Sets When you modify a custom variable set used by an intrusion...
  • Page 176 Chapter 5 Managing Reusable Objects Working with File Lists Working with File Lists License: Malware Supported Devices: Series 3,...
  • Page 177 Chapter 5 Managing Reusable Objects Working with File Lists • Uploading an Individual File to a File List, page 5-34...
  • Page 178 Chapter 5 Managing Reusable Objects Working with File Lists Step 3 Click the edit icon ( ) next to...
  • Page 179 Chapter 5 Managing Reusable Objects Working with File Lists Adding a SHA-256 Value to the File List License: Malware Supported...
  • Page 180 Chapter 5 Managing Reusable Objects Working with File Lists The File List pop-up window appears. Step 2 Next to...
  • Page 181 Chapter 5 Managing Reusable Objects Working with Security Zones Working with Security Zones License: Any Supported Devices: Any A security...
  • Page 182 Chapter 5 Managing Reusable Objects Working with Geolocation Objects Step 3 Click Add Security Zone. The Security Zones pop-up...
  • Page 183 Chapter 5 Managing Reusable Objects Working with Geolocation Objects The Geolocation Objects page appears. Step 3 Click Add Geolocation. The...
  • Page 184 Chapter 5 Managing Reusable Objects Working with Geolocation Objects FireSIGHT System User Guide 5-40
  • Page 185: Managing Devices CHAPTER 6 Managing Devices The Defense Center is a key component in the FireSIGHT...
  • Page 186 Chapter 6 Managing Devices Management Concepts • Configuring Sensing Interfaces, page 6-59 explains how to configure interfaces on your...
  • Page 187 Chapter 6 Managing Devices Working in NAT Environments Beyond Policies and Events License: Any In addition to applying policies to...
  • Page 188 Chapter 6 Managing Devices Configuring High Availability The following diagram shows a Defense Center managing two devices in a...
  • Page 189 Chapter 6 Managing Devices Configuring High Availability • Monitoring and Changing High Availability Status, page 6-15 explains how to check...
  • Page 190 Chapter 6 Managing Devices Configuring High Availability To ensure continuity of operations, both Defense Centers in a high availability...
  • Page 191 Chapter 6 Managing Devices Configuring High Availability • change reconciliation snapshots and report settings • intrusion rule, geolocation database (GeoDB),...
  • Page 192 Chapter 6 Managing Devices Configuring High Availability Licenses License: Any Supported Defense Centers: DC1000, DC1500, DC3000, DC3500 Defense Centers...
  • Page 193 Chapter 6 Managing Devices Configuring High Availability Primary and Secondary Defense Center Requirements You must designate one Defense Center as...
  • Page 194 Chapter 6 Managing Devices Configuring High Availability If one of the Defense Centers in the high availability pair must...
  • Page 195 Chapter 6 Managing Devices Configuring High Availability Step 15 If you used a unique NAT ID on the secondary Defense...
  • Page 196 Chapter 6 Managing Devices Configuring High Availability • the software version • the operating system • the length of...
  • Page 197 Chapter 6 Managing Devices Configuring High Availability Step 3 Click High Availability. The High Availability page appears. Step 4 Select...
  • Page 198 Chapter 6 Managing Devices Working with Devices Step 1 Click Peer Manager. The Peer Manager page appears. Step 2...
  • Page 199 Chapter 6 Managing Devices Working with Devices • System Policy; see Managing System Policies, page 50-1 for more information •...
  • Page 200 Chapter 6 Managing Devices Working with Devices You can select an access control policy to apply to a device...
  • Page 201 Chapter 6 Managing Devices Working with Devices Step 5 In the Registration Key field, type the same registration key that...
  • Page 202 Chapter 6 Managing Devices Working with Devices Note that if you edit interfaces and reapply a device policy, Snort...
  • Page 203 Chapter 6 Managing Devices Configuring Remote Management Step 4 Click Previous and Next to scroll through the differences between the...
  • Page 204 Chapter 6 Managing Devices Configuring Remote Management To enable communications between two appliances, you must provide a way for...
  • Page 205 Chapter 6 Managing Devices Configuring Remote Management Step 5 For NAT environments, in the Unique NAT ID field, type a...
  • Page 206 Chapter 6 Managing Devices Managing Device Groups Changing the Management Port License: Any FireSIGHT System appliances communicate using a...
  • Page 207 Chapter 6 Managing Devices Managing Device Groups The following procedure explains how to add a device group so you can...
  • Page 208 Chapter 6 Managing Devices Clustering Devices Step 7 Click OK. The changes to the device group are saved. Deleting...
  • Page 209 Chapter 6 Managing Devices Clustering Devices Caution Do not attempt to install a hard drive that was not supplied by...
  • Page 210 Chapter 6 Managing Devices Clustering Devices Inline Deployment Redundancy Because an inline set has no control over the routing...
  • Page 211 Chapter 6 Managing Devices Clustering Devices Establishing Device Clusters License: Control Supported Devices: Series 3 Before you establish a device...
  • Page 212 Chapter 6 Managing Devices Clustering Devices After you establish a device cluster, you can configure a high availability link...
  • Page 213 Chapter 6 Managing Devices Clustering Devices Step 3 Use the sections on the Cluster page to make changes to the...
  • Page 214 Chapter 6 Managing Devices Clustering Devices Step 1 Select Devices > Device Management. The Device Management page appears. Step...
  • Page 215 Chapter 6 Managing Devices Clustering Devices Step 5 Configure interfaces as you would on an individual device. See Configuring Sensing...
  • Page 216 Chapter 6 Managing Devices Clustering Devices Step 3 Click Yes to confirm maintenance mode or click No to cancel....
  • Page 217 Chapter 6 Managing Devices Clustering Devices • Blocking persistence Note, however, that enabling state sharing slows system performance. You must...
  • Page 218 Chapter 6 Managing Devices Clustering Devices Note Cisco recommends that you use the default values, unless your deployment presents...
  • Page 219 Chapter 6 Managing Devices Clustering Devices For troubleshooting, you should view both the messages received and the messages sent, compare...
  • Page 220 Chapter 6 Managing Devices Clustering Devices Contact Support if the messages sent increment at a similar rate to the...
  • Page 221 Chapter 6 Managing Devices Managing Stacked Devices The Cluster page for the device cluster appears. Step 3 In the State...
  • Page 222 Chapter 6 Managing Devices Managing Stacked Devices For Series 2 and the 81xx Family: • two 3D8140s • two...
  • Page 223 Chapter 6 Managing Devices Managing Stacked Devices If a secondary device fails, the primary device continues to sense traffic, generate...
  • Page 224 Chapter 6 Managing Devices Managing Stacked Devices • add secondary devices to an existing stack of two or three...
  • Page 225 Chapter 6 Managing Devices Managing Stacked Devices Editing Device Stacks License: Any Supported Devices: 3D8140, 3D8200 family, 3D8300 family, 3D9900...
  • Page 226 Chapter 6 Managing Devices Managing Stacked Devices Step 1 Select Devices > Device Management. The Device Management page appears....
  • Page 227 Chapter 6 Managing Devices Editing Device Configuration If you no longer need to use a stacked configuration for your devices,...
  • Page 228 Chapter 6 Managing Devices Editing Device Configuration Step 1 Select Devices > Device Management. The Device Management page appears....
  • Page 229 Chapter 6 Managing Devices Editing Device Configuration Step 1 Select Devices > Device Management. The Device Management page appears. Step...
  • Page 230 Chapter 6 Managing Devices Editing Device Configuration To shut down and restart a managed device: Access: Admin/Network Admin Step...
  • Page 231 Chapter 6 Managing Devices Editing Device Configuration Table 6-3 Management Section Table Fields Field Description Host The current management hostname...
  • Page 232 Chapter 6 Managing Devices Editing Device Configuration Understanding Advanced Device Settings License: Any Supported Devices: feature dependent The Advanced...
  • Page 233 Chapter 6 Managing Devices Editing Device Configuration Typically, you use Rule Latency Thresholding in the intrusion policy to fast-path packets...
  • Page 234 Chapter 6 Managing Devices Editing Device Configuration Step 6 When you select the Automatic Application Bypass option, you can...
  • Page 235 Chapter 6 Managing Devices Editing Device Configuration To build or edit IPv4 fast-path rules: Access: Admin/Network Admin Step 1 Select...
  • Page 236 Chapter 6 Managing Devices Editing Device Configuration Adding IPv6 Fast-Path Rules License: Any Supported Devices: Series 3, 3D9900 Fast-path...
  • Page 237 Chapter 6 Managing Devices Editing Device Configuration Step 9 Optionally, if you chose the TCP or UDP protocol in step...
  • Page 238 Chapter 6 Managing Devices Configuring Interfaces Your changes are saved. Note that your changes do not take effect until...
  • Page 239 Chapter 6 Managing Devices Configuring Interfaces Table 6-6 Interfaces Table View Fields Field Description Link The current link state of...
  • Page 240 Chapter 6 Managing Devices Configuring Interfaces See the following sections for details on the different ways you can configure...
  • Page 241 Chapter 6 Managing Devices Configuring Interfaces The range within which you can set the MTU can vary depending on the...
  • Page 242 Chapter 6 Managing Devices Configuring Interfaces Step 8 In the MTU field, type a maximum transmission unit (MTU), which...
  • Page 243 Chapter 6 Managing Devices Configuring Interfaces Supported Devices: ASA FirePOWER When editing an ASA FirePOWER interface, you can configure only...
  • Page 244 Chapter 6 Managing Devices Configuring Interfaces Step 3 Next to the interface you want to disable, click the edit...
  • Page 245: Setting Up an IPS Device CHAPTER 7 Setting Up an IPS Device You can configure your device in either...
  • Page 246 Chapter 7 Setting Up an IPS Device Configuring Passive Interfaces Interfaces, page 7-10. Caution Changing the maximum transmission unit...
  • Page 247 Chapter 7 Setting Up an IPS Device Understanding Inline IPS Deployments Understanding Inline IPS Deployments License: Protection In an inline...
  • Page 248 Chapter 7 Setting Up an IPS Device Configuring Inline Sets Step 7 Select the Enabled check box to allow...
  • Page 249 Chapter 7 Setting Up an IPS Device Configuring Inline Sets Table 7-1 Inline Sets Table View Fields Field Description Name...
  • Page 250 Chapter 7 Setting Up an IPS Device Configuring Inline Sets Your network may be set up to route traffic...
  • Page 251 Chapter 7 Setting Up an IPS Device Configuring Inline Sets Step 8 Optionally, select Failsafe to specify that traffic is...
  • Page 252 Chapter 7 Setting Up an IPS Device Configuring Inline Sets Note that you cannot enable this option and strict...
  • Page 253 Chapter 7 Setting Up an IPS Device Configuring Inline Sets Step 2 Next to the device where you want to...
  • Page 254 Chapter 7 Setting Up an IPS Device Configuring Sourcefire Software for X-Series Interfaces Step 1 Open a terminal window...
  • Page 255 Chapter 7 Setting Up an IPS Device Configuring Sourcefire Software for X-Series Interfaces You cannot reconfigure Sourcefire Software for X-Series...
  • Page 256 Chapter 7 Setting Up an IPS Device Configuring Sourcefire Software for X-Series Interfaces FireSIGHT System User Guide 7-12
  • Page 257: Setting Up Virtual Switches CHAPTER 8 Setting Up Virtual Switches You can configure a managed device in a...
  • Page 258 Chapter 8 Setting Up Virtual Switches Configuring Switched Interfaces You can set up switched interfaces to have either physical...
  • Page 259 Chapter 8 Setting Up Virtual Switches Configuring Switched Interfaces Step 6 Optionally, from the Virtual Switch drop-down list, select an...
  • Page 260 Chapter 8 Setting Up Virtual Switches Configuring Switched Interfaces Step 1 Select Devices > Device Management. The Device Management...
  • Page 261 Chapter 8 Setting Up Virtual Switches Configuring Virtual Switches Step 2 Select the managed device that contains the switched interface...
  • Page 262 Chapter 8 Setting Up Virtual Switches Configuring Virtual Switches Table 8-1 Virtual Switches Table View Fields (continued) Field Description...
  • Page 263 Chapter 8 Setting Up Virtual Switches Configuring Virtual Switches Tip Interfaces that you have disabled from the Interfaces tab are...
  • Page 264 Chapter 8 Setting Up Virtual Switches Configuring Virtual Switches • non-SYN-ACK/RST packets from the responder on a TCP connection...
  • Page 265 Chapter 8 Setting Up Virtual Switches Configuring Virtual Switches Step 13 Click Save. Your changes are saved. Note that your...
  • Page 266 Chapter 8 Setting Up Virtual Switches Configuring Virtual Switches FireSIGHT System User Guide 8-10
  • Page 267: Setting Up Virtual Routers CHAPTER 9 Setting Up Virtual Routers You can configure a managed device in a...
  • Page 268 Chapter 9 Setting Up Virtual Routers Configuring Routed Interfaces The system handles traffic that has been received with VLAN...
  • Page 269 Chapter 9 Setting Up Virtual Routers Configuring Routed Interfaces The Edit Interface pop-up window appears. Step 4 Click Routed to...
  • Page 270 Chapter 9 Setting Up Virtual Routers Configuring Routed Interfaces The IP address is added. To edit an IP address,...
  • Page 271 Chapter 9 Setting Up Virtual Routers Configuring Routed Interfaces To add a logical routed interface: Access: Admin/Network Admin Step 1...
  • Page 272 Chapter 9 Setting Up Virtual Routers Configuring Routed Interfaces Step 17 Click OK. The IP address is added. To...
  • Page 273 Chapter 9 Setting Up Virtual Routers Configuring Routed Interfaces The interface is deleted. Note that your changes do not take...
  • Page 274 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers Step 6 For Type, select SFRP to display the SFRP...
  • Page 275 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers Table 9-1 Virtual Routers Table View Fields Field Description Name The...
  • Page 276 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers • Setting Up Virtual Router Filters, page 9-28 • Adding...
  • Page 277 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers DHCP provides configuration parameters to Internet hosts. A DHCP client that...
  • Page 278 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers Setting Up DHCPv6 Relay License: Control Supported Devices: Series 3...
  • Page 279 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers Static routing allows you to write rules about the IP addresses...
  • Page 280 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers Step 2 Next to the device where you want to...
  • Page 281 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers See the following sections for more information: • Setting Up RIP...
  • Page 282 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers The Add an Interface pop-up window appears. Step 8 From...
  • Page 283 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers Step 7 Under Authentication, use the Profile drop-down list to select...
  • Page 284 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers • Always — always honor requests • Neighbor — only...
  • Page 285 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers Tip To change the order of the import filters, click the...
  • Page 286 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers Step 11 Click Save. Your changes are saved. Note that...
  • Page 287 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers To add an OSPF area: Access: Admin/Network Admin Step 1 Select...
  • Page 288 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers Tip To edit a network, click the edit icon (...
  • Page 289 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers Priority Enter a numerical value that specifies the priority value used...
  • Page 290 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers The Device Management page appears. Step 2 Next to the...
  • Page 291 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers All areas in an OSPF autonomous system must be physically connected...
  • Page 292 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers The OSPF area is saved. Step 19 Click Save. Your...
  • Page 293 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers Your changes are saved. Note that your changes do not take...
  • Page 294 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers Setting Up Virtual Router Filters License: Control Supported Devices: Series...
  • Page 295 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers Step 1 Select Devices > Device Management. The Device Management page...
  • Page 296 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers Your changes are saved. Note that your changes do not...
  • Page 297 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers The authentication profile is added. Step 12 Click Save. Your changes...
  • Page 298 Chapter 9 Setting Up Virtual Routers Configuring Virtual Routers The Interfaces tab for that device appears. Step 3 Click...
  • Page 299: Setting Up Hybrid Interfaces CHAPTER 10 Setting Up Hybrid Interfaces You can configure logical hybrid interfaces on managed...
  • Page 300 Chapter 10 Setting Up Hybrid Interfaces Adding Logical Hybrid Interfaces To edit an existing hybrid interface, click the edit...
  • Page 301 Chapter 10 Setting Up Hybrid Interfaces Adding Logical Hybrid Interfaces Step 15 For Type, select either Normal or SFRP. For...
  • Page 302 Chapter 10 Setting Up Hybrid Interfaces Adding Logical Hybrid Interfaces The interface is deleted. Note that your changes do...
  • Page 303: Using Gateway VPNs CHAPTER 11 Using Gateway VPNs A virtual private network (VPN) is a network connection...
  • Page 304 Chapter 11 Using Gateway VPNs Understanding VPN Deployments Security associations (SA) establish shared security attributes between two devices and...
  • Page 305 Chapter 11 Using Gateway VPNs Understanding VPN Deployments See Configuring Point-to-Point VPN Deployments, page 11-6 for more information. Understanding Star...
  • Page 306 Chapter 11 Using Gateway VPNs Understanding VPN Deployments See Configuring Star VPN Deployments, page 11-9 for more information. Understanding...
  • Page 307 Chapter 11 Using Gateway VPNs Managing VPN Deployments See Configuring Mesh VPN Deployments, page 11-11 for more information. Managing VPN...
  • Page 308 Chapter 11 Using Gateway VPNs Managing VPN Deployments Table 11-1 VPN Deployment Management Actions To... You can... create a...
  • Page 309 Chapter 11 Using Gateway VPNs Managing VPN Deployments Name Give the deployment a unique name. Type Click PTP to specify...
  • Page 310 Chapter 11 Using Gateway VPNs Managing VPN Deployments Public IKE Port If you selected Internal IP, specify a single...
  • Page 311 Chapter 11 Using Gateway VPNs Managing VPN Deployments Note that you must apply the deployment for it to take effect;...
  • Page 312 Chapter 11 Using Gateway VPNs Managing VPN Deployments Note that VPN endpoints cannot have the same IP address and...
  • Page 313 Chapter 11 Using Gateway VPNs Managing VPN Deployments Step 11 Click Save. The hub node is added to your deployment...
  • Page 314 Chapter 11 Using Gateway VPNs Managing VPN Deployments IP Address – If you selected a managed device as an...
  • Page 315 Chapter 11 Using Gateway VPNs Managing VPN Deployments Step 5 Give the deployment a unique Pre-shared Key. Step 6 Next...
  • Page 316 Chapter 11 Using Gateway VPNs Managing VPN Deployments Life Time Specify a numerical value and select a time unit...
  • Page 317 Chapter 11 Using Gateway VPNs Managing VPN Deployments To apply a VPN deployment: Access: Admin/Network Admin Step 1 Select Devices...
  • Page 318 Chapter 11 Using Gateway VPNs Managing VPN Deployments Viewing VPN Statistics and Logs License: VPN Supported Devices: Series 3...
  • Page 319 Chapter 11 Using Gateway VPNs Managing VPN Deployments IKE Algorithm The IKE algorithm being used by the VPN deployment. IPSec...
  • Page 320 Chapter 11 Using Gateway VPNs Managing VPN Deployments • Green indicates that the highlighted setting appears in one deployment...
  • Page 321: Using NAT Policies CHAPTER 12 Using NAT Policies A network address translation (NAT) policy determines how the...
  • Page 322 Chapter 12 Using NAT Policies Planning and Implementing a NAT Policy Planning and Implementing a NAT Policy License: Any...
  • Page 323 Chapter 12 Using NAT Policies Configuring NAT Policies Caution In clustered configurations, only select an individual peer interface for a...
  • Page 324 Chapter 12 Using NAT Policies Configuring NAT Policies Before you can apply a NAT policy, you must identify the...
  • Page 325 Chapter 12 Using NAT Policies Organizing Rules in a NAT Policy Step 4 Optionally, click the Search prompt above the...
  • Page 326 Chapter 12 Using NAT Policies Organizing Rules in a NAT Policy Note You can copy, but not cut static...
  • Page 327 Chapter 12 Using NAT Policies Managing NAT Policies Table 12-4 Preempted Rule Warning Actions To... You can... show warnings click...
  • Page 328 Chapter 12 Using NAT Policies Managing NAT Policies Table 12-5 NAT Policy Management Actions (continued) To... You can... copy...
  • Page 329 Chapter 12 Using NAT Policies Managing NAT Policies The NAT policy Edit page appears. For information on configuring your new...
  • Page 330 Chapter 12 Using NAT Policies Managing NAT Policies Your changes are discarded and the NAT page appears. Copying a...
  • Page 331 Chapter 12 Using NAT Policies Managing NAT Policies Table 12-6 NAT Policy Report Sections (continued) Section Description Policy Information Provides...
  • Page 332 Chapter 12 Using NAT Policies Managing NAT Policies • Using the NAT Policy Comparison View, page 12-12 • Using...
  • Page 333 Chapter 12 Using NAT Policies Managing NAT Policies described in the NAT Policy Report Sections table. To compare two NAT...
  • Page 334 Chapter 12 Using NAT Policies Managing NAT Policies • You can apply two different NAT policies to different devices,...
  • Page 335 Chapter 12 Using NAT Policies Creating and Editing NAT Rules Applying Selected Policy Configurations License: Control Supported Devices: Series 3...
  • Page 336 Chapter 12 Using NAT Policies Creating and Editing NAT Rules The web interface for adding or editing a rule...
  • Page 337 Chapter 12 Using NAT Policies Understanding NAT Rule Types Tip You can use the right-click context menu to perform many...
  • Page 338 Chapter 12 Using NAT Policies Understanding NAT Rule Types Dynamic IP Only Dynamic IP Only rules translate many-to-many source...
  • Page 339 Chapter 12 Using NAT Policies Understanding NAT Rule Conditions and Condition Mechanics Table 12-8 Available NAT Rule Condition Types per...
  • Page 340 Chapter 12 Using NAT Policies Understanding NAT Rule Conditions and Condition Mechanics Table 12-9 NAT Rule Condition Types Supported...
  • Page 341 Chapter 12 Using NAT Policies Understanding NAT Rule Conditions and Condition Mechanics Table 12-10 Adding Conditions to NAT Rules (continued)...
  • Page 342 Chapter 12 Using NAT Policies Understanding NAT Rule Conditions and Condition Mechanics The policy Edit page appears. Step 3...
  • Page 343 Chapter 12 Using NAT Policies Working with Different Types of Conditions in NAT Rules Adding Literal Conditions to NAT Rules...
  • Page 344 Chapter 12 Using NAT Policies Working with Different Types of Conditions in NAT Rules • Adding Port Conditions to...
  • Page 345 Chapter 12 Using NAT Policies Working with Different Types of Conditions in NAT Rules Note In a static NAT rule,...
  • Page 346 Chapter 12 Using NAT Policies Working with Different Types of Conditions in NAT Rules Caution If a network object...
  • Page 347 Chapter 12 Using NAT Policies Working with Different Types of Conditions in NAT Rules You add ranges in the following...
  • Page 348 Chapter 12 Using NAT Policies Working with Different Types of Conditions in NAT Rules The list updates as you...
  • Page 349 Chapter 12 Using NAT Policies Working with Different Types of Conditions in NAT Rules Caution If a port object or...
  • Page 350 Chapter 12 Using NAT Policies Working with Different Types of Conditions in NAT Rules The list updates to display...
  • Page 351: Using Access Control Policies CHAPTER 13 Using Access Control Policies An access control policy determines how the system...
  • Page 352 Chapter 13 Using Access Control Policies This chapter contains information on creating a basic access control policy (including Security...
  • Page 353 Chapter 13 Using Access Control Policies Configuring Policies Table 13-1 License and Appliance Requirements for Access Control (continued) To one...
  • Page 354 Chapter 13 Using Access Control Policies Configuring Policies Table 13-2 Access Control Policy Configuration Actions To... You can... modify...
  • Page 355 Chapter 13 Using Access Control Policies Configuring Policies • is not blacklisted by Security Intelligence • does not match...
  • Page 356 Chapter 13 Using Access Control Policies Configuring Policies The diagram below illustrates the Intrusion Prevention and Network Discovery Only...
  • Page 357 Chapter 13 Using Access Control Policies Configuring Policies Logging Connections for the Default Action License: Any You must decide whether...
  • Page 358 Chapter 13 Using Access Control Policies Configuring Policies • To send connection events to syslog, select Syslog, then select...
  • Page 359 Chapter 13 Using Access Control Policies Configuring Policies • the edit icon ( ) does not appear on the Access...
  • Page 360 Chapter 13 Using Access Control Policies Configuring Policies To manage targeted devices in an access control policy: Access: Admin/Access...
  • Page 361 Chapter 13 Using Access Control Policies Configuring Policies You can either display a generic Cisco-provided response page, or you can...
  • Page 362 Chapter 13 Using Access Control Policies Configuring Policies Filtering Traffic Based on Security Intelligence Data License: Protection Supported Devices:...
  • Page 363 Chapter 13 Using Access Control Policies Configuring Policies lists, see Working with the Global Whitelist and Blacklist, page 5-6. Finally,...
  • Page 364 Chapter 13 Using Access Control Policies Configuring Policies Logging Blacklisted Connections Logging blacklisted connections allows you to generate a...
  • Page 365 Chapter 13 Using Access Control Policies Configuring Policies Use the Security Intelligence tab in the access control policy to configure...
  • Page 366 Chapter 13 Using Access Control Policies Configuring Policies By default, objects are not constrained, that is, they have a...
  • Page 367 Chapter 13 Using Access Control Policies Configuring Policies Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER Supported Defense Centers: Any...
  • Page 368 Chapter 13 Using Access Control Policies Configuring Policies Because the decision to blacklist a connection occurs before the network...
  • Page 369 Chapter 13 Using Access Control Policies Configuring Policies • When you log an end-of-connection event to the Defense Center database...
  • Page 370 Chapter 13 Using Access Control Policies Configuring Policies Table 13-6 Advanced Access Control File and Malware Detection Options Field...
  • Page 371 Chapter 13 Using Access Control Policies Configuring Policies Table 13-6 Advanced Access Control File and Malware Detection Options (continued) Field...
  • Page 372 Chapter 13 Using Access Control Policies Organizing Rules in a Policy Organizing Rules in a Policy License: Any The...
  • Page 373 Chapter 13 Using Access Control Policies Organizing Rules in a Policy Table 13-7 Access Control Rule Organization Actions (continued) To......
  • Page 374 Chapter 13 Using Access Control Policies Organizing Rules in a Policy Step 2 Click the edit icon ( )...
  • Page 375 Chapter 13 Using Access Control Policies Organizing Rules in a Policy Matches may occur on any page of a multi-page...
  • Page 376 Chapter 13 Using Access Control Policies Organizing Rules in a Policy Step 2 Click the edit icon ( )...
  • Page 377 Chapter 13 Using Access Control Policies Managing Access Control Policies For all of these situations, warnings or errors appear in...
  • Page 378 Chapter 13 Using Access Control Policies Managing Access Control Policies You can use either of these policies the same...
  • Page 379 Chapter 13 Using Access Control Policies Managing Access Control Policies Step 1 Select Policies > Access Control. The Access Control...
  • Page 380 Chapter 13 Using Access Control Policies Managing Access Control Policies The Access Control page appears. Step 2 Click the...
  • Page 381 Chapter 13 Using Access Control Policies Managing Access Control Policies An access control policy report is a record of the...
  • Page 382 Chapter 13 Using Access Control Policies Managing Access Control Policies The system generates the report. Depending on your browser...
  • Page 383 Chapter 13 Using Access Control Policies Managing Access Control Policies Table 13-10 Access Control Policy Comparison View Actions To... You...
  • Page 384 Chapter 13 Using Access Control Policies Managing Access Control Policies Step 4 Depending on the comparison type you selected,...
  • Page 385 Chapter 13 Using Access Control Policies Managing Access Control Policies • You cannot apply an access control policy to stacked...
  • Page 386 Chapter 13 Using Access Control Policies Managing Access Control Policies Step 1 Select Policies > Access Control. The Access...
  • Page 387 Chapter 13 Using Access Control Policies Managing Access Control Policies The Intrusion Policies Column The Intrusion Policies column provides one...
  • Page 388 Chapter 13 Using Access Control Policies Managing Access Control Policies Note A pop-up window may warn that you have...
  • Page 389: Understanding and Writing Access Control Rules CHAPTER 14 Understanding and Writing Access Control Rules A set of access control rules...
  • Page 390 Chapter 14 Understanding and Writing Access Control Rules Creating and Editing Access Control Rules Table 14-1 License Requirements for...
  • Page 391 Chapter 14 Understanding and Writing Access Control Rules Creating and Editing Access Control Rules When you apply an access control...
  • Page 392 Chapter 14 Understanding and Writing Access Control Rules Creating and Editing Access Control Rules When you add a rule...
  • Page 393 Chapter 14 Understanding and Writing Access Control Rules Understanding Rule Actions To create or edit an access control rule: Access:...
  • Page 394 Chapter 14 Understanding and Writing Access Control Rules Understanding Rule Actions The access control policy’s default action handles traffic...
  • Page 395 Chapter 14 Understanding and Writing Access Control Rules Understanding Rule Actions Trust The Trust action allows traffic to pass without...
  • Page 396 Chapter 14 Understanding and Writing Access Control Rules Understanding Rule Conditions and Condition Mechanics You can log blocked network...
  • Page 397 Chapter 14 Understanding and Writing Access Control Rules Understanding Rule Conditions and Condition Mechanics For each condition type, you select...
  • Page 398 Chapter 14 Understanding and Writing Access Control Rules Understanding Rule Conditions and Condition Mechanics If you do not configure...
  • Page 399 Chapter 14 Understanding and Writing Access Control Rules Understanding Rule Conditions and Condition Mechanics Table 14-2 Access Control Rule Condition...
  • Page 400 Chapter 14 Understanding and Writing Access Control Rules Understanding Rule Conditions and Condition Mechanics You can add up to...
  • Page 401 Chapter 14 Understanding and Writing Access Control Rules Understanding Rule Conditions and Condition Mechanics Table 14-3 Adding Conditions (continued) To......
  • Page 402 Chapter 14 Understanding and Writing Access Control Rules Understanding Rule Conditions and Condition Mechanics Your rule is added and...
  • Page 403 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions • URLs For all but port...
  • Page 404 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions • Adding User Conditions, page...
  • Page 405 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions Conditions you select are highlighted. The...
  • Page 406 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions To add network conditions to...
  • Page 407 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions Note To apply an access control...
  • Page 408 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions Adding VLAN Tag Conditions License:...
  • Page 409 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions The list updates to display your...
  • Page 410 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions Step 2 Optionally, click the...
  • Page 411 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions When the system processes an access...
  • Page 412 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions • You cannot select a...
  • Page 413 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions Note that selecting a custom application...
  • Page 414 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions You must apply the access...
  • Page 415 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions Errors, page 13-26 for more information...
  • Page 416 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions The FireSIGHT System allows you...
  • Page 417 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions • If you want the rule...
  • Page 418 Chapter 14 Understanding and Writing Access Control Rules Working with Different Types of Conditions Alternately, relying on category and...
  • Page 419 Chapter 14 Understanding and Writing Access Control Rules Performing File and Intrusion Inspection on Allowed Traffic Step 6 Optionally, click...
  • Page 420 Chapter 14 Understanding and Writing Access Control Rules Performing File and Intrusion Inspection on Allowed Traffic Tip The system...
  • Page 421 Chapter 14 Understanding and Writing Access Control Rules Performing File and Intrusion Inspection on Allowed Traffic For detailed information on...
  • Page 422 Chapter 14 Understanding and Writing Access Control Rules Logging Connection, File, and Malware Information Step 3 Click Add Rule....
  • Page 423 Chapter 14 Understanding and Writing Access Control Rules Logging Connection, File, and Malware Information To optimize performance, Cisco recommends that...
  • Page 424 Chapter 14 Understanding and Writing Access Control Rules Logging Connection, File, and Malware Information In general, if you want...
  • Page 425 Chapter 14 Understanding and Writing Access Control Rules Logging Connection, File, and Malware Information Tip Even though the rule action...
  • Page 426 Chapter 14 Understanding and Writing Access Control Rules Logging Connection, File, and Malware Information For connections where an intrusion...
  • Page 427 Chapter 14 Understanding and Writing Access Control Rules Adding Comments to a Rule Step 5 Specify whether you want to...
  • Page 428 Chapter 14 Understanding and Writing Access Control Rules Adding Comments to a Rule To add a comment to a...
  • Page 429: Configuring External Alerting CHAPTER 15 Configuring External Alerting While the FireSIGHT System provides various views of events...
  • Page 430 Chapter 15 Configuring External Alerting Working with Alert Responses There is another type of alerting you can perform in...
  • Page 431 Chapter 15 Configuring External Alerting Working with Alert Responses Note If you configure an alert as a response to a...
  • Page 432 Chapter 15 Configuring External Alerting Working with Alert Responses To change the server, or if you have not yet...
  • Page 433 Chapter 15 Configuring External Alerting Working with Alert Responses Step 10 In the Privacy Password field, type the privacy password...
  • Page 434 Chapter 15 Configuring External Alerting Working with Alert Responses Table 15-2 Available Syslog Facilities (continued) Facility Description DAEMON A...
  • Page 435 Chapter 15 Configuring External Alerting Working with Alert Responses Step 4 In the Port field, type the port the server...
  • Page 436 Chapter 15 Configuring External Alerting Configuring Impact Flag Alerting Step 1 Select Policies > Actions > Alerts. The Alerts...
  • Page 437 Chapter 15 Configuring External Alerting Configuring Discovery Event Alerting Step 4 Click Save. Your impact flag alerting settings are saved....
  • Page 438 Chapter 15 Configuring External Alerting Configuring Advanced Malware Protection Alerting To configure malware event alerting: Access: Admin Step 1...
  • Page 439: Working with Connection & Security Intelligence Data CHAPTER 16 Working with Connection & Security Intelligence Data FireSIGHT System managed devices continuously...
  • Page 440 Chapter 16 Working with Connection & Security Intelligence Data Understanding Connection Data Understanding Connection Data License: Any For networks...
  • Page 441 Chapter 16 Working with Connection & Security Intelligence Data Understanding Connection Data Table 16-1 License Requirements for Logging Connection Data...
  • Page 442 Chapter 16 Working with Connection & Security Intelligence Data Understanding Connection Data Each connection summary includes total traffic statistics,...
  • Page 443 Chapter 16 Working with Connection & Security Intelligence Data Understanding Connection Data Each connection table view or connection graph contains...
  • Page 444 Chapter 16 Working with Connection & Security Intelligence Data Understanding Connection Data – Default Action indicates the connection was...
  • Page 445 Chapter 16 Working with Connection & Security Intelligence Data Understanding Connection Data Files The file events, if any, associated with...
  • Page 446 Chapter 16 Working with Connection & Security Intelligence Data Understanding Connection Data IOC Whether or not the event triggered...
  • Page 447 Chapter 16 Working with Connection & Security Intelligence Data Understanding Connection Data – Intrusion Monitor indicates the system detected, but...
  • Page 448 Chapter 16 Working with Connection & Security Intelligence Data Understanding Connection Data If the system cannot identify the specific...
  • Page 449 Chapter 16 Working with Connection & Security Intelligence Data Understanding Connection Data Other Configurations An advanced setting in the access...
  • Page 450 Chapter 16 Working with Connection & Security Intelligence Data Understanding Connection Data Table 16-2 Connection and Security Intelligence Data...
  • Page 451 Chapter 16 Working with Connection & Security Intelligence Data Viewing Connection and Security Intelligence Data Table 16-2 Connection and Security...
  • Page 452 Chapter 16 Working with Connection & Security Intelligence Data Working with Connection Graphs Each table view or graph contains...
  • Page 453 Chapter 16 Working with Connection & Security Intelligence Data Working with Connection Graphs Because traffic profiles are based on connection...
  • Page 454 Chapter 16 Working with Connection & Security Intelligence Data Working with Connection Graphs • Recentering and Zooming on Line...
  • Page 455 Chapter 16 Working with Connection & Security Intelligence Data Working with Connection Graphs Bar graphs display data grouped into discrete...
  • Page 456 Chapter 16 Working with Connection & Security Intelligence Data Working with Connection Graphs Follow the directions in the following...
  • Page 457 Chapter 16 Working with Connection & Security Intelligence Data Working with Connection Graphs On bar graphs, multiple datasets appear as...
  • Page 458 Chapter 16 Working with Connection & Security Intelligence Data Working with Connection Graphs Table 16-5 Dataset Options If the...
  • Page 459 Chapter 16 Working with Connection & Security Intelligence Data Working with Connection Graphs Connection graphs are based on aggregated data...
  • Page 460 Chapter 16 Working with Connection & Security Intelligence Data Working with Connection Graphs Drilling Down Through Connection Data Graphs...
  • Page 461 Chapter 16 Working with Connection & Security Intelligence Data Working with Connection Graphs The graph is redrawn, centered on the...
  • Page 462 Chapter 16 Working with Connection & Security Intelligence Data Working with Connection Graphs Table 16-7 Y-Axis Functions To... You...
  • Page 463 Chapter 16 Working with Connection & Security Intelligence Data Working with Connection and Security Intelligence Data Tables To export connection...
  • Page 464 Chapter 16 Working with Connection & Security Intelligence Data Working with Connection and Security Intelligence Data Tables Note that...
  • Page 465 Chapter 16 Working with Connection & Security Intelligence Data Working with Connection and Security Intelligence Data Tables • to constrain...
  • Page 466 Chapter 16 Working with Connection & Security Intelligence Data Searching for Connection and Security Intelligence Data • Many IMAP-capable...
  • Page 467 Chapter 16 Working with Connection & Security Intelligence Data Searching for Connection and Security Intelligence Data Also, keep in mind...
  • Page 468 Chapter 16 Working with Connection & Security Intelligence Data Searching for Connection and Security Intelligence Data Table 16-8 Connection...
  • Page 469 Chapter 16 Working with Connection & Security Intelligence Data Viewing the Connection Summary Page • Click Save as New Search...
  • Page 470 Chapter 16 Working with Connection & Security Intelligence Data Viewing the Connection Summary Page FireSIGHT System User Guide 16-32...
  • Page 471: Introduction to Intrusion Prevention CHAPTER 17 Introduction to Intrusion Prevention You can deploy your FireSIGHT System both to...
  • Page 472 Chapter 17 Introduction to Intrusion Prevention Understanding How Traffic Is Analyzed To learn more about how a FireSIGHT System...
  • Page 473 Chapter 17 Introduction to Intrusion Prevention Understanding How Traffic Is Analyzed • a network layer decoder, such as the IP...
  • Page 474 Chapter 17 Introduction to Intrusion Prevention Understanding How Traffic Is Analyzed As the system captures packets, it sends them...
  • Page 475 Chapter 17 Introduction to Intrusion Prevention Understanding How Traffic Is Analyzed After the packets are decoded through the first three...
  • Page 476 Chapter 17 Introduction to Intrusion Prevention Analyzing Intrusion Event Data For example, if the packet decoder receives an IP...
  • Page 477 Chapter 17 Introduction to Intrusion Prevention Using Intrusion Event Responses For more information, see Understanding and Using Workflows, page 47-1...
  • Page 478 Chapter 17 Introduction to Intrusion Prevention Understanding Intrusion Prevention Deployments Sensing traffic out-of-band allows you to devote almost all...
  • Page 479 Chapter 17 Introduction to Intrusion Prevention The Benefits of Custom Intrusion Policies In an inline deployment, you can also replace...
  • Page 480 Chapter 17 Introduction to Intrusion Prevention The Benefits of Custom Intrusion Policies Within the intrusion policy, you can also...
  • Page 481: Working with Intrusion Events CHAPTER 18 Working with Intrusion Events The FireSIGHT System can help you monitor your...
  • Page 482 Chapter 18 Working with Intrusion Events Viewing Intrusion Event Statistics • Understanding Workflow Pages for Intrusion Events, page 18-14...
  • Page 483 Chapter 18 Working with Intrusion Events Viewing Intrusion Event Statistics To view intrusion event statistics: Access: Admin/Intrusion Admin Step 1...
  • Page 484 Chapter 18 Working with Intrusion Events Viewing Intrusion Event Performance These statistics include the following: • Events shows the...
  • Page 485 Chapter 18 Working with Intrusion Events Viewing Intrusion Event Performance Generating Intrusion Event Performance Statistics Graphs License: Protection You can...
  • Page 486 Chapter 18 Working with Intrusion Events Viewing Intrusion Event Graphs Viewing Intrusion Event Graphs License: Protection The FireSIGHT System...
  • Page 487 Chapter 18 Working with Intrusion Events Viewing Intrusion Events If you perform a backup and then delete reviewed intrusion events,...
  • Page 488 Chapter 18 Working with Intrusion Events Viewing Intrusion Events The following list describes the information that an intrusion event...
  • Page 489 Chapter 18 Working with Intrusion Events Viewing Intrusion Events same area of the network analysis policy, you can also specify...
  • Page 490 Chapter 18 Working with Intrusion Events Viewing Intrusion Events Application Protocol The application protocol, if available, which represents communications...
  • Page 491 Chapter 18 Working with Intrusion Events Viewing Intrusion Events Security Context The metadata identifying the virtual firewall group through which...
  • Page 492 Chapter 18 Working with Intrusion Events Viewing Intrusion Events This column displays the first fifty characters of the extracted...
  • Page 493 Chapter 18 Working with Intrusion Events Viewing Intrusion Events The first page of the default intrusion events workflow appears. Viewing...
  • Page 494 Chapter 18 Working with Intrusion Events Understanding Workflow Pages for Intrusion Events To view events previously marked reviewed: Access:...
  • Page 495 Chapter 18 Working with Intrusion Events Using Drill-Down and Table View Pages When you “drill down” to find more information...
  • Page 496 Chapter 18 Working with Intrusion Events Using Drill-Down and Table View Pages • the table view of intrusion events...
  • Page 497 Chapter 18 Working with Intrusion Events Using Drill-Down and Table View Pages Table 18-2 Intrusion Event Common Features (continued) To......
  • Page 498 Chapter 18 Working with Intrusion Events Using Drill-Down and Table View Pages Table 18-3 Constraining Events on Drill-Down Pages...
  • Page 499 Chapter 18 Working with Intrusion Events Using the Packet View Tip At any point in the process, you can save...
  • Page 500 Chapter 18 Working with Intrusion Events Using the Packet View Table 18-5 Packet View Actions To... You can... modify...
  • Page 501 Chapter 18 Working with Intrusion Events Using the Packet View Step 1 On the table view of intrusion events, select...
  • Page 502 Chapter 18 Working with Intrusion Events Using the Packet View Ingress Interface The ingress interface of the packet that...
  • Page 503 Chapter 18 Working with Intrusion Events Using the Packet View Note that HTTP request packets do not always include a...
  • Page 504 Chapter 18 Working with Intrusion Events Using the Packet View Using Packet View Actions License: Protection On the packet...
  • Page 505 Chapter 18 Working with Intrusion Events Using the Packet View Note You cannot set shared object rules to generate events...
  • Page 506 Chapter 18 Working with Intrusion Events Using the Packet View Note that the current policy option appears only when...
  • Page 507 Chapter 18 Working with Intrusion Events Using the Packet View Step 3 In the IP address or CIDR block field,...
  • Page 508 Chapter 18 Working with Intrusion Events Using the Packet View Protocols in frame The protocols included in the frame....
  • Page 509 Chapter 18 Working with Intrusion Events Using the Packet View Viewing IPv4 Network Layer Information License: Protection The following listing...
  • Page 510 Chapter 18 Working with Intrusion Events Using the Packet View Header Checksum The indicator for whether the IP checksum...
  • Page 511 Chapter 18 Working with Intrusion Events Using the Packet View Viewing Transport Layer Information License: Protection On the packet view,...
  • Page 512 Chapter 18 Working with Intrusion Events Using the Packet View – P — the receiver should push data –...
  • Page 513 Chapter 18 Working with Intrusion Events Using Impact Levels to Evaluate Events – 4 — source quench – 5 —...
  • Page 514 Chapter 18 Working with Intrusion Events Using Impact Levels to Evaluate Events Table 18-6 Impact Levels Impact Level Vulnerability...
  • Page 515 Chapter 18 Working with Intrusion Events Searching for Intrusion Events Tip To reverse the sort order, click Impact again. Searching...
  • Page 516 Chapter 18 Working with Intrusion Events Searching for Intrusion Events Destination IP Specify the IP address used by the...
  • Page 517 Chapter 18 Working with Intrusion Events Searching for Intrusion Events Note that there is no Protocol column in the intrusion...
  • Page 518 Chapter 18 Working with Intrusion Events Searching for Intrusion Events Table 18-7 Snort ID Search Values (continued) Value Example...
  • Page 519 Chapter 18 Working with Intrusion Events Searching for Intrusion Events Security Zone (Ingress, Egress, Ingress/Egress) Type the name of a...
  • Page 520 Chapter 18 Working with Intrusion Events Searching for Intrusion Events Email Recipient Specify the address of the email recipient...
  • Page 521 Chapter 18 Working with Intrusion Events Using the Clipboard • Click Save as New Search to save the search criteria....
  • Page 522 Chapter 18 Working with Intrusion Events Using the Clipboard The Generate Report pop-up dialog appears. Step 5 Select one...
  • Page 523: Handling Incidents CHAPTER 19 Handling Incidents Incident handling refers to the response an organization takes when...
  • Page 524 Chapter 19 Handling Incidents Incident Handling Basics Generally, an incident is defined as one or more intrusion events that...
  • Page 525 Chapter 19 Handling Incidents Incident Handling Basics The managed devices that you deploy on your network are responsible for analyzing...
  • Page 526 Chapter 19 Handling Incidents Incident Handling Basics • the time zone • whether you had any contact with an...
  • Page 527 Chapter 19 Handling Incidents Creating an Incident • Damage • Unknown You can also create your own incident types, as...
  • Page 528 Chapter 19 Handling Incidents Generating Incident Reports To edit an incident: Access: Admin/Intrusion Admin Step 1 Select Analysis >...
  • Page 529 Chapter 19 Handling Incidents Creating Custom Incident Types In either case, the Generate Report page appears, including the options for...
  • Page 530 Chapter 19 Handling Incidents Creating Custom Incident Types Step 3 In the Type area, click Types. The incident management...
  • Page 531: Configuring Intrusion Policies CHAPTER 20 Configuring Intrusion Policies An intrusion policy is a defined set of intrusion...
  • Page 532 Chapter 20 Configuring Intrusion Policies Planning and Implementing an Intrusion Policy • Using Advanced Settings in an Intrusion Policy,...
  • Page 533 Chapter 20 Configuring Intrusion Policies Managing Intrusion Policies 3. Define your security policies. Security policies include your internal security guidelines,...
  • Page 534 Chapter 20 Configuring Intrusion Policies Managing Intrusion Policies The following table describes the actions you can take to manage...
  • Page 535 Chapter 20 Configuring Intrusion Policies Managing Intrusion Policies Creating an Intrusion Policy License: Protection You can create one or more...
  • Page 536 Chapter 20 Configuring Intrusion Policies Managing Intrusion Policies You must apply the appropriate access control policy to put your...
  • Page 537 Chapter 20 Configuring Intrusion Policies Managing Intrusion Policies Table 20-2 Common Intrusion Policy Editing Actions (continued) To... You can... display...
  • Page 538 Chapter 20 Configuring Intrusion Policies Managing Intrusion Policies Using the Navigation Panel License: Protection A navigation panel appears on...
  • Page 539 Chapter 20 Configuring Intrusion Policies Managing Intrusion Policies The following might also occur when you commit your changes: • If...
  • Page 540 Chapter 20 Configuring Intrusion Policies Managing Intrusion Policies • If the Snort version on the Defense Center differs from...
  • Page 541 Chapter 20 Configuring Intrusion Policies Managing Intrusion Policies Table 20-3 Intrusion Policy Report Sections Section Description Title Page Identifies the...
  • Page 542 Chapter 20 Configuring Intrusion Policies Managing Intrusion Policies To review policy changes for compliance with your organization’s standards or...
  • Page 543 Chapter 20 Configuring Intrusion Policies Managing Intrusion Policies Table 20-4 Intrusion Policy Comparison View Actions (continued) To... You can... generate...
  • Page 544 Chapter 20 Configuring Intrusion Policies Setting Drop Behavior in an Inline Deployment • To compare two revisions of the...
  • Page 545 Chapter 20 Configuring Intrusion Policies Setting Drop Behavior in an Inline Deployment Tip The event type is always Would have...
  • Page 546 Chapter 20 Configuring Intrusion Policies Understanding the Base Policy Step 4 Save your policy, continue editing, discard your changes,...
  • Page 547 Chapter 20 Configuring Intrusion Policies Understanding the Base Policy This policy is built for both speed and detection. It serves...
  • Page 548 Chapter 20 Configuring Intrusion Policies Understanding the Base Policy Allowing Rule Updates to Modify the Base Policy License: Protection...
  • Page 549 Chapter 20 Configuring Intrusion Policies Understanding the Base Policy You can select the base policy for your intrusion policy and,...
  • Page 550 Chapter 20 Configuring Intrusion Policies Understanding the Base Policy Accepting Rule Setting Changes from a Custom Base Policy License:...
  • Page 551: Managing Rules in an Intrusion Policy CHAPTER 21 Managing Rules in an Intrusion Policy You can use the Rules page...
  • Page 552 Chapter 21 Managing Rules in an Intrusion Policy Understanding Intrusion Prevention Rule Types • Using Layers in an Intrusion...
  • Page 553 Chapter 21 Managing Rules in an Intrusion Policy Viewing Rules in an Intrusion Policy Viewing Rules in an Intrusion Policy...
  • Page 554 Chapter 21 Managing Rules in an Intrusion Policy Viewing Rules in an Intrusion Policy Table 21-2 Rules Page Columns...
  • Page 555 Chapter 21 Managing Rules in an Intrusion Policy Viewing Rules in an Intrusion Policy The Intrusion Policy page appears....
  • Page 556 Chapter 21 Managing Rules in an Intrusion Policy Viewing Rules in an Intrusion Policy Table 21-3 Rule Details (continued)...
  • Page 557 Chapter 21 Managing Rules in an Intrusion Policy Viewing Rules in an Intrusion Policy Step 1 Click Add next to...
  • Page 558 Chapter 21 Managing Rules in an Intrusion Policy Viewing Rules in an Intrusion Policy The system adds your suppression...
  • Page 559 Chapter 21 Managing Rules in an Intrusion Policy Viewing Rules in an Intrusion Policy The system adds the dynamic rule...
  • Page 560 Chapter 21 Managing Rules in an Intrusion Policy Filtering Rules in an Intrusion Policy Filtering Rules in an Intrusion...
  • Page 561 Chapter 21 Managing Rules in an Intrusion Policy Filtering Rules in an Intrusion Policy Items in the filter panel sometimes...
  • Page 562 Chapter 21 Managing Rules in an Intrusion Policy Filtering Rules in an Intrusion Policy Note The Cisco VRT may...
  • Page 563 Chapter 21 Managing Rules in an Intrusion Policy Filtering Rules in an Intrusion Policy Table 21-4 Rule Filter Groups...
  • Page 564 Chapter 21 Managing Rules in an Intrusion Policy Filtering Rules in an Intrusion Policy The Rules page updates to...
  • Page 565 Chapter 21 Managing Rules in an Intrusion Policy Filtering Rules in an Intrusion Policy To use the Dynamic State filter:...
  • Page 566 Chapter 21 Managing Rules in an Intrusion Policy Filtering Rules in an Intrusion Policy For more information on the...
  • Page 567 Chapter 21 Managing Rules in an Intrusion Policy Filtering Rules in an Intrusion Policy Table 21-5 Rule Content Filters...
  • Page 568 Chapter 21 Managing Rules in an Intrusion Policy Filtering Rules in an Intrusion Policy Keyword:”argument” where keyword is one...
  • Page 569 Chapter 21 Managing Rules in an Intrusion Policy Filtering Rules in an Intrusion Policy You can also type a filter...
  • Page 570 Chapter 21 Managing Rules in an Intrusion Policy Setting Rule States Step 7 Save your policy, continue editing, discard...
  • Page 571 Chapter 21 Managing Rules in an Intrusion Policy Setting Rule States The VRT sometimes uses a rule update to change...
  • Page 572 Chapter 21 Managing Rules in an Intrusion Policy Filtering Intrusion Event Notification Per Policy Filtering Intrusion Event Notification Per...
  • Page 573 Chapter 21 Managing Rules in an Intrusion Policy Filtering Intrusion Event Notification Per Policy Table 21-6 Thresholding Options Option...
  • Page 574 Chapter 21 Managing Rules in an Intrusion Policy Filtering Intrusion Event Notification Per Policy Note that you can use...
  • Page 575 Chapter 21 Managing Rules in an Intrusion Policy Filtering Intrusion Event Notification Per Policy • Construct a filter by clicking...
  • Page 576 Chapter 21 Managing Rules in an Intrusion Policy Filtering Intrusion Event Notification Per Policy If you have unsaved changes...
  • Page 577 Chapter 21 Managing Rules in an Intrusion Policy Filtering Intrusion Event Notification Per Policy • Viewing and Deleting Suppression Conditions,...
  • Page 578 Chapter 21 Managing Rules in an Intrusion Policy Filtering Intrusion Event Notification Per Policy • Select Rule to completely...
  • Page 579 Chapter 21 Managing Rules in an Intrusion Policy Adding Dynamic Rule States Step 5 Select the rule or rules for...
  • Page 580 Chapter 21 Managing Rules in an Intrusion Policy Adding Dynamic Rule States • the duration of the action, which...
  • Page 581 Chapter 21 Managing Rules in an Intrusion Policy Adding Dynamic Rule States You set the number of hits for that...
  • Page 582 Chapter 21 Managing Rules in an Intrusion Policy Adding Alerts You can specify a single IP address, address block,...
  • Page 583 Chapter 21 Managing Rules in an Intrusion Policy Adding Rule Comments To set an SNMP alert: Access: Admin/Intrusion Admin Step...
  • Page 584 Chapter 21 Managing Rules in an Intrusion Policy Managing FireSIGHT Rule State Recommendations To add a comment to a...
  • Page 585 Chapter 21 Managing Rules in an Intrusion Policy Managing FireSIGHT Rule State Recommendations You can use the FireSIGHT Recommended Rules...
  • Page 586 Chapter 21 Managing Rules in an Intrusion Policy Managing FireSIGHT Rule State Recommendations thresholds, and so on. See Setting...
  • Page 587 Chapter 21 Managing Rules in an Intrusion Policy Managing FireSIGHT Rule State Recommendations Lists of addresses within the hosts that...
  • Page 588 Chapter 21 Managing Rules in an Intrusion Policy Managing FireSIGHT Rule State Recommendations If you have unsaved changes in...
  • Page 589 Chapter 21 Managing Rules in an Intrusion Policy Managing FireSIGHT Rule State Recommendations • Click Generate Recommendations if you want...
  • Page 590 Chapter 21 Managing Rules in an Intrusion Policy Managing FireSIGHT Rule State Recommendations FireSIGHT System User Guide 21-40
  • Page 591: Using Advanced Settings in an Intrusion Policy CHAPTER 22 Using Advanced Settings in an Intrusion Policy Advanced settings are preprocessor and...
  • Page 592 Chapter 22 Using Advanced Settings in an Intrusion Policy Modifying Advanced Settings An advanced setting must be enabled for...
  • Page 593 Chapter 22 Using Advanced Settings in an Intrusion Policy Modifying Advanced Settings Transport/Network Layer Preprocessors Network and transport layers preprocessors...
  • Page 594 Chapter 22 Using Advanced Settings in an Intrusion Policy Modifying Advanced Settings Table 22-6 Intrusion Rule Threshold Settings For...
  • Page 595 Chapter 22 Using Advanced Settings in an Intrusion Policy Understanding Preprocessors To access the configuration page for an advanced setting...
  • Page 596 Chapter 22 Using Advanced Settings in an Intrusion Policy Understanding Preprocessors Events or, optionally, to Drop and Generate events...
  • Page 597 Chapter 22 Using Advanced Settings in an Intrusion Policy Understanding Preprocessors • Application Layer Application layer protocols like HTTP, Telnet,...
  • Page 598 Chapter 22 Using Advanced Settings in an Intrusion Policy Understanding Preprocessors Caution Preprocessors are executed based on your configuration....
  • Page 599 Chapter 22 Using Advanced Settings in an Intrusion Policy Understanding Preprocessors Note Events generated by standard text rules have...
  • Page 600 Chapter 22 Using Advanced Settings in an Intrusion Policy Automatically Enabling Advanced Settings Table 22-9 Generator IDs (continued) ID...
  • Page 601 Chapter 22 Using Advanced Settings in an Intrusion Policy Automatically Enabling Advanced Settings Table 22-10 Automatically Enabled Advanced Settings Advanced...
  • Page 602 Chapter 22 Using Advanced Settings in an Intrusion Policy Automatically Enabling Advanced Settings Table 22-10 Automatically Enabled Advanced Settings...
  • Page 603 Chapter 22 Using Advanced Settings in an Intrusion Policy Understanding Troubleshooting Options Understanding Troubleshooting Options License: Protection Support might ask...
  • Page 604 Chapter 22 Using Advanced Settings in an Intrusion Policy Understanding Troubleshooting Options Table 22-11 Troubleshooting Options (continued) Advanced setting...
  • Page 605: Using Layers in an Intrusion Policy CHAPTER 23 Using Layers in an Intrusion Policy Larger organizations with many managed devices...
  • Page 606 Chapter 23 Using Layers in an Intrusion Policy Understanding Intrusion Policy Layers When the highest layer in your policy...
  • Page 607 Chapter 23 Using Layers in an Intrusion Policy Understanding Intrusion Policy Layers You can share any user-configurable layer with other...
  • Page 608 Chapter 23 Using Layers in an Intrusion Policy Understanding Intrusion Policy Layers Table 23-1 Rule Settings in Multiple Layers...
  • Page 609 Chapter 23 Using Layers in an Intrusion Policy Understanding Intrusion Policy Layers Step 3 Expand Policy Layers in the navigation...
  • Page 610 Chapter 23 Using Layers in an Intrusion Policy Understanding Intrusion Policy Layers Step 4 Locate the rule or rules...
  • Page 611 Chapter 23 Using Layers in an Intrusion Policy Understanding Intrusion Policy Layers recommendation-filtered views of the Rules page in read-only...
  • Page 612 Chapter 23 Using Layers in an Intrusion Policy Understanding Intrusion Policy Layers You can set the state (enabled or...
  • Page 613 Chapter 23 Using Layers in an Intrusion Policy Configuring User Layers Step 2 Click the edit icon ( ) next...
  • Page 614 Chapter 23 Using Layers in an Intrusion Policy Configuring User Layers Table 23-3 Policy Layer Configuration Actions (continued) To......
  • Page 615 Chapter 23 Using Layers in an Intrusion Policy Configuring User Layers Table 23-3 Policy Layer Configuration Actions (continued) To... You...
  • Page 616 Chapter 23 Using Layers in an Intrusion Policy Configuring User Layers The Policy Information page appears. Step 3 Click...
  • Page 617: Using Performance Settings in an Intrusion Policy CHAPTER 24 Using Performance Settings in an Intrusion Policy Cisco provides several features for...
  • Page 618 Chapter 24 Using Performance Settings in an Intrusion Policy Understanding Packet Latency Thresholding The Policy Information page appears. Step...
  • Page 619 Chapter 24 Using Performance Settings in an Intrusion Policy Understanding Packet Latency Thresholding As illustrated in the above figure, packet...
  • Page 620 Chapter 24 Using Performance Settings in an Intrusion Policy Understanding Packet Latency Thresholding • Configuring Packet Latency Thresholding, page...
  • Page 621 Chapter 24 Using Performance Settings in an Intrusion Policy Understanding Rule Latency Thresholding To configure packet latency thresholding: Access: Admin/Intrusion...
  • Page 622 Chapter 24 Using Performance Settings in an Intrusion Policy Understanding Rule Latency Thresholding The trade-off for the performance and...
  • Page 623 Chapter 24 Using Performance Settings in an Intrusion Policy Understanding Rule Latency Thresholding In the second example, the time required...
  • Page 624 Chapter 24 Using Performance Settings in an Intrusion Policy Understanding Rule Latency Thresholding Table 24-3 Rule Latency Thresholding Options...
  • Page 625 Chapter 24 Using Performance Settings in an Intrusion Policy Performance Statistics Configuration Step 4 You have two choices, depending on...
  • Page 626 Chapter 24 Using Performance Settings in an Intrusion Policy Constraining Regular Expressions Step 3 Click Advanced Settings in the...
  • Page 627 Chapter 24 Using Performance Settings in an Intrusion Policy Constraining Regular Expressions Table 24-5 Regular Expression Constraint Options Option Description...
  • Page 628 Chapter 24 Using Performance Settings in an Intrusion Policy Rule Processing Configuration Step 6 Save your policy, continue editing,...
  • Page 629 Chapter 24 Using Performance Settings in an Intrusion Policy Rule Processing Configuration Step 4 You have two choices, depending on...
  • Page 630 Chapter 24 Using Performance Settings in an Intrusion Policy Rule Processing Configuration FireSIGHT System User Guide 24-14
  • Page 631: Using Application Layer Preprocessors CHAPTER 25 Using Application Layer Preprocessors Application-layer protocols can represent the same data in...
  • Page 632 Chapter 25 Using Application Layer Preprocessors Decoding DCE/RPC Traffic • Using the SSL Preprocessor, page 25-70 explains how you...
  • Page 633 Chapter 25 Using Application Layer Preprocessors Decoding DCE/RPC Traffic See the following sections for more information: • Selecting Global DCE/RPC...
  • Page 634 Chapter 25 Using Application Layer Preprocessors Decoding DCE/RPC Traffic Auto-Detect Policy on SMB Session Detects the Windows or Samba...
  • Page 635 Chapter 25 Using Application Layer Preprocessors Decoding DCE/RPC Traffic • enable and specify auto-detection ports. See Understanding DCE/RPC Transports, page...
  • Page 636 Chapter 25 Using Application Layer Preprocessors Decoding DCE/RPC Traffic Note that you must enable at least one DCE/RPC transport...
  • Page 637 Chapter 25 Using Application Layer Preprocessors Decoding DCE/RPC Traffic • The well-known TCP or UDP port 135 identifies DCE/RPC traffic...
  • Page 638 Chapter 25 Using Application Layer Preprocessors Decoding DCE/RPC Traffic The Microsoft IIS proxy server and the DCE/RPC server can...
  • Page 639 Chapter 25 Using Application Layer Preprocessors Decoding DCE/RPC Traffic SMB Invalid Shares A case-insensitive, alphanumeric text string that identifies one...
  • Page 640 Chapter 25 Using Application Layer Preprocessors Decoding DCE/RPC Traffic RPC over HTTP Server Ports Enables detection of DCE/RPC traffic...
  • Page 641 Chapter 25 Using Application Layer Preprocessors Decoding DCE/RPC Traffic SMB File Inspection Enables inspection of SMB traffic for file detection....
  • Page 642 Chapter 25 Using Application Layer Preprocessors Decoding DCE/RPC Traffic Table 25-1 Traffic-Associated DCE/RPC Rules Traffic Preprocessor Rule GID:SID SMB...
  • Page 643 Chapter 25 Using Application Layer Preprocessors Decoding DCE/RPC Traffic Step 7 You can modify any of the following target-based policy...
  • Page 644 Chapter 25 Using Application Layer Preprocessors Detecting Exploits in DNS Name Server Responses • To test whether specified ports...
  • Page 645 Chapter 25 Using Application Layer Preprocessors Detecting Exploits in DNS Name Server Responses A DNS response is comprised of a...
  • Page 646 Chapter 25 Using Application Layer Preprocessors Detecting Exploits in DNS Name Server Responses When the resource record type is...
  • Page 647 Chapter 25 Using Application Layer Preprocessors Detecting Exploits in DNS Name Server Responses Table 25-4 Experimental DNS Resource Record Types...
  • Page 648 Chapter 25 Using Application Layer Preprocessors Decoding FTP and Telnet Traffic • Select the Detect Obsolete DNS RR Types...
  • Page 649 Chapter 25 Using Application Layer Preprocessors Decoding FTP and Telnet Traffic If no preprocessor rule is mentioned, the option is...
  • Page 650 Chapter 25 Using Application Layer Preprocessors Decoding FTP and Telnet Traffic Tip For more information on configuring the other...
  • Page 651 Chapter 25 Using Application Layer Preprocessors Decoding FTP and Telnet Traffic Normalize Normalizes telnet traffic to the specified ports. Detect...
  • Page 652 Chapter 25 Using Application Layer Preprocessors Decoding FTP and Telnet Traffic A message at the bottom of the page...
  • Page 653 Chapter 25 Using Application Layer Preprocessors Decoding FTP and Telnet Traffic You can specify a single IP address or address...
  • Page 654 Chapter 25 Using Application Layer Preprocessors Decoding FTP and Telnet Traffic Command Validity Use this option to enter a...
  • Page 655 Chapter 25 Using Application Layer Preprocessors Decoding FTP and Telnet Traffic Table 25-5 FTP Command Parameters (continued) If you use......
  • Page 656 Chapter 25 Using Application Layer Preprocessors Decoding FTP and Telnet Traffic The FTP and Telnet Configuration page appears. A...
  • Page 657 Chapter 25 Using Application Layer Preprocessors Decoding FTP and Telnet Traffic Note Additional commands you may want to add include...
  • Page 658 Chapter 25 Using Application Layer Preprocessors Decoding FTP and Telnet Traffic You can create profiles for FTP clients. Within...
  • Page 659 Chapter 25 Using Application Layer Preprocessors Decoding FTP and Telnet Traffic You can configure client profiles for FTP clients to...
  • Page 660 Chapter 25 Using Application Layer Preprocessors Decoding HTTP Traffic Note that you cannot modify the setting for Network in...
  • Page 661 Chapter 25 Using Application Layer Preprocessors Decoding HTTP Traffic • separating messages received from web servers into status code, status...
  • Page 662 Chapter 25 Using Application Layer Preprocessors Decoding HTTP Traffic • If the values for the Maximum Compressed Data Depth...
  • Page 663 Chapter 25 Using Application Layer Preprocessors Decoding HTTP Traffic If you have unsaved changes in another policy, click OK to...
  • Page 664 Chapter 25 Using Application Layer Preprocessors Decoding HTTP Traffic Ports The ports whose HTTP traffic the preprocessor engine normalizes....
  • Page 665 Chapter 25 Using Application Layer Preprocessors Decoding HTTP Traffic When Inspect HTTP Responses is enabled, inspects only the raw HTTP...
  • Page 666 Chapter 25 Using Application Layer Preprocessors Decoding HTTP Traffic Specify a value from -1 to 65495. Specify -1 to...
  • Page 667 Chapter 25 Using Application Layer Preprocessors Decoding HTTP Traffic Normalize Cookies in HTTP headers Enables normalization of cookies in HTTP...
  • Page 668 Chapter 25 Using Application Layer Preprocessors Decoding HTTP Traffic Normalize Javascript When Inspect HTTP Responses is enabled, enables detection...
  • Page 669 Chapter 25 Using Application Layer Preprocessors Decoding HTTP Traffic information. See Understanding Intrusion Events, page 18-7 and Viewing Event Information,...
  • Page 670 Chapter 25 Using Application Layer Preprocessors Decoding HTTP Traffic UTF-8 Encoding Decodes standard UTF-8 Unicode sequences in the URI....
  • Page 671 Chapter 25 Using Application Layer Preprocessors Decoding HTTP Traffic IIS Backslash Obfuscation Normalizes backslashes to forward slashes. You can enable...
  • Page 672 Chapter 25 Using Application Layer Preprocessors Decoding HTTP Traffic Max Chunk Encoding Size Detects abnormally large chunk sizes in...
  • Page 673 Chapter 25 Using Application Layer Preprocessors Decoding HTTP Traffic The HTTP Configuration page appears. A message at the bottom of...
  • Page 674 Chapter 25 Using Application Layer Preprocessors Using the Sun RPC Preprocessor Step 13 Save your policy, continue editing, discard...
  • Page 675 Chapter 25 Using Application Layer Preprocessors Using the Sun RPC Preprocessor Note Any port you add to the RPC Ports...
  • Page 676 Chapter 25 Using Application Layer Preprocessors Decoding the Session Initiation Protocol The Advanced Settings page appears. Step 4 You...
  • Page 677 Chapter 25 Using Application Layer Preprocessors Decoding the Session Initiation Protocol • optionally ignoring the call channel The preprocessor identifies...
  • Page 678 Chapter 25 Using Application Layer Preprocessors Decoding the Session Initiation Protocol Methods are case-insensitive. The method name can include...
  • Page 679 Chapter 25 Using Application Layer Preprocessors Decoding the Session Initiation Protocol Maximum Contact Length Specifies the maximum number of bytes...
  • Page 680 Chapter 25 Using Application Layer Preprocessors Decoding the Session Initiation Protocol Step 7 Save your policy, continue editing, discard...
  • Page 681 Chapter 25 Using Application Layer Preprocessors Configuring the GTP Command Channel Table 25-8 Additional SIP Preprocessor Rules (continued) Preprocessor Rule...
  • Page 682 Chapter 25 Using Application Layer Preprocessors Decoding IMAP Traffic Step 1 Select Policies > Intrusion > Intrusion Policy. The...
  • Page 683 Chapter 25 Using Application Layer Preprocessors Decoding IMAP Traffic • If you want IMAP preprocessor rules to generate events, you...
  • Page 684 Chapter 25 Using Application Layer Preprocessors Decoding IMAP Traffic Quoted-Printable Decoding Depth Specifies the maximum number of bytes to...
  • Page 685 Chapter 25 Using Application Layer Preprocessors Decoding IMAP Traffic Note Any port you add to the IMAP port list should...
  • Page 686 Chapter 25 Using Application Layer Preprocessors Decoding POP Traffic Decoding POP Traffic License: Protection The Post Office Protocol (POP)...
  • Page 687 Chapter 25 Using Application Layer Preprocessors Decoding POP Traffic Note Any port you add to the POP port list should...
  • Page 688 Chapter 25 Using Application Layer Preprocessors Decoding POP Traffic The Intrusion Policy page appears. Step 2 Click the edit...
  • Page 689 Chapter 25 Using Application Layer Preprocessors Decoding SMTP Traffic The POP preprocessor rules in the following table are not associated...
  • Page 690 Chapter 25 Using Application Layer Preprocessors Decoding SMTP Traffic Note also that when the values for the Base64 Decoding...
  • Page 691 Chapter 25 Using Application Layer Preprocessors Decoding SMTP Traffic Max Command Line Len Detects when an SMTP command line is...
  • Page 692 Chapter 25 Using Application Layer Preprocessors Decoding SMTP Traffic You can enable rule 124:4 to generate events for this...
  • Page 693 Chapter 25 Using Application Layer Preprocessors Decoding SMTP Traffic When quoted-printable decoding is enabled, you can enable rule 124:11 to...
  • Page 694 Chapter 25 Using Application Layer Preprocessors Decoding SMTP Traffic Configuring SMTP Decoding License: Protection You can use the SMTP...
  • Page 695 Chapter 25 Using Application Layer Preprocessors Decoding SMTP Traffic Note RCPT TO and MAIL FROM are SMTP commands. The preprocessor...
  • Page 696 Chapter 25 Using Application Layer Preprocessors Detecting Exploits Using the SSH Preprocessor • To enable extraction of recipient email...
  • Page 697 Chapter 25 Using Application Layer Preprocessors Detecting Exploits Using the SSH Preprocessor Challenge-Response Buffer Overflow exploits apply only to SSH...
  • Page 698 Chapter 25 Using Application Layer Preprocessors Detecting Exploits Using the SSH Preprocessor • Maximum Length of Protocol Version String:...
  • Page 699 Chapter 25 Using Application Layer Preprocessors Detecting Exploits Using the SSH Preprocessor Maximum Length of Protocol Version String Specifies the...
  • Page 700 Chapter 25 Using Application Layer Preprocessors Using the SSL Preprocessor This section explains how to configure the SSH preprocessor....
  • Page 701 Chapter 25 Using Application Layer Preprocessors Using the SSL Preprocessor • The SSL preprocessor requires TCP stream preprocessing. If TCP...
  • Page 702 Chapter 25 Using Application Layer Preprocessors Using the SSL Preprocessor • the system observes all packets in a session,...
  • Page 703 Chapter 25 Using Application Layer Preprocessors Using the SSL Preprocessor To base identification of encrypted traffic only on server traffic,...
  • Page 704 Chapter 25 Using Application Layer Preprocessors Working with SCADA Preprocessors Step 9 Save your policy, continue editing, discard your...
  • Page 705 Chapter 25 Using Application Layer Preprocessors Working with SCADA Preprocessors • If your network does not contain any Modbus-enabled devices,...
  • Page 706 Chapter 25 Using Application Layer Preprocessors Working with SCADA Preprocessors The Distributed Network Protocol (DNP3) is a SCADA protocol...
  • Page 707 Chapter 25 Using Application Layer Preprocessors Working with SCADA Preprocessors Log bad CRCs When enabled, validates the checksums contained in...
  • Page 708 Chapter 25 Using Application Layer Preprocessors Working with SCADA Preprocessors FireSIGHT System User Guide 25-78
  • Page 709: Using Transport & Network Layer Preprocessors CHAPTER 26 Using Transport & Network Layer Preprocessors Cisco provides preprocessors that detect exploits...
  • Page 710 Chapter 26 Using Transport & Network Layer Preprocessors Ignoring VLAN Headers The Intrusion Policy page appears. Step 2 Click...
  • Page 711 Chapter 26 Using Transport & Network Layer Preprocessors Ignoring VLAN Headers When you enable the Ignore VLAN Header detection setting,...
  • Page 712 Chapter 26 Using Transport & Network Layer Preprocessors Normalizing Inline Traffic Normalizing Inline Traffic License: Protection The inline normalization...
  • Page 713 Chapter 26 Using Transport & Network Layer Preprocessors Normalizing Inline Traffic IPv4 Normalization License: Protection When you enable Normalize IPv4,...
  • Page 714 Chapter 26 Using Transport & Network Layer Preprocessors Normalizing Inline Traffic • clears the 3-bit Reserved field in the...
  • Page 715 Chapter 26 Using Transport & Network Layer Preprocessors Normalizing Inline Traffic • enabling the Normalize TCP Excess Payload option removes...
  • Page 716 Chapter 26 Using Transport & Network Layer Preprocessors Normalizing Inline Traffic – the IPv6 Hop Limit field when Normalize...
  • Page 717 Chapter 26 Using Transport & Network Layer Preprocessors Normalizing Inline Traffic Normalize Urgent Pointer Sets the two-byte Urgent Pointer header...
  • Page 718 Chapter 26 Using Transport & Network Layer Preprocessors Normalizing Inline Traffic You can also specify any, which allows all...
  • Page 719 Chapter 26 Using Transport & Network Layer Preprocessors Defragmenting IP Packets Step 6 Save your policy, continue editing, discard your...
  • Page 720 Chapter 26 Using Transport & Network Layer Preprocessors Defragmenting IP Packets the packets incorrectly, thus allowing an exploit to...
  • Page 721 Chapter 26 Using Transport & Network Layer Preprocessors Defragmenting IP Packets Selecting Defragmentation Options License: Protection You can choose to...
  • Page 722 Chapter 26 Using Transport & Network Layer Preprocessors Defragmenting IP Packets You can enable the following rules to generate...
  • Page 723 Chapter 26 Using Transport & Network Layer Preprocessors Understanding Packet Decoding The IP Defragmentation page appears. A message at the...
  • Page 724 Chapter 26 Using Transport & Network Layer Preprocessors Understanding Packet Decoding Decode GTP Data Channel Decodes the encapsulated GTP...
  • Page 725 Chapter 26 Using Transport & Network Layer Preprocessors Understanding Packet Decoding TCP Option Description 14 Alternate Checksum Request 15 Alternate...
  • Page 726 Chapter 26 Using Transport & Network Layer Preprocessors Understanding Packet Decoding Detect Other TCP Options Detects TCP headers with...
  • Page 727 Chapter 26 Using Transport & Network Layer Preprocessors Using TCP Stream Preprocessing Step 4 You have two choices, depending on...
  • Page 728 Chapter 26 Using Transport & Network Layer Preprocessors Using TCP Stream Preprocessing • portscan detection when the TCP protocol...
  • Page 729 Chapter 26 Using Transport & Network Layer Preprocessors Using TCP Stream Preprocessing Initiating Active Responses with Drop Rules License: Protection...
  • Page 730 Chapter 26 Using Transport & Network Layer Preprocessors Using TCP Stream Preprocessing Packet Type Performance Boost Enables ignoring TCP...
  • Page 731 Chapter 26 Using Transport & Network Layer Preprocessors Using TCP Stream Preprocessing Tip The First operating system policy could offer...
  • Page 732 Chapter 26 Using Transport & Network Layer Preprocessors Using TCP Stream Preprocessing Note that the default setting in the...
  • Page 733 Chapter 26 Using Transport & Network Layer Preprocessors Using TCP Stream Preprocessing Stateful Inspection Anomalies Detects anomalous behavior in the...
  • Page 734 Chapter 26 Using Transport & Network Layer Preprocessors Using TCP Stream Preprocessing Require TCP 3-Way Handshake Specifies that sessions...
  • Page 735 Chapter 26 Using Transport & Network Layer Preprocessors Using TCP Stream Preprocessing however, that reassembling additional traffic types (client, server,...
  • Page 736 Chapter 26 Using Transport & Network Layer Preprocessors Using TCP Stream Preprocessing • For client services, specify smtp •...
  • Page 737 Chapter 26 Using Transport & Network Layer Preprocessors Using TCP Stream Preprocessing Perform Stream Reassembly on Both Services Enables stream...
  • Page 738 Chapter 26 Using Transport & Network Layer Preprocessors Using TCP Stream Preprocessing Step 5 Optionally, modify any of the...
  • Page 739 Chapter 26 Using Transport & Network Layer Preprocessors Using UDP Stream Preprocessing Step 13 Save your policy, continue editing, discard...
  • Page 740 Chapter 26 Using Transport & Network Layer Preprocessors Using UDP Stream Preprocessing The Intrusion Policy page appears. Step 2...
  • Page 741: Using the FireSIGHT System as a Compliance Tool CHAPTER 27 Using the FireSIGHT System as a Compliance Tool A compliance white list...
  • Page 742 Chapter 27 Using the FireSIGHT System as a Compliance Tool Understanding Compliance White Lists Because the system creates a...
  • Page 743 Chapter 27 Using the FireSIGHT System as a Compliance Tool Understanding Compliance White Lists After you create a white list...
  • Page 744 Chapter 27 Using the FireSIGHT System as a Compliance Tool Understanding Compliance White Lists Understanding White List Host Profiles...
  • Page 745 Chapter 27 Using the FireSIGHT System as a Compliance Tool Understanding Compliance White Lists After you create a host profile...
  • Page 746 Chapter 27 Using the FireSIGHT System as a Compliance Tool Understanding Compliance White Lists Every host on the network...
  • Page 747 Chapter 27 Using the FireSIGHT System as a Compliance Tool Creating Compliance White Lists • the system detects a new...
  • Page 748 Chapter 27 Using the FireSIGHT System as a Compliance Tool Creating Compliance White Lists When you create a white...
  • Page 749 Chapter 27 Using the FireSIGHT System as a Compliance Tool Creating Compliance White Lists Step 9 Click Save White List...
  • Page 750 Chapter 27 Using the FireSIGHT System as a Compliance Tool Creating Compliance White Lists Make sure to specify a...
  • Page 751 Chapter 27 Using the FireSIGHT System as a Compliance Tool Creating Compliance White Lists host that is eligible to be...
  • Page 752 Chapter 27 Using the FireSIGHT System as a Compliance Tool Creating Compliance White Lists Step 6 To add additional...
  • Page 753 Chapter 27 Using the FireSIGHT System as a Compliance Tool Creating Compliance White Lists To delete a white list target:...
  • Page 754 Chapter 27 Using the FireSIGHT System as a Compliance Tool Creating Compliance White Lists Step 1 On the Create...
  • Page 755 Chapter 27 Using the FireSIGHT System as a Compliance Tool Creating Compliance White Lists • To allow specific web applications,...
  • Page 756 Chapter 27 Using the FireSIGHT System as a Compliance Tool Creating Compliance White Lists Step 3 From the Type...
  • Page 757 Chapter 27 Using the FireSIGHT System as a Compliance Tool Creating Compliance White Lists The client is added. Note that...
  • Page 758 Chapter 27 Using the FireSIGHT System as a Compliance Tool Creating Compliance White Lists You can configure a compliance...
  • Page 759 Chapter 27 Using the FireSIGHT System as a Compliance Tool Creating Compliance White Lists Shared host profiles are also tied...
  • Page 760 Chapter 27 Using the FireSIGHT System as a Compliance Tool Creating Compliance White Lists • If you are modifying...
  • Page 761 Chapter 27 Using the FireSIGHT System as a Compliance Tool Creating Compliance White Lists Step 1 Follow the directions in...
  • Page 762 Chapter 27 Using the FireSIGHT System as a Compliance Tool Managing Compliance White Lists Step 1 Next to the...
  • Page 763 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with Shared Host Profiles Modifying a Compliance White List...
  • Page 764 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with Shared Host Profiles Shared host profiles specify...
  • Page 765 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with Shared Host Profiles The system creates one or...
  • Page 766 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with Shared Host Profiles The following table describes...
  • Page 767 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with Shared Host Profiles To modify a shared host...
  • Page 768 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with White List Events Step 5 Click Save...
  • Page 769 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with White List Events When the system generates...
  • Page 770 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with White List Events Table 27-3 Compliance White...
  • Page 771 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with White List Events When a compliance white list...
  • Page 772 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with White List Events You can search for...
  • Page 773 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with White List Violations • Many fields accept one...
  • Page 774 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with White List Violations white list, there is...
  • Page 775 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with White List Violations The first page of the...
  • Page 776 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with White List Violations Searching for White List...
  • Page 777 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with White List Violations • Specify n/a in any...
  • Page 778 Chapter 27 Using the FireSIGHT System as a Compliance Tool Working with White List Violations FireSIGHT System User Guide...
  • Page 779: Detecting Specific Threats CHAPTER 28 Detecting Specific Threats You can use some of the advanced configuration options...
  • Page 780 Chapter 28 Detecting Specific Threats Detecting Portscans To view the Back Orifice Detection page: Access: Admin/Intrusion Admin Step 1...
  • Page 781 Chapter 28 Detecting Specific Threats Detecting Portscans By itself, a portscan is not evidence of an attack. In fact, some...
  • Page 782 Chapter 28 Detecting Specific Threats Detecting Portscans Table 28-3 Portscan Types Type Description Portscan Detection A one-to-one portscan in...
  • Page 783 Chapter 28 Detecting Specific Threats Detecting Portscans Table 28-4 Sensitivity Levels Level Description Low Detects only negative responses from targeted...
  • Page 784 Chapter 28 Detecting Specific Threats Detecting Portscans The Advanced Settings page appears. Step 4 You have two choices, depending...
  • Page 785 Chapter 28 Detecting Specific Threats Detecting Portscans Step 11 Optionally, clear the Detect Ack Scans check box to discontinue monitoring...
  • Page 786 Chapter 28 Detecting Specific Threats Detecting Portscans Table 28-5 Portscan Detection SIDs (GID:122) (continued) Portscan Type Protocol: Sensitivity Level...
  • Page 787 Chapter 28 Detecting Specific Threats Preventing Rate-Based Attacks Table 28-6 Portscan Packet View (continued) Information Description Priority Count The number...
  • Page 788 Chapter 28 Detecting Specific Threats Preventing Rate-Based Attacks You can configure your intrusion policy to include rate-based filters that...
  • Page 789 Chapter 28 Detecting Specific Threats Preventing Rate-Based Attacks Note Rate-based actions cannot enable disabled rules or drop traffic that matches...
  • Page 790 Chapter 28 Detecting Specific Threats Preventing Rate-Based Attacks For example, you could configure a setting to allow a maximum...
  • Page 791 Chapter 28 Detecting Specific Threats Preventing Rate-Based Attacks As shown in the diagram, the first five packets matching the rule...
  • Page 792 Chapter 28 Detecting Specific Threats Preventing Rate-Based Attacks You can use thresholding and suppression to reduce excessive events by...
  • Page 793 Chapter 28 Detecting Specific Threats Preventing Rate-Based Attacks Policy-Wide Rate-Based Detection and Thresholding or Suppression License: Protection You can use...
  • Page 794 Chapter 28 Detecting Specific Threats Preventing Rate-Based Attacks Note that although it is not shown in this example, if...
  • Page 795 Chapter 28 Detecting Specific Threats Preventing Rate-Based Attacks Configuring Rate-Based Attack Prevention License: Protection You can configure rate-based attack prevention...
  • Page 796 Chapter 28 Detecting Specific Threats Preventing Rate-Based Attacks The Policy Information page appears. Step 3 Click Advanced Settings in...
  • Page 797 Chapter 28 Detecting Specific Threats Detecting Sensitive Data Detecting Sensitive Data License: Protection Sensitive data such as Social Security numbers,...
  • Page 798 Chapter 28 Detecting Specific Threats Detecting Sensitive Data Deploying Sensitive Data Detection License: Protection Because sensitive data detection can...
  • Page 799 Chapter 28 Detecting Specific Threats Detecting Sensitive Data Table 28-7 Global Sensitive Data Detection Options (continued) Option Description Networks Specifies...
  • Page 800 Chapter 28 Detecting Specific Threats Detecting Sensitive Data Table 28-8 Individual Data Type Options Option Description Data Type Displays...
  • Page 801 Chapter 28 Detecting Specific Threats Detecting Sensitive Data edit them under the sensitive-data rule category. The following table describes each...
  • Page 802 Chapter 28 Detecting Specific Threats Detecting Sensitive Data Table 28-10 Sensitive Data Configuration Actions (continued) To... You can... add...
  • Page 803 Chapter 28 Detecting Specific Threats Detecting Sensitive Data The Advanced Settings page appears. Step 4 You have two choices, depending...
  • Page 804 Chapter 28 Detecting Specific Threats Detecting Sensitive Data Step 3 Click Advanced Settings in the navigation panel on the...
  • Page 805 Chapter 28 Detecting Specific Threats Detecting Sensitive Data In the special case of detecting sensitive data in FTP traffic, specifying...
  • Page 806 Chapter 28 Detecting Specific Threats Detecting Sensitive Data • escaped characters that allow you to use the metacharacters as...
  • Page 807 Chapter 28 Detecting Specific Threats Detecting Sensitive Data Table 28-13 Sensitive Data Pattern Character Classes (continued) Character Class Character Class...
  • Page 808 Chapter 28 Detecting Specific Threats Detecting Sensitive Data Step 1 Select Policies > Intrusion > Intrusion Policy. The Intrusion Policy...
  • Page 809 Chapter 28 Detecting Specific Threats Detecting Sensitive Data You can modify the system-wide name and detection pattern for custom sensitive...
  • Page 810 Chapter 28 Detecting Specific Threats Detecting Sensitive Data FireSIGHT System User Guide 28-32
  • Page 811: Using Adaptive Profiles CHAPTER 29 Using Adaptive Profiles Typically, the system uses the static settings you configure...
  • Page 812 Chapter 29 Using Adaptive Profiles Understanding Adaptive Profiles Using Adaptive Profiles with Preprocessors License: FireSIGHT + Protection Adaptive profiles,...
  • Page 813 Chapter 29 Using Adaptive Profiles Configuring Adaptive Profiles Like FireSIGHT recommended rules, adaptive profiles compare metadata in a rule to...
  • Page 814 Chapter 29 Using Adaptive Profiles Configuring Adaptive Profiles To configure adaptive profiles: Access: Admin/Intrusion Admin Step 1 Select Policies...
  • Page 815: Using Global Rule Thresholding CHAPTER 30 Using Global Rule Thresholding You can use thresholds to limit the number...
  • Page 816 Chapter 30 Using Global Rule Thresholding Understanding Thresholding Understanding Thresholding Options License: Protection Thresholding allows you to limit intrusion...
  • Page 817 Chapter 30 Using Global Rule Thresholding Configuring Global Thresholds Table 30-2 Thresholding Instance/Time Options Option Description Count The number of...
  • Page 818 Chapter 30 Using Global Rule Thresholding Configuring Global Thresholds The Global Rule Thresholding page appears. A message at the...
  • Page 819 Chapter 30 Using Global Rule Thresholding Configuring Global Thresholds Step 2 Click the edit icon ( ) next to the...
  • Page 820 Chapter 30 Using Global Rule Thresholding Configuring Global Thresholds FireSIGHT System User Guide 30-6
  • Page 821: Configuring External Alerting for Intrusion Rules CHAPTER 31 Configuring External Alerting for Intrusion Rules While the FireSIGHT System provides various...
  • Page 822 Chapter 31 Configuring External Alerting for Intrusion Rules Using SNMP Responses • the event data You can set a...
  • Page 823 Chapter 31 Configuring External Alerting for Intrusion Rules Using SNMP Responses Table 31-2 SNMP v3 Options (continued) Option Description Private...
  • Page 824 Chapter 31 Configuring External Alerting for Intrusion Rules Using Syslog Responses Step 6 Select either SNMP v2 or SNMP...
  • Page 825 Chapter 31 Configuring External Alerting for Intrusion Rules Using Syslog Responses The following table lists the facilities you can select...
  • Page 826 Chapter 31 Configuring External Alerting for Intrusion Rules Understanding Email Alerting Configuring Syslog Responses License: Protection You can configure...
  • Page 827 Chapter 31 Configuring External Alerting for Intrusion Rules Understanding Email Alerting • last email time (the time that the system...
  • Page 828 Chapter 31 Configuring External Alerting for Intrusion Rules Understanding Email Alerting Summary Output Enables or disables brief email alerting,...
  • Page 829 Chapter 31 Configuring External Alerting for Intrusion Rules Understanding Email Alerting Step 8 To send brief email alerts, next to...
  • Page 830 Chapter 31 Configuring External Alerting for Intrusion Rules Understanding Email Alerting FireSIGHT System User Guide 31-10
  • Page 831: Understanding and Writing Intrusion Rules CHAPTER 32 Understanding and Writing Intrusion Rules An intrusion rule is a specified set...
  • Page 832 Chapter 32 Understanding and Writing Intrusion Rules Understanding Rule Anatomy Understanding Rule Anatomy License: Protection All standard text rules...
  • Page 833 Chapter 32 Understanding and Writing Intrusion Rules Understanding Rule Headers The following table describes each part of the rule header...
  • Page 834 Chapter 32 Understanding and Writing Intrusion Rules Understanding Rule Headers Specifying Rule Actions License: Protection Each rule header includes...
  • Page 835 Chapter 32 Understanding and Writing Intrusion Rules Understanding Rule Headers Specifying IP Addresses In Intrusion Rules License: Protection Restricting packet...
  • Page 836 Chapter 32 Understanding and Writing Intrusion Rules Understanding Rule Headers Table 32-2 Source/Destination IP Address Syntax (continued) To Specify......
  • Page 837 Chapter 32 Understanding and Writing Intrusion Rules Understanding Rule Headers Note You must surround negated lists with brackets. See Excluding...
  • Page 838 Chapter 32 Understanding and Writing Intrusion Rules Understanding Rule Headers Note You must use brackets to negate a list...
  • Page 839 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-3 Source/Destination Port Syntax (continued) To...
  • Page 840 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules • Searching for Content Matches, page...
  • Page 841 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules • Pointing to a Specific Payload Type,...
  • Page 842 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Defining the Intrusion Event Classification License:...
  • Page 843 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-5 Rule Classifications (continued) Number Classification...
  • Page 844 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Defining the Event Reference License: Protection...
  • Page 845 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules You can specify multiple content matches in...
  • Page 846 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Case Insensitive License: Protection You can...
  • Page 847 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Caution Do not create a rule that...
  • Page 848 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules The default offset is 0, meaning...
  • Page 849 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Step 2 Continue with creating or editing...
  • Page 850 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules • You cannot use the Raw...
  • Page 851 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules HTTP Method Select this option to search...
  • Page 852 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules – The Cookie: and Set-Cookie: header...
  • Page 853 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Almost all HTTP client requests contain the...
  • Page 854 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules You would not use this option...
  • Page 855 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Step 2 Optionally, select Fast Pattern Matcher...
  • Page 856 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Note Make sure that you set...
  • Page 857 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules The byte_jump keyword calculates the number of...
  • Page 858 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-9 Endianness Arguments Argument Description...
  • Page 859 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules the rules engine calculates the number described...
  • Page 860 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-12 Additional Optional byte_test Arguments...
  • Page 861 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules the rules engine calculates the number described...
  • Page 862 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Tip Optionally, you can surround your...
  • Page 863 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-16 PCRE Metacharacters (continued) Metacharacter...
  • Page 864 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules You can use modifying options after...
  • Page 865 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-20 Snort-Specific Post Regular...
  • Page 866 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-20 Snort-Specific Post Regular Expression...
  • Page 867 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules • EZBoard.cgi • ezman.cgi • ezadmin.cgi •...
  • Page 868 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules You can use the metadata keyword...
  • Page 869 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules To match a rule with an identified...
  • Page 870 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-21 service Values (continued) Value...
  • Page 871 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules • author s to display all rules...
  • Page 872 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Inspecting Fragments and Reserved Bits License:...
  • Page 873 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-24 IPoption Arguments Argument Description rr...
  • Page 874 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules A packet’s time-to-live (ttl) value indicates...
  • Page 875 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules icmp_seq The icmp_seq keyword inspects an ICMP...
  • Page 876 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Inspecting TCP Header Values and Stream...
  • Page 877 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-25 flag Arguments (continued) Argument TCP...
  • Page 878 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules To specify flow, select the flow...
  • Page 879 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules The seq keyword allows you to specify...
  • Page 880 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-31 stream_size Keyword Argument Operators...
  • Page 881 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Extracting SSL Information from a Session License:...
  • Page 882 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-33 ssl_state Arguments Argument Purpose...
  • Page 883 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Inspecting Application Layer Protocol Values License: Protection...
  • Page 884 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules The following table describes the arguments...
  • Page 885 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Note the following when using the urilen...
  • Page 886 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-37 DCE/RPC Keywords Use this...
  • Page 887 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules dce_iface License: Protection You can use the...
  • Page 888 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-38 dce_iface Arguments Argument Description...
  • Page 889 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Note that the DCE/RPC preprocessor must be...
  • Page 890 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules The following example rule fragment points...
  • Page 891 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules A three-digit status code in each SIP...
  • Page 892 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules To specify the GTP version: Access:...
  • Page 893 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-40 GTP Message Types (continued) Value...
  • Page 894 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-40 GTP Message Types (continued)...
  • Page 895 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-40 GTP Message Types (continued) Value...
  • Page 896 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-40 GTP Message Types (continued)...
  • Page 897 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules The following table lists the values...
  • Page 898 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-41 GTP Information Elements (continued)...
  • Page 899 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-41 GTP Information Elements (continued) Value...
  • Page 900 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-41 GTP Information Elements (continued)...
  • Page 901 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-41 GTP Information Elements (continued) Value...
  • Page 902 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules • modbus_func, page 32-72 • modbus_unit,...
  • Page 903 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-42 Modbus Function Codes (continued) Value...
  • Page 904 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules dnp3_data You can use the dnp3_data...
  • Page 905 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-43 DNP3 Function Codes (continued) Value...
  • Page 906 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules The following list provides the string...
  • Page 907 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Inspecting Packet Characteristics License: Protection You can...
  • Page 908 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-44 isdataat Arguments Argument Type...
  • Page 909 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules The fragoffset keyword tests the offset of...
  • Page 910 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules This is useful, for example, for...
  • Page 911 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-48 Endianness byte_extract Arguments (continued) Argument...
  • Page 912 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-50 Arguments Accepting a byte_extract...
  • Page 913 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules • Sending an HTML Page Before a...
  • Page 914 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules See Setting the Active Response Reset...
  • Page 915 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules • To send an HTML page that...
  • Page 916 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Filtering Events License: Protection You can...
  • Page 917 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Note that you can use the detection_filter...
  • Page 918 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-55 Logging Metrics Arguments Argument...
  • Page 919 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules Table 32-56 flowbits Options (continued) Operator State...
  • Page 920 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules • You can define the setx...
  • Page 921 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules The next rule fragment looks for a...
  • Page 922 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules The content and pcre keywords in...
  • Page 923 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules When the first rule fragment detects a...
  • Page 924 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules You must also configure the preprocessor...
  • Page 925 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules • Encoding Location: HTTP URI • Encoding...
  • Page 926 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules To point to the beginning of...
  • Page 927 Chapter 32 Understanding and Writing Intrusion Rules Understanding Keywords and Arguments in Rules These keywords are particularly useful for decoding...
  • Page 928 Chapter 32 Understanding and Writing Intrusion Rules Constructing a Rule base64_data License: Protection The base64_data keyword provides a reference...
  • Page 929 Chapter 32 Understanding and Writing Intrusion Rules Constructing a Rule In a custom standard text rule, you set the rule...
  • Page 930 Chapter 32 Understanding and Writing Intrusion Rules Constructing a Rule Step 8 In the Source Port field, enter the...
  • Page 931 Chapter 32 Understanding and Writing Intrusion Rules Constructing a Rule Note Do not modify the protocol for a shared object...
  • Page 932 Chapter 32 Understanding and Writing Intrusion Rules Constructing a Rule The Rule Editor page appears. Step 2 Locate the...
  • Page 933 Chapter 32 Understanding and Writing Intrusion Rules Searching for Rules Step 1 Select Policies > Intrusion > Rule Editor. The...
  • Page 934 Chapter 32 Understanding and Writing Intrusion Rules Searching for Rules Table 32-59 Rule Search Criteria (continued) Option Description Source...
  • Page 935 Chapter 32 Understanding and Writing Intrusion Rules Filtering Rules on the Rule Editor Page Filtering Rules on the Rule Editor...
  • Page 936 Chapter 32 Understanding and Writing Intrusion Rules Filtering Rules on the Rule Editor Page Table 32-60 Rule Filter Keywords...
  • Page 937 Chapter 32 Understanding and Writing Intrusion Rules Filtering Rules on the Rule Editor Page You can enclose character strings in...
  • Page 938 Chapter 32 Understanding and Writing Intrusion Rules Filtering Rules on the Rule Editor Page Step 5 Type your filter...
  • Page 939: Blocking Malware and Prohibited Files CH A P T E R 33 Blocking Malware and Prohibited Files Malicious software, or malware, can enter your...
  • Page 940 Chapter 33 Blocking Malware and Prohibited Files Understanding Malware Protection and File Control Table 33-1 License Requirements for File...
  • Page 941 Chapter 33 Blocking Malware and Prohibited Files Understanding Malware Protection and File Control The system can detect and optionally block...
  • Page 942 Chapter 33 Blocking Malware and Prohibited Files Understanding Malware Protection and File Control Understanding File Dispositions The system determines...
  • Page 943 Chapter 33 Blocking Malware and Prohibited Files Understanding Malware Protection and File Control Using Captured Files, File Events, and Malware...
  • Page 944 Chapter 33 Blocking Malware and Prohibited Files Understanding Malware Protection and File Control rules, see Understanding and Creating File...
  • Page 945 Chapter 33 Blocking Malware and Prohibited Files Understanding Malware Protection and File Control When a file is positively identified as...
  • Page 946 Chapter 33 Blocking Malware and Prohibited Files Understanding Malware Protection and File Control Note that because FireAMP malware detection...
  • Page 947 Chapter 33 Blocking Malware and Prohibited Files Understanding and Creating File Policies Table 33-3 Network vs Endpoint-Based Malware Protection Strategies...
  • Page 948 Chapter 33 Blocking Malware and Prohibited Files Understanding and Creating File Policies The policy has two access control rules,...
  • Page 949 Chapter 33 Blocking Malware and Prohibited Files Understanding and Creating File Policies Keep in mind that the system can perform...
  • Page 950 Chapter 33 Blocking Malware and Prohibited Files Understanding and Creating File Policies File Rules You populate a file policy...
  • Page 951 Chapter 33 Blocking Malware and Prohibited Files Understanding and Creating File Policies File Rule Actions and Evaluation Order Each file...
  • Page 952 Chapter 33 Blocking Malware and Prohibited Files Understanding and Creating File Policies • For an access control policy using...
  • Page 953 Chapter 33 Blocking Malware and Prohibited Files Understanding and Creating File Policies Table 33-6 File Rule Evaluation Order Example App....
  • Page 954 Chapter 33 Blocking Malware and Prohibited Files Understanding and Creating File Policies • The Files field contains an icon...
  • Page 955 Chapter 33 Blocking Malware and Prohibited Files Understanding and Creating File Policies Clicking the apply icon ( ) for a...
  • Page 956 Chapter 33 Blocking Malware and Prohibited Files Understanding and Creating File Policies The File Policy Rules tab appears. Step...
  • Page 957 Chapter 33 Blocking Malware and Prohibited Files Understanding and Creating File Policies You can inspect the following types of incoming...
  • Page 958 Chapter 33 Blocking Malware and Prohibited Files Understanding and Creating File Policies Step 9 Click Save. The file rule...
  • Page 959 Chapter 33 Blocking Malware and Prohibited Files Understanding and Creating File Policies You must reapply any access control policies that...
  • Page 960 Chapter 33 Blocking Malware and Prohibited Files Working with Cloud Connections for FireAMP The comparison report appears. Depending on...
  • Page 961 Chapter 33 Blocking Malware and Prohibited Files Working with Cloud Connections for FireAMP Creating a connection between the Defense Center...
  • Page 962 Chapter 33 Blocking Malware and Prohibited Files Working with Cloud Connections for FireAMP Delete a Cisco cloud connection if...
  • Page 963: Analyzing Malware and File Activity CH A P T E R 34 Analyzing Malware and File Activity The Defense Center logs records of the...
  • Page 964 Chapter 34 Analyzing Malware and File Activity Working with File Storage Working with File Storage License: Malware Supported Devices:...
  • Page 965 Chapter 34 Analyzing Malware and File Activity Working with File Storage File storage requires a device running Version 5.3 or...
  • Page 966 Chapter 34 Analyzing Malware and File Activity Working with Dynamic Analysis Downloading Stored Files to Another Location License: Malware...
  • Page 967 Chapter 34 Analyzing Malware and File Activity Working with Dynamic Analysis Note The system checks the cloud for updates to...
  • Page 968 Chapter 34 Analyzing Malware and File Activity Working with Dynamic Analysis Submitting Files for Dynamic Analysis License: Malware Supported...
  • Page 969 Chapter 34 Analyzing Malware and File Activity Working with File Events If multiple reports exist, this summary is based on...
  • Page 970 Chapter 34 Analyzing Malware and File Activity Working with File Events The FireSIGHT System’s event viewer allows you to...
  • Page 971 Chapter 34 Analyzing Malware and File Activity Working with File Events Step 1 Select Analysis > Files > File Events....
  • Page 972 Chapter 34 Analyzing Malware and File Activity Working with File Events Table 34-2 File Event Fields (continued) Field Description...
  • Page 973 Chapter 34 Analyzing Malware and File Activity Working with File Events Table 34-2 File Event Fields (continued) Field Description Application...
  • Page 974 Chapter 34 Analyzing Malware and File Activity Working with File Events For detailed information on search syntax, including using...
  • Page 975 Chapter 34 Analyzing Malware and File Activity Working with Malware Events Your search results appear in your default malware events...
  • Page 976 Chapter 34 Analyzing Malware and File Activity Working with Malware Events With a Malware license, your managed devices can...
  • Page 977 Chapter 34 Analyzing Malware and File Activity Working with Malware Events In either case, the malware event’s Message indicates how...
  • Page 978 Chapter 34 Analyzing Malware and File Activity Working with Malware Events • view events using different workflow pages within...
  • Page 979 Chapter 34 Analyzing Malware and File Activity Working with Malware Events The table view of malware events, which is the...
  • Page 980 Chapter 34 Analyzing Malware and File Activity Working with Malware Events Table 34-4 Malware Event Fields (continued) Retrospective Field...
  • Page 981 Chapter 34 Analyzing Malware and File Activity Working with Malware Events Table 34-4 Malware Event Fields (continued) Retrospective Field Description...
  • Page 982 Chapter 34 Analyzing Malware and File Activity Working with Malware Events Table 34-4 Malware Event Fields (continued) Retrospective Field...
  • Page 983 Chapter 34 Analyzing Malware and File Activity Working with Malware Events An endpoint-based malware event can have any of the...
  • Page 984 Chapter 34 Analyzing Malware and File Activity Working with Malware Events General Search Syntax The system displays examples of...
  • Page 985 Chapter 34 Analyzing Malware and File Activity Working with Captured Files If you do not enter a name, one is...
  • Page 986 Chapter 34 Analyzing Malware and File Activity Working with Captured Files Viewing Captured Files License: Malware The FireSIGHT System’s...
  • Page 987 Chapter 34 Analyzing Malware and File Activity Working with Captured Files Understanding the Captured Files Table License: Malware The Defense...
  • Page 988 Chapter 34 Analyzing Malware and File Activity Working with Captured Files Searching for Captured Files License: Malware Using the...
  • Page 989 Chapter 34 Analyzing Malware and File Activity Working with Captured Files Table 34-7 Captured Files Special Search Syntax Search Criterion...
  • Page 990 Chapter 34 Analyzing Malware and File Activity Working with Network File Trajectory • Click Save as New Search to...
  • Page 991 Chapter 34 Analyzing Malware and File Activity Working with Network File Trajectory Supported Devices: feature dependent Supported Defense Centers: feature...
  • Page 992 Chapter 34 Analyzing Malware and File Activity Working with Network File Trajectory The Query Results page appears listing all...
  • Page 993 Chapter 34 Analyzing Malware and File Activity Working with Network File Trajectory Table 34-9 Network File Trajectory Summary Information Fields...
  • Page 994 Chapter 34 Analyzing Malware and File Activity Working with Network File Trajectory Table 34-9 Network File Trajectory Summary Information...
  • Page 995 Chapter 34 Analyzing Malware and File Activity Working with Network File Trajectory in the map and highlight a path that...
  • Page 996 Chapter 34 Analyzing Malware and File Activity Working with Network File Trajectory You can view summary information from the...
  • Page 997 Chapter 34 Analyzing Malware and File Activity Working with Network File Trajectory • if another IP address was involved, any...
  • Page 998 Chapter 34 Analyzing Malware and File Activity Working with Network File Trajectory FireSIGHT System User Guide 34-36
  • Page 999: Introduction to Network Discovery CH A P T E R 35 Introduction to Network Discovery The FireSIGHT System uses a feature called network...
  • Page 1000 Chapter 35 Introduction to Network Discovery Understanding Discovery Data Collection To begin collecting discovery data, you must first apply...
  • Page 1001 Chapter 35 Introduction to Network Discovery Understanding Discovery Data Collection more information, see Using Custom Fingerprinting, page 42-7. You can...
  • Page 1002 Chapter 35 Introduction to Network Discovery Understanding Discovery Data Collection As shown in the diagram, there are three sources...
  • Page 1003 Chapter 35 Introduction to Network Discovery Understanding Discovery Data Collection • the IP address involved in the login, which can...
  • Page 1004 Chapter 35 Introduction to Network Discovery Understanding Discovery Data Collection The agents send records of all detected logins and...
  • Page 1005 Chapter 35 Introduction to Network Discovery Understanding Discovery Data Collection The total number of detected users the Defense Center can...
  • Page 1006 Chapter 35 Introduction to Network Discovery Understanding Discovery Data Collection You can view the contents of the users database...
  • Page 1007 Chapter 35 Introduction to Network Discovery Understanding Discovery Data Collection If you plan to use Version 2.1 of the FireSIGHT...
  • Page 1008 Chapter 35 Introduction to Network Discovery Understanding Discovery Data Collection Table 35-1 User Awareness Limitations (continued) Limitation Description logoff...
  • Page 1009 Chapter 35 Introduction to Network Discovery Understanding Discovery Data Collection The system identifies applications in your network traffic either...
  • Page 1010 Chapter 35 Introduction to Network Discovery Understanding Discovery Data Collection To supplement the application data gathered by the system,...
  • Page 1011 Chapter 35 Introduction to Network Discovery Understanding Discovery Data Collection Table 35-3 FireSIGHT System Identification of Application Protocols Application Description...
  • Page 1012 Chapter 35 Introduction to Network Discovery Understanding Discovery Data Collection Host Limits and Discovery Event Logging License: FireSIGHT When...
  • Page 1013 Chapter 35 Introduction to Network Discovery Understanding Discovery Data Collection To enable SSL application identification, you must create access control...
  • Page 1014 Chapter 35 Introduction to Network Discovery Understanding NetFlow Uses for Discovery Data License: FireSIGHT Logging discovery data allows you...
  • Page 1015 Chapter 35 Introduction to Network Discovery Understanding NetFlow NetFlow-enabled devices are widely used to capture and export data about the...
  • Page 1016 Chapter 35 Introduction to Network Discovery Understanding NetFlow Number of Connection Events Generated Per Monitored Session For connections detected...
  • Page 1017 Chapter 35 Introduction to Network Discovery Understanding NetFlow Initiator and Responder Information in Connections For connections detected directly by managed...
  • Page 1018 Chapter 35 Introduction to Network Discovery Understanding Indications of Compromise In addition, Cisco strongly recommends that you configure your...
  • Page 1019 Chapter 35 Introduction to Network Discovery Understanding Indications of Compromise Endpoint-Based FireAMP, page 33-7. • Adobe Reader Compromise — Adobe...
  • Page 1020 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy Security Intelligence Event IOC Types License: FireSIGHT+Protection Supported...
  • Page 1021 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy The network discovery policy on the Defense Center controls...
  • Page 1022 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy Discovery rules allow you to tailor the information...
  • Page 1023 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy Before you can select a NetFlow device in a...
  • Page 1024 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy A discovery rule causes discovery of monitored assets...
  • Page 1025 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy To add a discovery rule: Access: Admin/Discovery Admin Step...
  • Page 1026 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy For information on network monitoring, see Understanding Monitored...
  • Page 1027 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy Step 2 Click Add Rule. The Add Rule pop-up...
  • Page 1028 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy Restricting User Logging License: FireSIGHT When you apply...
  • Page 1029 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy Configuring Advanced Network Discovery Options License: FireSIGHT The Advanced...
  • Page 1030 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy Update Interval The interval at which the system...
  • Page 1031 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy • To force manual conflict resolution of identity conflicts,...
  • Page 1032 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy The Edit Vulnerability Settings pop-up window appears. Step...
  • Page 1033 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy If you have enabled the NetFlow feature on your...
  • Page 1034 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy When Host Limit Reached You can control how...
  • Page 1035 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy The Event Logging Settings control whether discovery and host...
  • Page 1036 Chapter 35 Introduction to Network Discovery Creating a Network Discovery Policy Tip To delete a source that you added,...
  • Page 1037 Chapter 35 Introduction to Network Discovery Obtaining User Data from LDAP Servers A message appears, confirming that you want to...
  • Page 1038 Chapter 35 Introduction to Network Discovery Obtaining User Data from LDAP Servers authentication object, contains connection settings and authentication...
  • Page 1039 Chapter 35 Introduction to Network Discovery Obtaining User Data from LDAP Servers The FireSIGHT System supports connections to LDAP servers...
  • Page 1040 Chapter 35 Introduction to Network Discovery Obtaining User Data from LDAP Servers Server Type, IP Address, and Port You...
  • Page 1041 Chapter 35 Introduction to Network Discovery Obtaining User Data from LDAP Servers Step 2 Click Add LDAP Connection. The Create...
  • Page 1042 Chapter 35 Introduction to Network Discovery Obtaining User Data from LDAP Servers Step 15 Specify any particular User Exclusions....
  • Page 1043 Chapter 35 Introduction to Network Discovery Obtaining User Data from LDAP Servers Performing an On-Demand User Data Retrieval for Access...
  • Page 1044 Chapter 35 Introduction to Network Discovery Obtaining User Data from LDAP Servers You can use the User Agent Status...
  • Page 1045 Chapter 35 Introduction to Network Discovery Obtaining User Data from LDAP Servers Continue with the next section, Installing a User...
  • Page 1046 Chapter 35 Introduction to Network Discovery Obtaining User Data from LDAP Servers Step 1 Download the User Agent setup...
  • Page 1047 Chapter 35 Introduction to Network Discovery Obtaining User Data from LDAP Servers To configure the agent: Access: Any Step 1...
  • Page 1048 Chapter 35 Introduction to Network Discovery Obtaining User Data from LDAP Servers FireSIGHT System User Guide 35-50
  • Page 1049: Using the Network Map CH A P T E R 36 Using the Network Map The FireSIGHT System passively collects traffic traveling over...
  • Page 1050 Chapter 36 Using the Network Map Working with the Hosts Network Map The Defense Center gathers data from all...
  • Page 1051 Chapter 36 Using the Network Map Working with the Network Devices Network Map You can delete entire networks, subnets, or...
  • Page 1052 Chapter 36 Using the Network Map Working with the Indications of Compromise Network Map network devices identified by a...
  • Page 1053 Chapter 36 Using the Network Map Working with the Mobile Devices Network Map The system uses data from multiple sources...
  • Page 1054 Chapter 36 Using the Network Map Working with the Applications Network Map To view the mobile devices network map:...
  • Page 1055 Chapter 36 Using the Network Map Working with the Vulnerabilities Network Map • If you delete a specific application, vendor,...
  • Page 1056 Chapter 36 Using the Network Map Working with the Vulnerabilities Network Map profiles for those hosts show deactivated vulnerabilities...
  • Page 1057 Chapter 36 Using the Network Map Working with the Host Attributes Network Map • To deactivate the vulnerability for an...
  • Page 1058 Chapter 36 Using the Network Map Working with Custom Network Topologies To filter by IP or MAC addresses, type...
  • Page 1059 Chapter 36 Using the Network Map Working with Custom Network Topologies • Creating Custom Topologies, page 36-11 • Managing Custom...
  • Page 1060 Chapter 36 Using the Network Map Working with Custom Network Topologies Note You must activate the topology before you...
  • Page 1061 Chapter 36 Using the Network Map Working with Custom Network Topologies Importing Networks from a Network Discovery Policy License: FireSIGHT...
  • Page 1062 Chapter 36 Using the Network Map Working with Custom Network Topologies To add a network to a custom topology...
  • Page 1063 Chapter 36 Using the Network Map Working with Custom Network Topologies Step 1 Select Policies > Network Discovery > Custom...
  • Page 1064 Chapter 36 Using the Network Map Working with Custom Network Topologies FireSIGHT System User Guide 36-16
  • Page 1065: Using Host Profiles CH A P T E R 37 Using Host Profiles A host profile provides a complete view of all...
  • Page 1066 Chapter 37 Using Host Profiles Note that a host profile may not be available for every host on your...
  • Page 1067 Chapter 37 Using Host Profiles The following graphic shows an example of a host profile for a MAC host. For...
  • Page 1068 Chapter 37 Using Host Profiles Viewing Host Profiles • Working with VLAN Tags in the Host Profile, page 37-20...
  • Page 1069 Chapter 37 Using Host Profiles Working with Basic Host Information in the Host Profile Working with Basic Host Information in...
  • Page 1070 Chapter 37 Using Host Profiles Working with IP Addresses in the Host Profile Host Type The type of device...
  • Page 1071 Chapter 37 Using Host Profiles Working with Indications of Compromise in the Host Profile The system detects IP addresses associated...
  • Page 1072 Chapter 37 Using Host Profiles Working with Indications of Compromise in the Host Profile For additional information on working...
  • Page 1073 Chapter 37 Using Host Profiles Working with Operating Systems in the Host Profile • Working with Connection & Security Intelligence...
  • Page 1074 Chapter 37 Using Host Profiles Working with Operating Systems in the Host Profile scanner or application data imported through...
  • Page 1075 Chapter 37 Using Host Profiles Working with Operating Systems in the Host Profile For example, if the system identifies a...
  • Page 1076 Chapter 37 Using Host Profiles Working with Operating Systems in the Host Profile Tip Click the delete icon (...
  • Page 1077 Chapter 37 Using Host Profiles Working with Operating Systems in the Host Profile Resolving Operating System Identity Conflicts License: FireSIGHT...
  • Page 1078 Chapter 37 Using Host Profiles Working with Servers in the Host Profile Working with Servers in the Host Profile...
  • Page 1079 Chapter 37 Using Host Profiles Working with Servers in the Host Profile Protocol The name of the protocol the server...
  • Page 1080 Chapter 37 Using Host Profiles Working with Servers in the Host Profile The server detail may also display updated...
  • Page 1081 Chapter 37 Using Host Profiles Working with Servers in the Host Profile – FireSIGHT, FireSIGHT Port Match, or FireSIGHT Pattern...
  • Page 1082 Chapter 37 Using Host Profiles Working with Applications in the Host Profile Step 7 If you want to indicate...
  • Page 1083 Chapter 37 Using Host Profiles Working with Applications in the Host Profile • Deleting Applications from the Host Profile, page...
  • Page 1084 Chapter 37 Using Host Profiles Working with VLAN Tags in the Host Profile well as the IP address(es) of...
  • Page 1085 Chapter 37 Using Host Profiles Working with User History in the Host Profile Working with User History in the Host...
  • Page 1086 Chapter 37 Using Host Profiles Working with Host Protocols in the Host Profile Step 2 Under Attributes, click the...
  • Page 1087 Chapter 37 Using Host Profiles Working with White List Violations in the Host Profile A compliance white list (or white...
  • Page 1088 Chapter 37 Using Host Profiles Working with Malware Detections in the Host Profile The Edit Shared Profiles page appears....
  • Page 1089 Chapter 37 Using Host Profiles Working with Vulnerabilities in the Host Profile The Vulnerabilities sections of the host profile list...
  • Page 1090 Chapter 37 Using Host Profiles Working with Vulnerabilities in the Host Profile • download patches to mitigate the vulnerabilities...
  • Page 1091 Chapter 37 Using Host Profiles Working with Vulnerabilities in the Host Profile Vulnerability Impact The severity assigned to the vulnerability...
  • Page 1092 Chapter 37 Using Host Profiles Working with Vulnerabilities in the Host Profile Tip You can also deactivate vulnerabilities from...
  • Page 1093 Chapter 37 Using Host Profiles Working with the Predefined Host Attributes Setting Vulnerabilities for Individual Hosts License: FireSIGHT You can...
  • Page 1094 Chapter 37 Using Host Profiles Working with User-Defined Host Attributes To set pre-defined host attributes in the host profile:...
  • Page 1095 Chapter 37 Using Host Profiles Working with User-Defined Host Attributes List Allows you to create a list of string values,...
  • Page 1096 Chapter 37 Using Host Profiles Working with User-Defined Host Attributes • If you are creating an Integer host attribute,...
  • Page 1097 Chapter 37 Using Host Profiles Working with User-Defined Host Attributes For information on using CIDR notation in the FireSIGHT System,...
  • Page 1098 Chapter 37 Using Host Profiles Working with Scan Results in a Host Profile Step 2 Click Host Attribute Management....
  • Page 1099: Working with Discovery Events CHAPTER 38 Working with Discovery Events Discovery events alert you to the activity on...
  • Page 1100 Chapter 38 Working with Discovery Events Viewing Discovery Event Statistics • Working with Discovery and Host Input Events, page...
  • Page 1101 Chapter 38 Working with Discovery Events Viewing Discovery Event Statistics Statistics Summary License: FireSIGHT The statistics summary provides general statistics...
  • Page 1102 Chapter 38 Working with Discovery Events Viewing Discovery Event Statistics Last Connection Received The date and time that the...
  • Page 1103 Chapter 38 Working with Discovery Events Viewing Discovery Performance Graphs Step 1 Click the name of the application protocol you...
  • Page 1104 Chapter 38 Working with Discovery Events Understanding Discovery Event Workflows Processed Events/Sec Displays a graph that represents the number...
  • Page 1105 Chapter 38 Working with Discovery Events Understanding Discovery Event Workflows The Defense Center provides a set of workflows that you...
  • Page 1106 Chapter 38 Working with Discovery Events Working with Discovery and Host Input Events Table 38-1 Common Discovery Event Actions...
  • Page 1107 Chapter 38 Working with Discovery Events Working with Discovery and Host Input Events See the following sections for more information:...
  • Page 1108 Chapter 38 Working with Discovery Events Working with Discovery and Host Input Events DHCP: IP Address Reassigned This event...
  • Page 1109 Chapter 38 Working with Discovery Events Working with Discovery and Host Input Events For more information, see Understanding Identity Conflicts,...
  • Page 1110 Chapter 38 Working with Discovery Events Working with Discovery and Host Input Events New TCP Port This event is...
  • Page 1111 Chapter 38 Working with Discovery Events Working with Discovery and Host Input Events Understanding Host Input Event Types License: FireSIGHT...
  • Page 1112 Chapter 38 Working with Discovery Events Working with Discovery and Host Input Events Host Attribute Delete This event is...
  • Page 1113 Chapter 38 Working with Discovery Events Working with Discovery and Host Input Events The Discovery Event Actions below describes some...
  • Page 1114 Chapter 38 Working with Discovery Events Working with Discovery and Host Input Events IP Address The IP address associated...
  • Page 1115 Chapter 38 Working with Discovery Events Working with Discovery and Host Input Events For detailed information on search syntax, including...
  • Page 1116 Chapter 38 Working with Discovery Events Working with Hosts • Click Save if you are modifying an existing search...
  • Page 1117 Chapter 38 Working with Discovery Events Working with Hosts Table 38-4 Host Actions To... You can... learn more about the...
  • Page 1118 Chapter 38 Working with Discovery Events Working with Hosts IP Address The IP addresses associated with the host. MAC...
  • Page 1119 Chapter 38 Working with Discovery Events Working with Hosts – the detection of the Spanning Tree Protocol (STP), which identifies...
  • Page 1120 Chapter 38 Working with Discovery Events Working with Hosts – User: user_name – Application: app_name – Scanner: scanner_type (Nmap...
  • Page 1121 Chapter 38 Working with Discovery Events Working with Hosts Step 1 On a table view in the hosts workflow, select...
  • Page 1122 Chapter 38 Working with Discovery Events Working with Hosts You can search for specific discovery events. You may want...
  • Page 1123 Chapter 38 Working with Discovery Events Working with Hosts Table 38-5 Host Search Criteria (continued) Field Search Criteria Notes Confidence...
  • Page 1124 Chapter 38 Working with Discovery Events Working with Host Attributes • Click Save as New Search to save the...
  • Page 1125 Chapter 38 Working with Discovery Events Working with Host Attributes To view host attributes: Access: Admin/Any Security Analyst Step 1...
  • Page 1126 Chapter 38 Working with Discovery Events Working with Host Attributes Notes Information about the host that you want other...
  • Page 1127 Chapter 38 Working with Discovery Events Working with Host Attributes Step 4 Optionally, add notes to the host profiles of...
  • Page 1128 Chapter 38 Working with Discovery Events Working with Indications of Compromise Tip To search the database for a different...
  • Page 1129 Chapter 38 Working with Discovery Events Working with Indications of Compromise Viewing Indications of Compromise License: FireSIGHT You can use...
  • Page 1130 Chapter 38 Working with Discovery Events Working with Indications of Compromise all IOC tags associated with a host in...
  • Page 1131 Chapter 38 Working with Discovery Events Working with Servers • Click the add object icon ( ) that appears next...
  • Page 1132 Chapter 38 Working with Discovery Events Working with Servers The FireSIGHT System collects information about all servers running on...
  • Page 1133 Chapter 38 Working with Discovery Events Working with Servers The first page of the default servers workflow appears. To use...
  • Page 1134 Chapter 38 Working with Discovery Events Working with Servers For more information, see the Application Characteristics table. Vendor One...
  • Page 1135 Chapter 38 Working with Discovery Events Working with Servers Current User The user identity (username) of the currently logged in...
  • Page 1136 Chapter 38 Working with Discovery Events Working with Applications Step 1 Select Analysis > Search. The Search page appears....
  • Page 1137 Chapter 38 Working with Discovery Events Working with Applications rules on the detection of application. For example, if you want...
  • Page 1138 Chapter 38 Working with Discovery Events Working with Applications Understanding the Applications Table License: FireSIGHT When a monitored host...
  • Page 1139 Chapter 38 Working with Discovery Events Working with Applications Type The type of application: – Application Protocols represent communications between...
  • Page 1140 Chapter 38 Working with Discovery Events Working with Application Details Step 4 Enter your search criteria in the appropriate...
  • Page 1141 Chapter 38 Working with Discovery Events Working with Application Details Viewing Application Details License: FireSIGHT You can use the Defense...
  • Page 1142 Chapter 38 Working with Discovery Events Working with Application Details Last Used The time that the application was last...
  • Page 1143 Chapter 38 Working with Discovery Events Working with Application Details Current User The user identity (username) of the currently logged...
  • Page 1144 Chapter 38 Working with Discovery Events Working with Vulnerabilities Tip To search the database for a different kind of...
  • Page 1145 Chapter 38 Working with Discovery Events Working with Vulnerabilities • Searching for Vulnerabilities, page 38-50 Viewing Vulnerabilities License: FireSIGHT You...
  • Page 1146 Chapter 38 Working with Discovery Events Working with Vulnerabilities Tip If you are using a custom workflow that does...
  • Page 1147 Chapter 38 Working with Discovery Events Working with Vulnerabilities Vulnerability Impact Displays the severity assigned to the vulnerability in the...
  • Page 1148 Chapter 38 Working with Discovery Events Working with Vulnerabilities • Constrain the vulnerabilities workflow based on the IP addresses...
  • Page 1149 Chapter 38 Working with Discovery Events Working with Third-Party Vulnerabilities Step 1 Select Analysis > Search. The Search page appears....
  • Page 1150 Chapter 38 Working with Discovery Events Working with Third-Party Vulnerabilities Viewing Third-Party Vulnerabilities License: FireSIGHT After you use the...
  • Page 1151 Chapter 38 Working with Discovery Events Working with Third-Party Vulnerabilities Vulnerability ID The ID number associated with the vulnerability for...
  • Page 1152 Chapter 38 Working with Discovery Events Working with Third-Party Vulnerabilities General Search Syntax The system displays examples of valid...
  • Page 1153 Chapter 38 Working with Discovery Events Working with Users Your search results appear in the default third-party vulnerabilities workflow. To...
  • Page 1154 Chapter 38 Working with Discovery Events Working with Users • telephone number The number of users the Defense Center...
  • Page 1155 Chapter 38 Working with Discovery Events Working with Users When the system discovers a user, it collects data about that...
  • Page 1156 Chapter 38 Working with Discovery Events Working with Users Department The user’s department, as obtained from the optional Defense...
  • Page 1157 Chapter 38 Working with Discovery Events Working with Users The data used to generate the host history is stored in...
  • Page 1158 Chapter 38 Working with Discovery Events Working with User Activity The Search page appears. Step 2 From the Table...
  • Page 1159 Chapter 38 Working with Discovery Events Working with User Activity – SMTP logins are not recorded unless there is already...
  • Page 1160 Chapter 38 Working with Discovery Events Working with User Activity You can view a table of user activity, and...
  • Page 1161 Chapter 38 Working with Discovery Events Working with User Activity IP Address For User Login activity, the IP address involved...
  • Page 1162 Chapter 38 Working with Discovery Events Working with User Activity To search for user activity: Access: Admin/Any Security Analyst...
  • Page 1163: Configuring Correlation Policies and Rules CHAPTER 39 Configuring Correlation Policies and Rules You can use the FireSIGHT System’s correlation...
  • Page 1164 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies This chapter focuses on creating correlation rules,...
  • Page 1165 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Supported Defense Centers: feature dependent Before you create...
  • Page 1166 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Table 39-1 License Requirements for Building Correlation...
  • Page 1167 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Providing Basic Rule Information License: Any You must...
  • Page 1168 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Step 1 Select the type of event...
  • Page 1169 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Tip You can nest rules that share the...
  • Page 1170 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Table 39-2 Syntax for Intrusion Events (continued)...
  • Page 1171 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Table 39-2 Syntax for Intrusion Events (continued) If...
  • Page 1172 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Table 39-3 Syntax for Malware Events (continued)...
  • Page 1173 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Table 39-4 Correlation Rule Trigger Criteria vs. Discovery...
  • Page 1174 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Table 39-5 Syntax for Discovery Events (continued)...
  • Page 1175 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies If you base your correlation rule on a...
  • Page 1176 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies If you base your correlation rule on...
  • Page 1177 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Table 39-9 Syntax for Connection Events (continued) If...
  • Page 1178 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies To create a rule that triggers when...
  • Page 1179 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Table 39-10 Syntax for Traffic Profile Changes (continued)...
  • Page 1180 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Note that to use a host profile...
  • Page 1181 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Note that although you can configure the network...
  • Page 1182 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Table 39-11 Syntax for Host Profile Qualifications...
  • Page 1183 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Tip Connection trackers typically monitor very specific traffic...
  • Page 1184 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies • the maximum duration of the connection...
  • Page 1185 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies You should keep in mind that connections detected...
  • Page 1186 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Table 39-12 Syntax for Connection Trackers (continued)...
  • Page 1187 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Tip To specify that the connection tracker track...
  • Page 1188 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies The following diagram shows how network traffic...
  • Page 1189 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies In this example, the system detected a connection...
  • Page 1190 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies The following diagram shows how network traffic...
  • Page 1191 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies In this example, the system detected the BitTorrent...
  • Page 1192 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Step 4 At 20 seconds, the system...
  • Page 1193 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies You can create a single, simple condition, or...
  • Page 1194 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies You can configure snooze periods in correlation...
  • Page 1195 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies When you are finished adding snooze and inactive...
  • Page 1196 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Caution Evaluating complex correlation rules that trigger...
  • Page 1197 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies To build the host profile qualification in the...
  • Page 1198 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies Note Where the condition syntax allows you...
  • Page 1199 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies In contrast, the following rule, which detects SSH...
  • Page 1200 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies The result is: To add a complex...
  • Page 1201 Chapter 39 Configuring Correlation Policies and Rules Creating Rules for Correlation Policies To link conditions: Access: Admin/Discovery Admin Step 1...
  • Page 1202 Chapter 39 Configuring Correlation Policies and Rules Managing Rules for Correlation Policies The Create Rule page appears again. Your...
  • Page 1203 Chapter 39 Configuring Correlation Policies and Rules Grouping Correlation Responses Step 1 Select Policies > Correlation, then select the Rule...
  • Page 1204 Chapter 39 Configuring Correlation Policies and Rules Grouping Correlation Responses After you create alert responses and remediations, (see Working...
  • Page 1205 Chapter 39 Configuring Correlation Policies and Rules Grouping Correlation Responses Modifying a Response Group License: Any Use the following procedure...
  • Page 1206 Chapter 39 Configuring Correlation Policies and Rules Creating Correlation Policies Step 1 Select Policies > Correlation, then click Groups....
  • Page 1207 Chapter 39 Configuring Correlation Policies and Rules Creating Correlation Policies See Adding Responses to Rules and White Lists, page 39-47....
  • Page 1208 Chapter 39 Configuring Correlation Policies and Rules Creating Correlation Policies To add rules or white lists to a correlation...
  • Page 1209 Chapter 39 Configuring Correlation Policies and Rules Creating Correlation Policies Step 1 On the Create Policy page, from the Priority...
  • Page 1210 Chapter 39 Configuring Correlation Policies and Rules Managing Correlation Policies To add responses to rules and white lists: Access:...
  • Page 1211 Chapter 39 Configuring Correlation Policies and Rules Managing Correlation Policies Activating and Deactivating Correlation Policies License: Any Use the following...
  • Page 1212 Chapter 39 Configuring Correlation Policies and Rules Working with Correlation Events The Policy Management page appears. Step 2 Click...
  • Page 1213 Chapter 39 Configuring Correlation Policies and Rules Working with Correlation Events Table 39-16 Correlation Event Actions (continued) To... You can......
  • Page 1214 Chapter 39 Configuring Correlation Policies and Rules Working with Correlation Events Tip If you are using a custom workflow...
  • Page 1215 Chapter 39 Configuring Correlation Policies and Rules Working with Correlation Events Table 39-17 Correlation Event Fields (continued) Field Description Source...
  • Page 1216 Chapter 39 Configuring Correlation Policies and Rules Working with Correlation Events Table 39-18 Correlation Event Search Criteria (continued) Field...
  • Page 1217 Chapter 39 Configuring Correlation Policies and Rules Working with Correlation Events Step 4 Enter your search criteria in the appropriate...
  • Page 1218 Chapter 39 Configuring Correlation Policies and Rules Working with Correlation Events FireSIGHT System User Guide 39-56
  • Page 1219: Creating Traffic Profiles CHAPTER 40 Creating Traffic Profiles A traffic profile is just that—a profile of the...
  • Page 1220 Chapter 40 Creating Traffic Profiles After you create and activate a traffic profile and its learning period is complete,...
  • Page 1221 Chapter 40 Creating Traffic Profiles Providing Basic Profile Information For more information, see: • Providing Basic Profile Information, page 40-3...
  • Page 1222 Chapter 40 Creating Traffic Profiles Specifying Traffic Profile Conditions You build traffic profile conditions in the Profile Conditions section...
  • Page 1223 Chapter 40 Creating Traffic Profiles Adding a Host Profile Qualification Table 40-1 Syntax for Profile Conditions (continued) If you specify......
  • Page 1224 Chapter 40 Creating Traffic Profiles Adding a Host Profile Qualification Syntax for Host Profile Qualifications License: FireSIGHT When you...
  • Page 1225 Chapter 40 Creating Traffic Profiles Setting Profile Options Table 40-2 Syntax for Host Profile Qualifications (continued) If you specify... Select...
  • Page 1226 Chapter 40 Creating Traffic Profiles Saving a Traffic Profile You can also set up inactive periods in traffic profile....
  • Page 1227 Chapter 40 Creating Traffic Profiles Editing a Traffic Profile Deactivate a profile when you want it to stop collecting and...
  • Page 1228 Chapter 40 Creating Traffic Profiles Understanding Condition-Building Mechanics For example, if you want to create a traffic profile that...
  • Page 1229 Chapter 40 Creating Traffic Profiles Understanding Condition-Building Mechanics • Building a Single Condition, page 40-11 • Adding and Linking Conditions,...
  • Page 1230 Chapter 40 Creating Traffic Profiles Understanding Condition-Building Mechanics The following steps explain how to build this host profile qualification....
  • Page 1231 Chapter 40 Creating Traffic Profiles Understanding Condition-Building Mechanics For information on the syntax for building traffic profile conditions and host...
  • Page 1232 Chapter 40 Creating Traffic Profiles Understanding Condition-Building Mechanics Logically, the above traffic profile is evaluated as follows: (A and...
  • Page 1233 Chapter 40 Creating Traffic Profiles Understanding Condition-Building Mechanics To add a complex condition: Access: Admin/Discovery Admin Step 1 Click Add...
  • Page 1234 Chapter 40 Creating Traffic Profiles Viewing Traffic Profiles To link conditions: Access: Admin/Discovery Admin Step 1 Use the drop-down...
  • Page 1235 Chapter 40 Creating Traffic Profiles Viewing Traffic Profiles You can perform almost all the same actions on traffic profile graphs...
  • Page 1236 Chapter 40 Creating Traffic Profiles Viewing Traffic Profiles FireSIGHT System User Guide 40-18
  • Page 1237: Configuring Remediations CHAPTER 41 Configuring Remediations When a correlation policy violation occurs, you can configure the...
  • Page 1238 Chapter 41 Configuring Remediations Creating Remediations • The Cisco IOS Null Route module, which, if you are running Cisco...
  • Page 1239 Chapter 41 Configuring Remediations Creating Remediations Step 1 Select Policies > Actions > Modules. The Modules page appears. Step 2...
  • Page 1240 Chapter 41 Configuring Remediations Creating Remediations • Cisco IOS Block Destination Network Remediations, page 41-5 • Cisco IOS Block...
  • Page 1241 Chapter 41 Configuring Remediations Creating Remediations • Cisco IOS Block Destination Network Remediations, page 41-5 • Cisco IOS Block Source...
  • Page 1242 Chapter 41 Configuring Remediations Creating Remediations Note Do not use this remediation as a response to a correlation rule...
  • Page 1243 Chapter 41 Configuring Remediations Creating Remediations Step 1 Select Policies > Actions > Instances. The Instances page appears. Step 2...
  • Page 1244 Chapter 41 Configuring Remediations Creating Remediations For example, to block traffic to an entire Class C network when a...
  • Page 1245 Chapter 41 Configuring Remediations Creating Remediations Step 4 Begin assigning Cisco PIX remediations to specific correlation policy rules. Adding a...
  • Page 1246 Chapter 41 Configuring Remediations Creating Remediations • Cisco PIX Block Destination Remediations, page 41-10 • Cisco PIX Block Source...
  • Page 1247 Chapter 41 Configuring Remediations Creating Remediations To add the remediation: Access: Admin/Discovery Admin Step 1 Select Policies > Actions >...
  • Page 1248 Chapter 41 Configuring Remediations Creating Remediations To create a scan instance: Access: Admin/Discovery Admin Step 1 Select Policies >...
  • Page 1249 Chapter 41 Configuring Remediations Creating Remediations To create a Nmap remediation: Access: Admin/Discovery Admin Step 1 Select Policies > Actions...
  • Page 1250 Chapter 41 Configuring Remediations Creating Remediations If you scan the port in the correlation event, note that the remediation...
  • Page 1251 Chapter 41 Configuring Remediations Creating Remediations Note that this option scans port 80 by default and that TCP SYN scans...
  • Page 1252 Chapter 41 Configuring Remediations Creating Remediations Step 1 Select Policies > Actions > Instances. The Instances page appears. Step...
  • Page 1253 Chapter 41 Configuring Remediations Working with Remediation Status Events If you plan to use this remediation in response to...
  • Page 1254 Chapter 41 Configuring Remediations Working with Remediation Status Events Table 41-1 Options for Viewing Remediation Status Events (continued) To......
  • Page 1255 Chapter 41 Configuring Remediations Working with Remediation Status Events Tip If you are using a custom workflow that does not...
  • Page 1256 Chapter 41 Configuring Remediations Working with Remediation Status Events Table 41-2 Remediation Status Fields (continued) Field Description Result Message...
  • Page 1257 Chapter 41 Configuring Remediations Working with Remediation Status Events Table 41-3 Remediation Status Search Criteria Search Field Description Result...
  • Page 1258 Chapter 41 Configuring Remediations Working with Remediation Status Events Step 4 If you want to save the search so...
  • Page 1259: Enhancing Network Discovery CHAPTER 42 Enhancing Network Discovery The information about your network traffic collected by the...
  • Page 1260 Chapter 42 Enhancing Network Discovery Assessing Your Detection Strategy Assessing Your Detection Strategy License: FireSIGHT Before you make any...
  • Page 1261 Chapter 42 Enhancing Network Discovery Assessing Your Detection Strategy identify it as Linux 2.4 instead of Mac OS X. If...
  • Page 1262 Chapter 42 Enhancing Network Discovery Enhancing Your Network Map Enhancing Your Network Map License: FireSIGHT The FireSIGHT System builds...
  • Page 1263 Chapter 42 Enhancing Network Discovery Enhancing Your Network Map • You can modify a host’s operating system or application identity...
  • Page 1264 Chapter 42 Enhancing Network Discovery Enhancing Your Network Map For example, if a user sets the operating system to...
  • Page 1265 Chapter 42 Enhancing Network Discovery Using Custom Fingerprinting A user with Administrator privileges can resolve identity conflicts automatically by choosing...
  • Page 1266 Chapter 42 Enhancing Network Discovery Using Custom Fingerprinting want to create a custom fingerprint for one of the hosts...
  • Page 1267 Chapter 42 Enhancing Network Discovery Using Custom Fingerprinting • The actual operating system vendor, product, and version of the host....
  • Page 1268 Chapter 42 Enhancing Network Discovery Using Custom Fingerprinting • In the Vendor String field, type the operating system’s vendor...
  • Page 1269 Chapter 42 Enhancing Network Discovery Using Custom Fingerprinting Note To create an accurate fingerprint, traffic must be seen by the...
  • Page 1270 Chapter 42 Enhancing Network Discovery Using Custom Fingerprinting Caution You can capture IPv6 fingerprints only with appliances running Version...
  • Page 1271 Chapter 42 Enhancing Network Discovery Using Custom Fingerprinting • In the Vendor String field, type the operating system’s vendor name....
  • Page 1272 Chapter 42 Enhancing Network Discovery Using Custom Fingerprinting You can activate, deactivate, delete, view, and edit custom fingerprints. When...
  • Page 1273 Chapter 42 Enhancing Network Discovery Using Custom Fingerprinting Deactivating Fingerprints License: FireSIGHT If you want to stop using a fingerprint,...
  • Page 1274 Chapter 42 Enhancing Network Discovery Using Custom Fingerprinting If a fingerprint is inactive, you can modify all elements of...
  • Page 1275 Chapter 42 Enhancing Network Discovery Working with Application Detectors To edit active fingerprints: Access: Admin/Discovery Admin Step 1 Select Policies...
  • Page 1276 Chapter 42 Enhancing Network Discovery Working with Application Detectors Internal detectors are always on; you cannot deactivate, delete, or...
  • Page 1277 Chapter 42 Enhancing Network Discovery Working with Application Detectors You have full control over imported and user-defined detectors; you can...
  • Page 1278 Chapter 42 Enhancing Network Discovery Working with Application Detectors The Detectors page appears. Step 2 Click Create Detector. The...
  • Page 1279 Chapter 42 Enhancing Network Discovery Working with Application Detectors Detector names must be unique within the protocol for the traffic...
  • Page 1280 Chapter 42 Enhancing Network Discovery Working with Application Detectors When creating a user-defined application protocol detector, you must specify...
  • Page 1281 Chapter 42 Enhancing Network Discovery Working with Application Detectors Step 3 Type a string of the type you specified in...
  • Page 1282 Chapter 42 Enhancing Network Discovery Working with Application Detectors Step 5 To save the detector, click Save. Note You...
  • Page 1283 Chapter 42 Enhancing Network Discovery Working with Application Detectors The information pop-up window for the detector appears. For more information...
  • Page 1284 Chapter 42 Enhancing Network Discovery Working with Application Detectors Type Finds detectors according to the detector type: Application Protocol,...
  • Page 1285 Chapter 42 Enhancing Network Discovery Working with Application Detectors To remove all filters: Access: Admin/Discovery Admin Step 1 Click Clear...
  • Page 1286 Chapter 42 Enhancing Network Discovery Working with Application Detectors Step 1 Select Policies > Application Detectors. The Detectors page...
  • Page 1287 Chapter 42 Enhancing Network Discovery Importing Host Input Data Note The system only uses applications with active detectors to analyze...
  • Page 1288 Chapter 42 Enhancing Network Discovery Importing Host Input Data • Managing Third-Party Product Mappings, page 42-30 • Mapping Third-Party...
  • Page 1289 Chapter 42 Enhancing Network Discovery Importing Host Input Data • Mapping Third-Party Products, page 42-31 • Mapping Third-Party Product Fixes,...
  • Page 1290 Chapter 42 Enhancing Network Discovery Importing Host Input Data Step 7 Type the product string used by the third-party...
  • Page 1291 Chapter 42 Enhancing Network Discovery Importing Host Input Data Step 7 In the Product Mappings section, select the operating system,...
  • Page 1292 Chapter 42 Enhancing Network Discovery Importing Host Input Data Step 3 Click Add Vulnerability Map. The Add Vulnerability Map...
  • Page 1293 Chapter 42 Enhancing Network Discovery Importing Host Input Data After you create a custom product mapping, you must activate the...
  • Page 1294 Chapter 42 Enhancing Network Discovery Importing Host Input Data The Custom Product Mappings page appears. Step 2 Click the...
  • Page 1295: Configuring Active Scanning CHAPTER 43 Configuring Active Scanning The FireSIGHT System builds a network map through passive...
  • Page 1296 Chapter 43 Configuring Active Scanning Understanding Nmap Scans Nmap compares the results of the scan to over 1500 known...
  • Page 1297 Chapter 43 Configuring Active Scanning Understanding Nmap Scans Table 43-1 Nmap Remediation Options Corresponding Nmap Option Description Option Scan Which...
  • Page 1298 Chapter 43 Configuring Active Scanning Understanding Nmap Scans Table 43-1 Nmap Remediation Options (continued) Corresponding Nmap Option Description Option...
  • Page 1299 Chapter 43 Configuring Active Scanning Understanding Nmap Scans Table 43-1 Nmap Remediation Options (continued) Corresponding Nmap Option Description Option Default...
  • Page 1300 Chapter 43 Configuring Active Scanning Understanding Nmap Scans • an IP address range using octet range addressing (for example,...
  • Page 1301 Chapter 43 Configuring Active Scanning Understanding Nmap Scans The following scenarios provide examples of how Nmap might be used on...
  • Page 1302 Chapter 43 Configuring Active Scanning Understanding Nmap Scans Step 8 After a day or two, search for events generated...
  • Page 1303 Chapter 43 Configuring Active Scanning Setting up Nmap Scans For more information on creating correlation policies, see Creating Correlation Policies,...
  • Page 1304 Chapter 43 Configuring Active Scanning Setting up Nmap Scans • For IPv6 hosts, an exact IP address (for example,...
  • Page 1305 Chapter 43 Configuring Active Scanning Setting up Nmap Scans • for IPv4 hosts, an IP address block using CIDR notation...
  • Page 1306 Chapter 43 Configuring Active Scanning Setting up Nmap Scans To create an Nmap remediation: Access: Admin/Discovery Admin Step 1...
  • Page 1307 Chapter 43 Configuring Active Scanning Setting up Nmap Scans If you scan the port in the correlation event, note that...
  • Page 1308 Chapter 43 Configuring Active Scanning Managing Nmap Scanning Note that this option scans port 80 by default and that...
  • Page 1309 Chapter 43 Configuring Active Scanning Managing Nmap Scanning Use the following procedure to modify scan instances. Note that you can...
  • Page 1310 Chapter 43 Configuring Active Scanning Managing Nmap Scanning • Deleting an Nmap Remediation, page 43-16 Editing an Nmap Remediation...
  • Page 1311 Chapter 43 Configuring Active Scanning Managing Scan Targets Note that Nmap-supplied server and operating system data remains static until you...
  • Page 1312 Chapter 43 Configuring Active Scanning Managing Scan Targets addresses to scan, as well as the ports on the host...
  • Page 1313 Chapter 43 Configuring Active Scanning Working with Active Scan Results Step 1 Select Policies > Actions > Scanners. The Scanners...
  • Page 1314 Chapter 43 Configuring Active Scanning Working with Active Scan Results Table 43-2 Scan Results Table Functions (continued) To... You...
  • Page 1315 Chapter 43 Configuring Active Scanning Working with Active Scan Results Understanding the Scan Results Table License: FireSIGHT When you run...
  • Page 1316 Chapter 43 Configuring Active Scanning Working with Active Scan Results Step 2 Click Scan Results. The first page of...
  • Page 1317 Chapter 43 Configuring Active Scanning Working with Active Scan Results Table 43-4 Scan Results Search Criteria Field Search Criteria Rules...
  • Page 1318 Chapter 43 Configuring Active Scanning Working with Active Scan Results • Click Save if you are modifying an existing...
  • Page 1319: Working with Reports CHAPTER 44 Working with Reports The FireSIGHT System provides a flexible reporting system that...
  • Page 1320 Chapter 44 Working with Reports Generating Reports • Creating a Report Template by Importing a Dashboard or Workflow, page...
  • Page 1321 Chapter 44 Working with Reports Generating Reports Step 8 Optionally, add text sections. Click the add text section icon (...
  • Page 1322 Chapter 44 Working with Reports Generating Reports Step 2 Select Overview > Reporting. Step 3 Click the Report Templates...
  • Page 1323 Chapter 44 Working with Reports Generating Reports The Reports tab page shows all locally stored reports. It shows remotely stored...
  • Page 1324 Chapter 44 Working with Reports Understanding Report Templates • the report link, which opens a new window to display...
  • Page 1325 Chapter 44 Working with Reports Understanding Report Templates Your reports contain one or more information sections. You choose the format...
  • Page 1326 Chapter 44 Working with Reports Using Report Templates Table 44-3 Report Section Fields (continued) Field Name Definition Search or...
  • Page 1327 Chapter 44 Working with Reports Using Report Templates Creating Report Templates from Existing Templates License: Any You can build a...
  • Page 1328 Chapter 44 Working with Reports Using Report Templates Host Report: $<Host> The Host Report: $<Host> report template provides information...
  • Page 1329 Chapter 44 Working with Reports Using Report Templates • Application Protocols Transferring Malware • Hosts Receiving Malware • Hosts Sending...
  • Page 1330 Chapter 44 Working with Reports Using Report Templates Files Report The Files Report report template provides information about files...
  • Page 1331 Chapter 44 Working with Reports Using Report Templates Step 4 Optionally, type a name for your new template in the...
  • Page 1332 Chapter 44 Working with Reports Using Report Templates Step 1 Select Overview > Reporting. Step 2 Click the Report...
  • Page 1333 Chapter 44 Working with Reports Using Report Templates To select the table and output format for a template section: Access:...
  • Page 1334 Chapter 44 Working with Reports Using Report Templates • For the Application Statistics table, the Filter drop-down list appears....
  • Page 1335 Chapter 44 Working with Reports Using Report Templates Step 5 Add formatted text and images to the body of the...
  • Page 1336 Chapter 44 Working with Reports Using Report Templates The Events Time Window page appears in a new window. For...
  • Page 1337 Chapter 44 Working with Reports Using Report Templates Previewing a Template Section License: Any The preview function shows the field...
  • Page 1338 Chapter 44 Working with Reports Using Report Templates For some search fields, the drop-down menu may contain user-defined managed...
  • Page 1339 Chapter 44 Working with Reports Using Report Templates Table 44-4 Predefined Input Parameters (continued) Insert this parameter... ...to include this...
  • Page 1340 Chapter 44 Working with Reports Using Report Templates Table 44-6 User-Defined Input Parameter Types Use this parameter type... With...
  • Page 1341 Chapter 44 Working with Reports Using Report Templates To edit user-defined input parameters for a report template: Access: Admin/Any Security...
  • Page 1342 Chapter 44 Working with Reports Using Report Templates To constrain the search in a report template with user-defined input...
  • Page 1343 Chapter 44 Working with Reports Using Report Templates To set the document attributes for PDF and HTML reports: Access: Admin/Any...
  • Page 1344 Chapter 44 Working with Reports Using Report Templates The Advanced Settings pop-up window appears. Step 5 Click the edit...
  • Page 1345 Chapter 44 Working with Reports Using Report Templates The Upload Logo pop-up window appears. Step 7 Select the logo file...
  • Page 1346 Chapter 44 Working with Reports Using Report Generation Options To delete a logo from a Defense Center: Access: Admin/Any...
  • Page 1347 Chapter 44 Working with Reports Using Report Generation Options Distributing Reports by Email at Generation Time License: Any When you...
  • Page 1348 Chapter 44 Working with Reports Managing Report Templates and Report Files To use remote storage, you must first configure...
  • Page 1349 Chapter 44 Working with Reports Managing Report Templates and Report Files Exporting and Importing Report Templates License: Any The file...
  • Page 1350 Chapter 44 Working with Reports Managing Report Templates and Report Files • Type the path to the package you...
  • Page 1351 Chapter 44 Working with Reports Managing Report Templates and Report Files Tip Select the check box at the top left...
  • Page 1352 Chapter 44 Working with Reports Managing Report Templates and Report Files FireSIGHT System User Guide 44-34
  • Page 1353: Searching for Events CHAPTER 45 Searching for Events Cisco appliances generate information that is stored as events...
  • Page 1354 Chapter 45 Searching for Events Performing and Saving Searches Note To search a custom table, follow a slightly different...
  • Page 1355 Chapter 45 Searching for Events Performing and Saving Searches • Searching for Hosts, page 38-23 • Searching for Intrusion Events,...
  • Page 1356 Chapter 45 Searching for Events Using Wildcards and Symbols in Searches • From any page on a workflow, click...
  • Page 1357 Chapter 45 Searching for Events Using Objects and Application Filters in Searches Using Objects and Application Filters in Searches License:...
  • Page 1358 Chapter 45 Searching for Events Specifying Ports in Searches When you use CIDR or prefix length notation to specify...
  • Page 1359 Chapter 45 Searching for Events Stopping Long-Running Queries Table 45-4 Port Syntax Examples Example Description 21 Returns all...
  • Page 1360 Chapter 45 Searching for Events Stopping Long-Running Queries To stop a query on the Defense Center: Access: admin or...
  • Page 1361: Using Custom Tables CHAPTER 46 Using Custom Tables As the FireSIGHT System collects information about your network,...
  • Page 1362 Chapter 46 Using Custom Tables Understanding Custom Tables Table 46-1 System-Defined Custom Tables Table Description Hosts with Servers Includes...
  • Page 1363 Chapter 46 Using Custom Tables Understanding Custom Tables Table 46-2 Custom Table Combinations (continued) You can combine fields from... With...
  • Page 1364 Chapter 46 Using Custom Tables Understanding Custom Tables Table 46-2 Custom Table Combinations (continued) You can combine fields from......
  • Page 1365 Chapter 46 Using Custom Tables Creating a Custom Table table based on the Intrusion Events table and the Hosts table,...
  • Page 1366 Chapter 46 Using Custom Tables Creating a Custom Table If you view the table view of events for this...
  • Page 1367 Chapter 46 Using Custom Tables Modifying a Custom Table The Custom Tables page appears. Step 2 Click Create Custom Table....
  • Page 1368 Chapter 46 Using Custom Tables Deleting a Custom Table The Edit Custom Table page appears. See Creating a Custom...
  • Page 1369 Chapter 46 Using Custom Tables Searching Custom Tables To view a workflow based on a custom table: Access: Any/Admin Step...
  • Page 1370 Chapter 46 Using Custom Tables Searching Custom Tables Table 46-3 Table Search Criteria (continued) For search criteria for... See......
  • Page 1371 Chapter 46 Using Custom Tables Searching Custom Tables Tip If you want to use the search as a data restriction...
  • Page 1372 Chapter 46 Using Custom Tables Searching Custom Tables FireSIGHT System User Guide 46-12
  • Page 1373: Understanding and Using Workflows CHAPTER 47 Understanding and Using Workflows A workflow is a tailored series of data...
  • Page 1374 Chapter 47 Understanding and Using Workflows Components of a Workflow By contrast, the table view of servers includes the...
  • Page 1375 Chapter 47 Understanding and Using Workflows Components of a Workflow • Predefined Indications of Compromise Workflows, page 47-9 • Predefined...
  • Page 1376 Chapter 47 Understanding and Using Workflows Components of a Workflow Predefined Intrusion Event Workflows License: Protection The following table...
  • Page 1377 Chapter 47 Understanding and Using Workflows Components of a Workflow Table 47-1 Predefined Intrusion Event Workflows (continued) Workflow Name...
  • Page 1378 Chapter 47 Understanding and Using Workflows Components of a Workflow Note that because neither the DC500 Series 2 Defense...
  • Page 1379 Chapter 47 Understanding and Using Workflows Components of a Workflow For information on accessing captured files, see Working with...
  • Page 1380 Chapter 47 Understanding and Using Workflows Components of a Workflow Table 47-5 Predefined Connection Data Workflows (continued) Workflow Name...
  • Page 1381 Chapter 47 Understanding and Using Workflows Components of a Workflow Table 47-7 Predefined Host Workflows Workflow Name Description Hosts...
  • Page 1382 Chapter 47 Understanding and Using Workflows Components of a Workflow Table 47-9 Predefined Applications Workflows Workflow Name Description Application...
  • Page 1383 Chapter 47 Understanding and Using Workflows Components of a Workflow Predefined Servers Workflows License: FireSIGHT The following table describes...
  • Page 1384 Chapter 47 Understanding and Using Workflows Components of a Workflow Table 47-13 Predefined Discovery Event Workflows Workflow Name Description...
  • Page 1385 Chapter 47 Understanding and Using Workflows Components of a Workflow Table 47-16 Predefined Third-Party Vulnerabilities Workflows Workflow Name Description Vulnerabilities...
  • Page 1386 Chapter 47 Understanding and Using Workflows Components of a Workflow Table 47-18 Additional Predefined Workflows Workflow Name Description Audit...
  • Page 1387 Chapter 47 Understanding and Using Workflows Using Workflows Table 47-19 Saved Custom Workflows (continued) Workflow Name Description Hosts with Servers...
  • Page 1388 Chapter 47 Understanding and Using Workflows Using Workflows • Using Compound Constraints, page 47-33 explains how compound constraints can...
  • Page 1389 Chapter 47 Understanding and Using Workflows Using Workflows Table 47-20 Features Using Workflows (continued) Feature Menu Path Option Vulnerability events...
  • Page 1390 Chapter 47 Understanding and Using Workflows Using Workflows Table 47-21 Workflow Toolbar Links Feature Description Bookmark This Page Bookmarks...
  • Page 1391 Chapter 47 Understanding and Using Workflows Using Workflows Table 47-22 Table View and Drill-Down Page Features Feature Description Click the...
  • Page 1392 Chapter 47 Understanding and Using Workflows Using Workflows Table 47-22 Table View and Drill-Down Page Features (continued) Feature Description...
  • Page 1393 Chapter 47 Understanding and Using Workflows Using Workflows You can use geolocation data (source and destination country/continent) as conditions for...
  • Page 1394 Chapter 47 Understanding and Using Workflows Using Workflows Tip In event views, hover your pointer over the flag icon...
  • Page 1395 Chapter 47 Understanding and Using Workflows Using Workflows Using the Host View, Packet View, or Vulnerability Detail Pages License: Any...
  • Page 1396 Chapter 47 Understanding and Using Workflows Using Workflows Changing the Time Window License: Any Regardless of the default time...
  • Page 1397 Chapter 47 Understanding and Using Workflows Using Workflows If you use a static time window, you can set an end...
  • Page 1398 Chapter 47 Understanding and Using Workflows Using Workflows If you choose to use a sliding time window, your options...
  • Page 1399 Chapter 47 Understanding and Using Workflows Using Workflows Table 47-25 Time Window Settings Setting Time Window Type Description time window...
  • Page 1400 Chapter 47 Understanding and Using Workflows Using Workflows Step 1 On a workflow constrained by time, click the time...
  • Page 1401 Chapter 47 Understanding and Using Workflows Using Workflows The following table explains the various settings you can configure on the...
  • Page 1402 Chapter 47 Understanding and Using Workflows Using Workflows To change time window preferences during event analysis: Access: Admin/Maint/Any Security...
  • Page 1403 Chapter 47 Understanding and Using Workflows Using Workflows The time window is unpaused and updates according to your preferences. The...
  • Page 1404 Chapter 47 Understanding and Using Workflows Using Workflows ...then the constrained page includes only the events with that IP...
  • Page 1405 Chapter 47 Understanding and Using Workflows Using Workflows Table 47-27 Search Constraint Functions (continued) To... Click... remove a constraint the...
  • Page 1406 Chapter 47 Understanding and Using Workflows Using Workflows To clear all compound constraints, click Compound Constraints. Sorting Table View...
  • Page 1407 Chapter 47 Understanding and Using Workflows Using Workflows Step 1 Click the column title. To reverse the sort order: Access:...
  • Page 1408 Chapter 47 Understanding and Using Workflows Using Workflows Table 47-29 Navigating Pages (continued) To... Click... jump to the last...
  • Page 1409 Chapter 47 Understanding and Using Workflows Using Workflows • correlation events • white list events This feature enhances your ability...
  • Page 1410 Chapter 47 Understanding and Using Workflows Using Workflows Creating Bookmarks License: Any Use the following procedure to create a...
  • Page 1411 Chapter 47 Understanding and Using Workflows Using Custom Workflows The Bookmarks page appears. Step 2 Click Delete next to the...
  • Page 1412 Chapter 47 Understanding and Using Workflows Using Custom Workflows The final page of a custom workflow depends on the...
  • Page 1413 Chapter 47 Understanding and Using Workflows Using Custom Workflows Note If you selected Vulnerabilities as the Table Type in step...
  • Page 1414 Chapter 47 Understanding and Using Workflows Using Custom Workflows • To add a drill-down page that contains connection summary...
  • Page 1415 Chapter 47 Understanding and Using Workflows Using Custom Workflows Viewing Custom Workflows for Predefined Tables License: Any Use the following...
  • Page 1416 Chapter 47 Understanding and Using Workflows Using Custom Workflows Step 1 Select Analysis > Custom > Custom Workflows. The...
  • Page 1417: Managing Users CHAPTER 48 Managing Users If your user account has Administrator access, you can...
  • Page 1418 Chapter 48 Managing Users Understanding Cisco User Authentication For users with either internal or external authentication, you can control...
  • Page 1419 Chapter 48 Managing Users Understanding Cisco User Authentication Understanding Internal Authentication License: Any By default, the FireSIGHT System uses internal...
  • Page 1420 Chapter 48 Managing Users Understanding Cisco User Authentication For more information on specific types of external authentication, see the...
  • Page 1421 Chapter 48 Managing Users Managing Authentication Objects • Maintenance Users can access monitoring functions (including health monitoring, host statistics, performance...
  • Page 1422 Chapter 48 Managing Users Managing Authentication Objects LDAP, or the Lightweight Directory Access Protocol, allows you to set up...
  • Page 1423 Chapter 48 Managing Users Managing Authentication Objects You can populate several fields using default values based on the server type...
  • Page 1424 Chapter 48 Managing Users Managing Authentication Objects Setting the User Name Template License: Any Selecting a user name template...
  • Page 1425 Chapter 48 Managing Users Managing Authentication Objects Using Group Membership to Manage Access License: Any If you prefer to base...
  • Page 1426 Chapter 48 Managing Users Managing Authentication Objects For the user name, you can enter the value for the uid...
  • Page 1427 Chapter 48 Managing Users Managing Authentication Objects Quick Start to LDAP Authentication License: Any You can set up an LDAP...
  • Page 1428 Chapter 48 Managing Users Managing Authentication Objects • If you are connecting to a Microsoft Active Directory Server, select...
  • Page 1429 Chapter 48 Managing Users Managing Authentication Objects For example, to test to see if you can retrieve the JSmith user...
  • Page 1430 Chapter 48 Managing Users Managing Authentication Objects • If you used server type defaults, check that you have the...
  • Page 1431 Chapter 48 Managing Users Managing Authentication Objects When you create an authentication object, you define settings that let you connect...
  • Page 1432 Chapter 48 Managing Users Managing Authentication Objects Identifying the LDAP Authentication Server License: Any When you create an authentication...
  • Page 1433 Chapter 48 Managing Users Managing Authentication Objects Configuring LDAP-Specific Parameters License: Any The settings in the LDAP-specific parameters section determine...
  • Page 1434 Chapter 48 Managing Users Managing Authentication Objects Table 48-2 LDAP-Specific Parameters (continued) Setting Description Example Encryption Determines whether and...
  • Page 1435 Chapter 48 Managing Users Managing Authentication Objects Table 48-2 LDAP-Specific Parameters (continued) Setting Description Example UI Access Tells the local...
  • Page 1436 Chapter 48 Managing Users Managing Authentication Objects Step 4 Retype the password in the Confirm Password field. Step 5...
  • Page 1437 Chapter 48 Managing Users Managing Authentication Objects For example, on a Microsoft Active Directory Server, use the sAMAccountName shell access...
  • Page 1438 Chapter 48 Managing Users Managing Authentication Objects To configure default roles based on group membership: Access: Admin Step 1...
  • Page 1439 Chapter 48 Managing Users Managing Authentication Objects Note that a home directory for each shell user is created on login,...
  • Page 1440 Chapter 48 Managing Users Managing Authentication Objects The test output lists valid and invalid user names. Valid user names...
  • Page 1441 Chapter 48 Managing Users Managing Authentication Objects FireSIGHT System User Guide 48-25
  • Page 1442 Chapter 48 Managing Users Managing Authentication Objects This example shows a connection using a base distinguished name of OU=security,DC=it,DC=example,DC=com...
  • Page 1443 Chapter 48 Managing Users Managing Authentication Objects The connection to the server is encrypted using SSL and a certificate named...
  • Page 1444 Chapter 48 Managing Users Managing Authentication Objects The shell access filter is set to be the same as the...
  • Page 1445 Chapter 48 Managing Users Managing Authentication Objects Editing LDAP Authentication Objects License: Any You can edit an existing authentication object....
  • Page 1446 Chapter 48 Managing Users Managing Authentication Objects The Remote Authentication Dial In User Service (RADIUS) is an authentication protocol...
  • Page 1447 Chapter 48 Managing Users Managing Authentication Objects Step 5 Set the default user role. Optionally, specify the users or user...
  • Page 1448 Chapter 48 Managing Users Managing Authentication Objects Step 4 Select RADIUS from the Authentication Method drop-down list. RADIUS configuration...
  • Page 1449 Chapter 48 Managing Users Managing Authentication Objects • If specific access settings are not configured for a user and a...
  • Page 1450 Chapter 48 Managing Users Managing Authentication Objects Configuring Administrative Shell Access License: Any You can also use the RADIUS...
  • Page 1451 Chapter 48 Managing Users Managing Authentication Objects If your RADIUS server returns values for attributes not included in the dictionary...
  • Page 1452 Chapter 48 Managing Users Managing Authentication Objects Tip If you mistype the name or password of the test user,...
  • Page 1453 Chapter 48 Managing Users Managing Authentication Objects • The user jausten is granted Security Analyst access to FireSIGHT System appliances...
  • Page 1454 Chapter 48 Managing Users Managing Authentication Objects You can use an attribute-value pair to identify users who should receive...
  • Page 1455 Chapter 48 Managing Users Managing Authentication Objects FireSIGHT System User Guide 48-39
  • Page 1456 Chapter 48 Managing Users Managing Authentication Objects Editing RADIUS Authentication Objects License: Any You can edit an existing authentication...
  • Page 1457 Chapter 48 Managing Users Managing User Accounts Step 3 Click the delete icon ( ) next to the object you...
  • Page 1458 Chapter 48 Managing Users Managing User Accounts Step 1 Select System > Local > User Management. The User Management...
  • Page 1459 Chapter 48 Managing Users Managing User Accounts If you enable password strength checking, the password must be at least eight...
  • Page 1460 Chapter 48 Managing Users Managing User Accounts Table 48-3 Basic Command Line Commands configure password interfaces end lcd exit...
  • Page 1461 Chapter 48 Managing Users Managing User Accounts Managing Externally Authenticated User Accounts License: Any When an externally authenticated user logs...
  • Page 1462 Chapter 48 Managing Users Managing User Accounts You can control how and when the password for each user account...
  • Page 1463 Chapter 48 Managing Users Managing User Accounts Configuring User Roles License: Any Each FireSIGHT System user has an associated user...
  • Page 1464 Chapter 48 Managing Users Managing User Accounts Table 48-5 Predefined User Roles User Role Privileges Access Admin Provides access...
  • Page 1465 Chapter 48 Managing Users Managing User Accounts Note that externally authenticated users, if assigned no other roles, have minimum access...
  • Page 1466 Chapter 48 Managing Users Managing User Accounts grants access to the Correlation Events page, while the Modify Correlation Events...
  • Page 1467 Chapter 48 Managing Users Managing User Accounts When you select an unselected permission, all of its children are selected, and...
  • Page 1468 Chapter 48 Managing Users Managing User Accounts Step 1 Select System > Local > User Management. The User Management...
  • Page 1469 Chapter 48 Managing Users Managing User Accounts Understanding Restricted User Access Properties License: Any You can restrict the data that...
  • Page 1470 Chapter 48 Managing Users Managing User Accounts Deleting User Accounts License: Any You can delete user accounts from the...
  • Page 1471 Chapter 48 Managing Users Managing User Accounts The following table lists, in order, the user role privileges required to access...
  • Page 1472 Chapter 48 Managing Users Managing User Accounts The following table lists, in order, the user role privileges required to...
  • Page 1473 Chapter 48 Managing Users Managing User Accounts Table 48-7 Analysis Menu (continued) Discovery Security Security Menu Admin Admin Maint User...
  • Page 1474 Chapter 48 Managing Users Managing User Accounts Table 48-7 Analysis Menu (continued) Discovery Security Security Menu Admin Admin Maint...
  • Page 1475 Chapter 48 Managing Users Managing User Accounts Table 48-8 Policies Menu (continued) Access Discovery Intrusion Network Security Menu Admin Admin...
  • Page 1476 Chapter 48 Managing Users Managing User Accounts Table 48-9 Devices Menu Menu Admin Network Admin Device Management yes yes...
  • Page 1477 Chapter 48 Managing Users Managing User Accounts System Menu License: Any The following table lists, in order, the user role...
  • Page 1478 Chapter 48 Managing Users Managing User Role Escalation Table 48-11 System Menu (continued) Maint Network Security Security Menu Admin...
  • Page 1479 Chapter 48 Managing Users Managing User Role Escalation The User Management page appears. Step 2 Click User Roles. The User...
  • Page 1480 Chapter 48 Managing Users Configuring Single Sign-on from Cisco Security Manager • If you want users with this role...
  • Page 1481 Chapter 48 Managing Users Configuring Single Sign-on from Cisco Security Manager to modify the policies applied to the FirePOWER module...
  • Page 1482 Chapter 48 Managing Users Configuring Single Sign-on from Cisco Security Manager FireSIGHT System User Guide 48-66
  • Page 1483: Scheduling Tasks CHAPTER 49 Scheduling Tasks You can schedule many different types of administrative tasks to...
  • Page 1484 Chapter 49 Scheduling Tasks Configuring a Recurring Task Configuring a Recurring Task License: Any You set the frequency for...
  • Page 1485 Chapter 49 Scheduling Tasks Automating Backup Jobs – Automating Certificate Revocation List Downloads, page 49-4 – Automating Nmap Scans, page...
  • Page 1486 Chapter 49 Scheduling Tasks Automating Certificate Revocation List Downloads Step 8 Optionally, in the Email Status To: field, type...
  • Page 1487 Chapter 49 Scheduling Tasks Automating Nmap Scans You must have a valid email relay server configured on the Defense Center...
  • Page 1488 Chapter 49 Scheduling Tasks Automating Applying an Intrusion Policy operating systems, applications, or servers up to date. If the...
  • Page 1489 Chapter 49 Scheduling Tasks Automating Applying an Intrusion Policy You must associate an intrusion policy with an access control policy...
  • Page 1490 Chapter 49 Scheduling Tasks Automating Reports You must have a valid email relay server configured to send status messages....
  • Page 1491 Chapter 49 Scheduling Tasks Automating Geolocation Database Updates Step 8 Optionally, in the Email Status To: field, type the email...
  • Page 1492 Chapter 49 Scheduling Tasks Automating FireSIGHT Recommendations Automating FireSIGHT Recommendations License: Protection You can automatically generate rule state recommendations...
  • Page 1493 Chapter 49 Scheduling Tasks Automating Software Updates Tip The comment field appears in the View Tasks section of the page,...
  • Page 1494 Chapter 49 Scheduling Tasks Automating Software Updates Always allow enough time between tasks for the process to complete. Tasks...
  • Page 1495 Chapter 49 Scheduling Tasks Automating Software Updates You must have a valid email relay server configured to send status messages....
  • Page 1496 Chapter 49 Scheduling Tasks Automating Software Updates You must have a valid email relay server configured to send status...
  • Page 1497 Chapter 49 Scheduling Tasks Automating Vulnerability Database Updates Step 9 Optionally, in the Email Status To: field, type the email...
  • Page 1498 Chapter 49 Scheduling Tasks Automating Vulnerability Database Updates Automating VDB Update Downloads License: FireSIGHT You can create a scheduled...
  • Page 1499 Chapter 49 Scheduling Tasks Automating URL Filtering Updates Note Installing a VDB update causes a short pause in traffic flow...
  • Page 1500 Chapter 49 Scheduling Tasks Automating URL Filtering Updates You can use the scheduler to automate updates of URL filtering...
  • Page 1501 Chapter 49 Scheduling Tasks Viewing Tasks Viewing Tasks License: Any After adding scheduled tasks, you can view them and evaluate...
  • Page 1502 Chapter 49 Scheduling Tasks Editing Scheduled Tasks Table 49-1 Task List Columns Column Description Name Displays the name of...
  • Page 1503 Chapter 49 Scheduling Tasks Deleting Scheduled Tasks • Automating Software Updates, page 49-11 • Automating Vulnerability Database Updates, page 49-15...
  • Page 1504 Chapter 49 Scheduling Tasks Deleting Scheduled Tasks To delete a single task or, if it has already run, delete...
  • Page 1505: Managing System Policies CHAPTER 50 Managing System Policies A system policy allows you to manage the following...
  • Page 1506 Chapter 50 Managing System Policies Creating a System Policy Note You cannot apply a system policy to Sourcefire Software...
  • Page 1507 Chapter 50 Managing System Policies Editing a System Policy • Configuring a Mail Relay Host and Notification Address, page 50-17...
  • Page 1508 Chapter 50 Managing System Policies Applying a System Policy • Configuring SNMP Polling, page 50-21 • Synchronizing Time, page...
  • Page 1509 Chapter 50 Managing System Policies Applying a System Policy You can compare two system policies or two revisions of the...
  • Page 1510 Chapter 50 Managing System Policies Applying a System Policy Using the System Policy Comparison Report License: Any A system...
  • Page 1511 Chapter 50 Managing System Policies Deleting System Policies The system policy comparison report appears. Depending on your browser settings, the...
  • Page 1512 Chapter 50 Managing System Policies Configuring a System Policy Configuring Access Control Policy Preferences License: Protection You can configure...
  • Page 1513 Chapter 50 Managing System Policies Configuring a System Policy The Access List page allows you to control which computers can...
  • Page 1514 Chapter 50 Managing System Policies Configuring a System Policy Step 6 Select SSH, HTTPS, SNMP, or a combination of...
  • Page 1515 Chapter 50 Managing System Policies Configuring a System Policy The Audit Log Settings page appears. Step 4 Select Enabled from...
  • Page 1516 Chapter 50 Managing System Policies Configuring a System Policy When you apply a system policy with authentication enabled to...
  • Page 1517 Chapter 50 Managing System Policies Configuring a System Policy Step 1 Select System > Local > System Policy. The System...
  • Page 1518 Chapter 50 Managing System Policies Configuring a System Policy Step 2 You have the following options: • To modify...
  • Page 1519 Chapter 50 Managing System Policies Configuring a System Policy Table 50-2 Database Event Limits (continued) Event Type Upper Event Limit...
  • Page 1520 Chapter 50 Managing System Policies Configuring a System Policy The Database page appears. Step 4 For each of the...
  • Page 1521 Chapter 50 Managing System Policies Configuring a System Policy Note DNS resolution caching is a system-wide setting that allows the...
  • Page 1522 Chapter 50 Managing System Policies Configuring a System Policy • To configure the email settings as part of a...
  • Page 1523 Chapter 50 Managing System Policies Configuring a System Policy To configure the intrusion policy comment settings: Access: Admin Step 1...
  • Page 1524 Chapter 50 Managing System Policies Configuring a System Policy • To modify the language settings in an existing system...
  • Page 1525 Chapter 50 Managing System Policies Configuring a System Policy Configuring SNMP Polling License: Any You can enable Simple Network Management...
  • Page 1526 Chapter 50 Managing System Policies Configuring a System Policy Step 7 Enter a username in the Username field. Step...
  • Page 1527 Chapter 50 Managing System Policies Configuring a System Policy Caution You cannot disable this setting without assistance from Support. In...
  • Page 1528 Chapter 50 Managing System Policies Configuring a System Policy Time settings are part of the system policy. You can...
  • Page 1529 Chapter 50 Managing System Policies Configuring a System Policy • To receive time through NTP from a different server, select...
  • Page 1530 Chapter 50 Managing System Policies Configuring a System Policy Step 1 Select System > Local > System Policy. The...
  • Page 1531 Chapter 50 Managing System Policies Configuring a System Policy To configure user interface settings: Access: Admin Step 1 Select System...
  • Page 1532 Chapter 50 Managing System Policies Configuring a System Policy For example, a host serves SMTP traffic that does not...
  • Page 1533: Configuring Appliance Settings CHAPTER 51 Configuring Appliance Settings A FireSIGHT System appliance’s local configuration (System > Local...
  • Page 1534 Chapter 51 Configuring Appliance Settings Viewing and Modifying the Appliance Information Table 51-1 Local Configuration Options (continued) Option Description...
  • Page 1535 Chapter 51 Configuring Appliance Settings Using Custom HTTPS Certificates Table 51-2 Appliance Information (continued) Field Description Current Policies The appliance-level...
  • Page 1536 Chapter 51 Configuring Appliance Settings Using Custom HTTPS Certificates Table 51-3 HTTPS Server Certificate Information Field Description Subject For...
  • Page 1537 Chapter 51 Configuring Appliance Settings Using Custom HTTPS Certificates Step 3 Click Generate New CSR. The Generate Certificate Signing Request...
  • Page 1538 Chapter 51 Configuring Appliance Settings Using Custom HTTPS Certificates Step 6 Open any intermediate certificates you need to provide,...
  • Page 1539 Chapter 51 Configuring Appliance Settings Enabling Access to the Database Step 6 Verify that you have a valid user certificate...
  • Page 1540 Chapter 51 Configuring Appliance Settings Configuring Network Settings The Information page appears. Step 2 Click Database. The Database Settings...
  • Page 1541 Chapter 51 Configuring Appliance Settings Configuring Network Settings Note You must use command-line tools to modify network and proxy settings...
  • Page 1542 Chapter 51 Configuring Appliance Settings Editing Management Interface Configurations Step 1 Select System > Local > Configuration to display...
  • Page 1543 Chapter 51 Configuring Appliance Settings Shutting Down and Restarting the System Caution Do not modify the settings for the management...
  • Page 1544 Chapter 51 Configuring Appliance Settings Setting the Time Manually Caution Do not shut off appliances using the power button;...
  • Page 1545 Chapter 51 Configuring Appliance Settings Setting the Time Manually Table 51-4 NTP Status Column Description NTP Server The IP address...
  • Page 1546 Chapter 51 Configuring Appliance Settings Managing Remote Storage A pop-up window appears. Step 6 From the left list, select...
  • Page 1547 Chapter 51 Configuring Appliance Settings Managing Remote Storage To store backups and reports locally: Access: Admin Step 1 Select System...
  • Page 1548 Chapter 51 Configuring Appliance Settings Managing Remote Storage Step 7 Optionally, click Test. The test ensures that the Defense...
  • Page 1549 Chapter 51 Configuring Appliance Settings Managing Remote Storage Step 8 Click Save. Your remote storage configuration is saved. Using SMB...
  • Page 1550 Chapter 51 Configuring Appliance Settings Understanding Change Reconciliation • Enter the user name for the storage system in the...
  • Page 1551 Chapter 51 Configuring Appliance Settings Understanding Change Reconciliation You can view changes made during the previous 24 hours. However, to...
  • Page 1552 Chapter 51 Configuring Appliance Settings Managing Remote Console Access Note This option is not available on managed devices. Step...
  • Page 1553 Chapter 51 Configuring Appliance Settings Managing Remote Console Access Note Before you can connect to a Series 3 device using...
  • Page 1554 Chapter 51 Configuring Appliance Settings Managing Remote Console Access Supported Devices: Series 3 Supported Defense Centers: Series 3 You...
  • Page 1555 Chapter 51 Configuring Appliance Settings Managing Remote Console Access You use a third-party IPMI utility on your computer to create...
  • Page 1556 Chapter 51 Configuring Appliance Settings Managing Remote Console Access ipmitool -I lanplus -H IP_address -U user_name sol activate Note...
  • Page 1557 Chapter 51 Configuring Appliance Settings Enabling Cloud Communications Table 51-6 Lights-Out Management Commands IPMItool IPMIutil Description (not applicable)...
  • Page 1558 Chapter 51 Configuring Appliance Settings Enabling Cloud Communications Supported Defense Centers: Any except DC500 The FireSIGHT System contacts the...
  • Page 1559 Chapter 51 Configuring Appliance Settings Enabling Cloud Communications Use legacy port 32137 for network AMP lookups Selecting this check box...
  • Page 1560 Chapter 51 Configuring Appliance Settings Enabling Cloud Communications The following procedures explain how to enable communications the Cisco cloud,...
  • Page 1561: Licensing the FireSIGHT System CHAPTER 52 Licensing the FireSIGHT System You can license a variety of features to...
  • Page 1562 Chapter 52 Licensing the FireSIGHT System Understanding Licensing • License Types and Restrictions, page 52-2 • Licensing High Availability...
  • Page 1563 Chapter 52 Licensing the FireSIGHT System Understanding Licensing Table 52-1 FireSIGHT System Licenses (continued) License Platforms Granted Capabilities Requires URL...
  • Page 1564 Chapter 52 Licensing the FireSIGHT System Understanding Licensing RNA Host and RUA User License: Custom In Version 4.10.x of...
  • Page 1565 Chapter 52 Licensing the FireSIGHT System Understanding Licensing • File control allows you to detect and, optionally, block users from...
  • Page 1566 Chapter 52 Licensing the FireSIGHT System Understanding Licensing Further, you cannot apply a device configuration that includes switching or...
  • Page 1567 Chapter 52 Licensing the FireSIGHT System Understanding Licensing and Spero analysis to determine whether they contain malware. The Malware license...
  • Page 1568 Chapter 52 Licensing the FireSIGHT System Understanding Licensing Licensing Stacked and Clustered Devices License: Any Supported Devices: feature dependent...
  • Page 1569 Chapter 52 Licensing the FireSIGHT System Understanding Licensing Table 52-2 FireSIGHT Limits by Defense Center Model (continued) Defense Center Model...
  • Page 1570 Chapter 52 Licensing the FireSIGHT System Understanding Licensing To help you track your host license use, the FireSIGHT Host...
  • Page 1571 Chapter 52 Licensing the FireSIGHT System Viewing Your Licenses You must make sure the total number of users in the...
  • Page 1572 Chapter 52 Licensing the FireSIGHT System Deleting a License Note If you add licenses after a backup has completed,...
  • Page 1573 Chapter 52 Licensing the FireSIGHT System Changing a Device’s Licensed Capabilities The Licenses page appears. Step 2 Next to the...
  • Page 1574 Chapter 52 Licensing the FireSIGHT System Changing a Device’s Licensed Capabilities The changes are saved but do not take...
  • Page 1575: Updating System Software CHAPTER 53 Updating System Software Cisco electronically distributes several different types of updates, including...
  • Page 1576 Chapter 53 Updating System Software Performing Software Updates Table 53-1 FireSIGHT System Update Types Update Type Description Schedule? Uninstall?...
  • Page 1577 Chapter 53 Updating System Software Performing Software Updates • Monitoring the Status of Major Updates, page 53-10 Planning for the...
  • Page 1578 Chapter 53 Updating System Software Performing Software Updates Order of Update You must update your Defense Centers before you...
  • Page 1579 Chapter 53 Updating System Software Performing Software Updates Updating Paired Defense Centers When you begin to update one Defense Center...
  • Page 1580 Chapter 53 Updating System Software Performing Software Updates To prevent you from using an appliance during a major update,...
  • Page 1581 Chapter 53 Updating System Software Performing Software Updates For major updates, updating the Defense Center removes uninstallers for previous updates....
  • Page 1582 Chapter 53 Updating System Software Performing Software Updates • For minor updates, you can monitor the update's progress in...
  • Page 1583 Chapter 53 Updating System Software Performing Software Updates • Sourcefire: (https://support.sourcefire.com/) • Cisco: (http://www.cisco.com/cisco/web/support/index.html) Next, install the software. Note Traffic...
  • Page 1584 Chapter 53 Updating System Software Performing Software Updates The update process begins. Depending on the size of the file,...
  • Page 1585 Chapter 53 Updating System Software Uninstalling Software Updates Caution If you encounter any other issue with the update (for example,...
  • Page 1586 Chapter 53 Updating System Software Uninstalling Software Updates To ensure continuity of operations, uninstall the update from clustered devices...
  • Page 1587 Chapter 53 Updating System Software Updating the Vulnerability Database Step 4 Clear your browser cache and force a reload of...
  • Page 1588 Chapter 53 Updating System Software Importing Rule Updates and Local Rule Files – Cisco: (http://www.cisco.com/cisco/web/support/index.html) • If your Defense...
  • Page 1589 Chapter 53 Updating System Software Importing Rule Updates and Local Rule Files Rule updates may also change the default state...
  • Page 1590 Chapter 53 Updating System Software Importing Rule Updates and Local Rule Files Using Manual One-Time Rule Updates License: Any...
  • Page 1591 Chapter 53 Updating System Software Importing Rule Updates and Local Rule Files If you did not select Reapply intrusion policies...
  • Page 1592 Chapter 53 Updating System Software Importing Rule Updates and Local Rule Files Using Recurring Rule Updates License: Any You...
  • Page 1593 Chapter 53 Updating System Software Importing Rule Updates and Local Rule Files The rule update is installed at the scheduled...
  • Page 1594 Chapter 53 Updating System Software Importing Rule Updates and Local Rule Files • You can reinstate a local rule...
  • Page 1595 Chapter 53 Updating System Software Importing Rule Updates and Local Rule Files Note Managed devices do not use the new...
  • Page 1596 Chapter 53 Updating System Software Importing Rule Updates and Local Rule Files Tip You can also click Import Rules...
  • Page 1597 Chapter 53 Updating System Software Importing Rule Updates and Local Rule Files Table 53-4 Rule Update Import Log Detailed View...
  • Page 1598 Chapter 53 Updating System Software Importing Rule Updates and Local Rule Files Table 53-5 Rule Update Import Log Detailed...
  • Page 1599 Chapter 53 Updating System Software Importing Rule Updates and Local Rule Files You can search the import log for specific...
  • Page 1600 Chapter 53 Updating System Software Updating the Geolocation Database Step 2 From the Table drop-down list, select Rule Update...
  • Page 1601 Chapter 53 Updating System Software Updating the Geolocation Database This section explains how to plan for and perform manual GeoDB...
  • Page 1602 Chapter 53 Updating System Software Updating the Geolocation Database FireSIGHT System User Guide 53-28
  • Page 1603: Monitoring the System CHAPTER 54 Monitoring the System The FireSIGHT System provides many useful monitoring features to...
  • Page 1604 Chapter 54 Monitoring the System Viewing Host Statistics • general host statistics; see the Host Statistics table for details...
  • Page 1605 Chapter 54 Monitoring the System Monitoring System Status and Disk Space Usage Table 54-2 Data Correlator Process Statistics (continued) Category...
  • Page 1606 Chapter 54 Monitoring the System Viewing System Process Status The Disk Usage section of the Statistics page provides a...
  • Page 1607 Chapter 54 Monitoring the System Viewing System Process Status Table 54-4 Process Status Column Description Pid The process ID number...
  • Page 1608 Chapter 54 Monitoring the System Understanding Running Processes • nice usage percentage (CPU usage of processes that have a...
  • Page 1609 Chapter 54 Monitoring the System Understanding Running Processes Daemons continually run on an appliance. They ensure that services are available...
  • Page 1610 Chapter 54 Monitoring the System Understanding Running Processes Table 54-5 System Daemons (continued) Daemon Description sftunnel Provides the secure...
  • Page 1611 Chapter 54 Monitoring the System Understanding Running Processes Table 54-6 System Executables and Utilities (continued) Executable Description kill Utility that...
  • Page 1612 Chapter 54 Monitoring the System Understanding Running Processes FireSIGHT System User Guide 54-10
  • Page 1613: Using Health Monitoring CHAPTER 55 Using Health Monitoring The health monitor provides numerous tests for determining the...
  • Page 1614 Chapter 55 Using Health Monitoring Understanding Health Monitoring You can use the health monitor to check the status of...
  • Page 1615 Chapter 55 Using Health Monitoring Understanding Health Monitoring a health policy to that device. For more information on the Cisco-provided...
  • Page 1616 Chapter 55 Using Health Monitoring Understanding Health Monitoring Table 55-1 Health Modules (continued) Module Description Discovery Event Status This...
  • Page 1617 Chapter 55 Using Health Monitoring Understanding Health Monitoring Table 55-1 Health Modules (continued) Module Description Power Supply This module determines...
  • Page 1618 Chapter 55 Using Health Monitoring Configuring Health Policies Understanding Health Monitoring Configuration License: Any There are several steps to...
  • Page 1619 Chapter 55 Using Health Monitoring Configuring Health Policies For more information on the default health policy, which is applied to...
  • Page 1620 Chapter 55 Using Health Monitoring Configuring Health Policies Table 55-2 Default Active Health Modules (continued) Defense Managed Module Center...
  • Page 1621 Chapter 55 Using Health Monitoring Configuring Health Policies Step 5 Enter a description for the policy. Step 6 Select Save...
  • Page 1622 Chapter 55 Using Health Monitoring Configuring Health Policies You must apply the policy to each appliance for it to...
  • Page 1623 Chapter 55 Using Health Monitoring Configuring Health Policies Step 2 Select On for the Enabled option to enable use of...
  • Page 1624 Chapter 55 Using Health Monitoring Configuring Health Policies For more information on automatic application bypass, see Automatic Application Bypass,...
  • Page 1625 Chapter 55 Using Health Monitoring Configuring Health Policies • To return to the Health Policy page without saving any of...
  • Page 1626 Chapter 55 Using Health Monitoring Configuring Health Policies To configure Discovery Event Status module settings: Access: Admin/Maint Step 1...
  • Page 1627 Chapter 55 Using Health Monitoring Configuring Health Policies You must apply the health policy to the appropriate devices if you...
  • Page 1628 Chapter 55 Using Health Monitoring Configuring Health Policies You must apply the health policy to the appropriate appliances if...
  • Page 1629 Chapter 55 Using Health Monitoring Configuring Health Policies Step 1 In the Health Policy Configuration page, select FireSIGHT Host License...
  • Page 1630 Chapter 55 Using Health Monitoring Configuring Health Policies You must apply the health policy to the appropriate devices if...
  • Page 1631 Chapter 55 Using Health Monitoring Configuring Health Policies Configuring Inline Link Mismatch Alarm Monitoring License: Any Use the Inline Link...
  • Page 1632 Chapter 55 Using Health Monitoring Configuring Health Policies The Health Policy Configuration — Intrusion Event Rate page appears. Step...
  • Page 1633 Chapter 55 Using Health Monitoring Configuring Health Policies • To save your changes to this module and return to the...
  • Page 1634 Chapter 55 Using Health Monitoring Configuring Health Policies • To return to the Health Policy page without saving any...
  • Page 1635 Chapter 55 Using Health Monitoring Configuring Health Policies • If a process is deliberately exited outside of the process manager,...
  • Page 1636 Chapter 55 Using Health Monitoring Configuring Health Policies • To return to the Health Policy page without saving any...
  • Page 1637 Chapter 55 Using Health Monitoring Configuring Health Policies Configuring Time Series Data Monitoring License: Any Use the Time Series Data...
  • Page 1638 Chapter 55 Using Health Monitoring Configuring Health Policies You must apply the health policy to the appropriate devices if...
  • Page 1639 Chapter 55 Using Health Monitoring Configuring Health Policies The URL Filtering Monitor module also tracks communications between the Defense Center...
  • Page 1640 Chapter 55 Using Health Monitoring Configuring Health Policies You must apply the health policy to the Defense Center if...
  • Page 1641 Chapter 55 Using Health Monitoring Configuring Health Policies Note Custom health policies created on Defense Centers in a high availability...
  • Page 1642 Chapter 55 Using Health Monitoring Configuring Health Policies Table 55-3 Health Modules Applicable to Appliances (continued) Module Applicable Appliance...
  • Page 1643 Chapter 55 Using Health Monitoring Configuring Health Policies • Configuring Discovery Event Status Monitoring, page 55-13 • Configuring Disk Status...
  • Page 1644 Chapter 55 Using Health Monitoring Configuring Health Policies There are two tools you can use to compare health policies...
  • Page 1645 Chapter 55 Using Health Monitoring Configuring Health Policies A health policy comparison report is a record of all differences between...
  • Page 1646 Chapter 55 Using Health Monitoring Using the Health Monitor Blacklist The health policy report appears. Depending on your browser...
  • Page 1647 Chapter 55 Using Health Monitoring Using the Health Monitor Blacklist To temporarily disable health events from an appliance, go to...
  • Page 1648 Chapter 55 Using Health Monitoring Using the Health Monitor Blacklist modules on an appliance, see Blacklisting a Health Policy...
  • Page 1649 Chapter 55 Using Health Monitoring Configuring Health Monitor Alerts When any part of a module is blacklisted, the line for...
  • Page 1650 Chapter 55 Using Health Monitoring Configuring Health Monitor Alerts When you create a health monitor alert, you create an...
  • Page 1651 Chapter 55 Using Health Monitoring Configuring Health Monitor Alerts For more information on health alert severity levels, see the following...
  • Page 1652 Chapter 55 Using Health Monitoring Using the Health Monitor To delete health monitor alerts: Access: Admin Step 1 Select...
  • Page 1653 Chapter 55 Using Health Monitoring Using Appliance Health Monitors Available status categories, by severity, include Error, Critical, Warning, Normal, Recovered,...
  • Page 1654 Chapter 55 Using Health Monitoring Using Appliance Health Monitors Step 3 In the Appliance column of the appliance list,...
  • Page 1655 Chapter 55 Using Health Monitoring Using Appliance Health Monitors To run all health modules for the appliance: Access: Admin/Maint/Any Security...
  • Page 1656 Chapter 55 Using Health Monitoring Using Appliance Health Monitors Step 4 In the Module Status Summary graph of the...
  • Page 1657 Chapter 55 Using Health Monitoring Using Appliance Health Monitors Using the Health Monitor to Troubleshoot License: Any In some cases,...
  • Page 1658 Chapter 55 Using Health Monitoring Working with Health Events Tip If the arrow in the row for a status...
  • Page 1659 Chapter 55 Using Health Monitoring Working with Health Events Many functions that you can perform on the health event view...
  • Page 1660 Chapter 55 Using Health Monitoring Working with Health Events When you access health events from the Health Monitor page...
  • Page 1661 Chapter 55 Using Health Monitoring Working with Health Events If no events appear, you may need to adjust the time...
  • Page 1662 Chapter 55 Using Health Monitoring Working with Health Events Table 55-8 Health Event View Functions (continued) To... You can......
  • Page 1663 Chapter 55 Using Health Monitoring Working with Health Events Table 55-9 Conditions Monitored for 3D9900 Devices (continued) Condition Monitored Causes...
  • Page 1664 Chapter 55 Using Health Monitoring Working with Health Events Table 55-10 Conditions Monitored for Series 3 Devices (continued) Condition...
  • Page 1665 Chapter 55 Using Health Monitoring Working with Health Events The fields in the health events table are described in the...
  • Page 1666 Chapter 55 Using Health Monitoring Working with Health Events You can search for specific health events. You may want...
  • Page 1667 Chapter 55 Using Health Monitoring Working with Health Events Tip If you want to use the search as a data...
  • Page 1668 Chapter 55 Using Health Monitoring Working with Health Events FireSIGHT System User Guide 55-56
  • Page 1669: Auditing the System CHAPTER 56 Auditing the System You can audit activity on your system in two...
  • Page 1670 Chapter 56 Auditing the System Managing Audit Records Viewing Audit Records License: Any You can use the appliance to...
  • Page 1671 Chapter 56 Auditing the System Managing Audit Records Table 56-1 Audit Log Actions (continued) To... You can... constraining on a...
  • Page 1672 Chapter 56 Auditing the System Managing Audit Records You can change the layout of the event view or constrain...
  • Page 1673 Chapter 56 Auditing the System Managing Audit Records Table 56-2 Audit Block Types Type Description Address Create a file named...
  • Page 1674 Chapter 56 Auditing the System Managing Audit Records Table 56-3 Subsystem Names (continued) Name Includes user interactions with... Events...
  • Page 1675 Chapter 56 Auditing the System Managing Audit Records Table 56-3 Subsystem Names (continued) Name Includes user interactions with... Task Queue...
  • Page 1676 Chapter 56 Auditing the System Managing Audit Records Differences between the two configurations are highlighted: • Blue indicates that...
  • Page 1677 Chapter 56 Auditing the System Managing Audit Records Table 56-5 Audit Record Search Criteria (continued) Search Field Description Example Time...
  • Page 1678 Chapter 56 Auditing the System Viewing the System Log • Click Save if you are modifying an existing search...
  • Page 1679 Chapter 56 Auditing the System Viewing the System Log Caution The System Log page does not allow the use...
  • Page 1680 Chapter 56 Auditing the System Viewing the System Log Note Only Grep-compatible search syntax is supported. For example, you...
  • Page 1681: Using Backup and Restore CHAPTER 57 Using Backup and Restore Backup and restoration is an essential part of...
  • Page 1682 Chapter 57 Using Backup and Restore Creating Backup Files • See Restoring the Appliance from a Backup File, page...
  • Page 1683 Chapter 57 Using Backup and Restore Creating Backup Profiles Step 3 In the Name field, type a name for the...
  • Page 1684 Chapter 57 Using Backup and Restore Backing up Your Managed Devices with a Defense Center You can use the...
  • Page 1685 Chapter 57 Using Backup and Restore Uploading Backups from a Local Host The Backup Management page appears. Step 2 Click...
  • Page 1686 Chapter 57 Using Backup and Restore Restoring the Appliance from a Backup File The backup file is uploaded and...
  • Page 1687 Chapter 57 Using Backup and Restore Restoring the Appliance from a Backup File Table 57-1 Backup Management (continued) Functionality Description...
  • Page 1688 Chapter 57 Using Backup and Restore Restoring the Appliance from a Backup File FireSIGHT System User Guide 57-8
  • Page 1689: Specifying User Preferences CHAPTER 58 Specifying User Preferences You can configure the preferences that are tied to...
  • Page 1690 Chapter 58 Specifying User Preferences Specifying Your Home Page Step 1 From the drop-down list under your user name,...
  • Page 1691 Chapter 58 Specifying User Preferences Configuring Event View Settings Step 2 Click Home Page. The Home Page page appears. Step...
  • Page 1692 Chapter 58 Specifying User Preferences Configuring Event View Settings Use the Event Preferences section of the Event View Settings...
  • Page 1693 Chapter 58 Specifying User Preferences Configuring Event View Settings • The Show Zip File Password check box toggles displaying plain...
  • Page 1694 Chapter 58 Specifying User Preferences Configuring Event View Settings • The Show the Last - Sliding option allows you...
  • Page 1695 Chapter 58 Specifying User Preferences Setting Your Default Time Zone The appliance is configured with a default workflow for each...
  • Page 1696 Chapter 58 Specifying User Preferences Specifying Your Default Dashboard You can specify one of the dashboards on the appliance...
  • Page 1697: Importing and Exporting Configurations APPENDIX A Importing and Exporting Configurations You can use the Import/Export feature...
  • Page 1698 Appendix A Importing and Exporting Configurations Exporting Configurations You can export a single configuration, or you can export a...
  • Page 1699 Appendix A Importing and Exporting Configurations Exporting Configurations conditions, Security Intelligence, or file policies that include rules that use the...
  • Page 1700 Appendix A Importing and Exporting Configurations Importing Configurations For information on creating a third-party product mapping, see Mapping Third-Party...
  • Page 1701 Appendix A Importing and Exporting Configurations Importing Configurations • You must make sure that the appliance where you import a...
  • Page 1702 Appendix A Importing and Exporting Configurations Importing Configurations • Working with Alert Responses, page 15-2 • Using Custom Tables,...
  • Page 1703 Appendix A Importing and Exporting Configurations Importing Configurations • If there is a FireSIGHT System or (if applicable) rule update...
  • Page 1704 Appendix A Importing and Exporting Configurations Importing Configurations FireSIGHT System User Guide A-8
  • Page 1705: Purging Discovery Data from the Database APPENDIX B Purging Discovery Data from the Database You can use the...
  • Page 1706 Appendix B Purging Discovery Data from the Database FireSIGHT System User Guide B-2
  • Page 1707: Viewing the Status of Long-Running Tasks APPENDIX C Viewing the Status of Long-Running Tasks Some tasks that you...
  • Page 1708 Appendix C Viewing the Status of Long-Running Tasks Managing the Task Queue The Jobs section provides information about each...
  • Page 1709 Appendix C Viewing the Status of Long-Running Tasks Managing the Task Queue Table C-2 Task Queue Actions (continued) To... You...
  • Page 1710 Appendix C Viewing the Status of Long-Running Tasks Managing the Task Queue FireSIGHT System User Guide C-4
  • Page 1711: Command Line Reference APPENDIX D Command Line Reference This reference explains the command line interface...
  • Page 1712 Appendix D Command Line Reference Basic CLI Commands • Basic CLI Commands, page D-2 • Show Commands, page D-5...
  • Page 1713 Appendix D Command Line Reference Basic CLI Commands Syntax end Example configure network ipv4> end > exit Moves the CLI...
  • Page 1714 Appendix D Command Line Reference Basic CLI Commands logout Logs the current user out of the current CLI console...
  • Page 1715 Appendix D Command Line Reference Show Commands Example > configure manager add ?? Show Commands Show commands provide information about...
  • Page 1716 Appendix D Command Line Reference Show Commands • NAT, page D-16 • netstat, page D-18 • network, page D-18...
  • Page 1717 Appendix D Command Line Reference Show Commands alarms Displays currently active (failed/down) hardware alarms on the device. This command is...
  • Page 1718 Appendix D Command Line Reference Show Commands Access Basic Syntax show bypass Example > show bypass clustering Displays information...
  • Page 1719 Appendix D Command Line Reference Show Commands For virtual devices and ASA FirePOWER devices, the following values are displayed: •...
  • Page 1720 Appendix D Command Line Reference Show Commands Access Basic processes Displays a list of running database queries. Access Basic...
  • Page 1721 Appendix D Command Line Reference Show Commands Access Basic Syntax show disk Example > show disk disk-manager Displays detailed disk...
  • Page 1722 Appendix D Command Line Reference Show Commands Example > expert fan-status Displays the current status of hardware fans. This...
  • Page 1723 Appendix D Command Line Reference Show Commands hostname Displays the device’s hostname and appliance UUID. Access Basic Syntax show hostname...
  • Page 1724 Appendix D Command Line Reference Show Commands Syntax show inline-sets Example > show inline-sets interfaces If no parameters are...
  • Page 1725 Appendix D Command Line Reference Show Commands link-state Displays type, link, speed, duplex state, and bypass mode of the ports...
  • Page 1726 Appendix D Command Line Reference Show Commands memory Displays the total memory, the memory in use, and the available...
  • Page 1727 Appendix D Command Line Reference Show Commands active-dynamic Displays NAT flows translated according to dynamic rules. These entries are displayed...
  • Page 1728 Appendix D Command Line Reference Show Commands Example > show nat dynamic-rules 9 where allocator_id is a valid allocator...
  • Page 1729 Appendix D Command Line Reference Show Commands Example > show network network-modules Displays all installed modules and information about them,...
  • Page 1730 Appendix D Command Line Reference Show Commands portstats Displays port statistics for all installed ports on the device. This...
  • Page 1731 Appendix D Command Line Reference Show Commands Access Basic Syntax show processes [sort-flag] [filter] where sort-flag can be -m to...
  • Page 1732 Appendix D Command Line Reference Show Commands Access Basic Syntax show serial-number Example > show serial-number stacking Shows the...
  • Page 1733 Appendix D Command Line Reference Show Commands Syntax show time Example > show time traffic-statistics If no parameters are specified,...
  • Page 1734 Appendix D Command Line Reference Show Commands Example > show user jdoe users Applicable to virtual devices only. Displays...
  • Page 1735 Appendix D Command Line Reference Show Commands virtual-routers If no parameters are specified, displays a list of all currently configured...
  • Page 1736 Appendix D Command Line Reference Show Commands Example > show vpn config config by virtual router Displays the configuration...
  • Page 1737 Appendix D Command Line Reference Configuration Commands Example > show vpn counters VRouter1 Configuration Commands The configuration commands enable the...
  • Page 1738 Appendix D Command Line Reference Configuration Commands Syntax configure bypass {open | close} {interface} where interface is the name...
  • Page 1739 Appendix D Command Line Reference Configuration Commands manager The configure manager commands configure the device’s connection to its managing Defense...
  • Page 1740 Appendix D Command Line Reference Configuration Commands Syntax configure mpls-depth {depth} where depth is a number between 0 and...
  • Page 1741 Appendix D Command Line Reference Configuration Commands http-proxy On Series 3 and virtual devices, configures an HTTP proxy. After issuing...
  • Page 1742 Appendix D Command Line Reference Configuration Commands Example > configure network ipv4 dhcp ipv4 manual Manually configures the IPv4...
  • Page 1743 Appendix D Command Line Reference Configuration Commands ipv6 manual Manually configures the IPv6 configuration of the device’s management interface. Syntax...
  • Page 1744 Appendix D Command Line Reference Configuration Commands Use this command when you cannot establish communication with appliances higher in...
  • Page 1745 Appendix D Command Line Reference Configuration Commands aging Forces the expiration of the user’s password. Syntax configure user aging username...
  • Page 1746 Appendix D Command Line Reference Configuration Commands Syntax configure user forcereset username where username specifies the name of the...
  • Page 1747 Appendix D Command Line Reference System Commands Syntax configure user unlock username where username specifies the name of the user....
  • Page 1748 Appendix D Command Line Reference System Commands Syntax system access-control clear-rule-counts Example > system access-control clear-rule-counts rollback Reverts the...
  • Page 1749 Appendix D Command Line Reference System Commands Example > system file copy sfrocks jdoe /pub * delete Removes the...
  • Page 1750 Appendix D Command Line Reference System Commands Syntax system generate-troubleshoot This syntax displays a list of optional parameters to...
  • Page 1751 Appendix D Command Line Reference System Commands Access Configuration Syntax system nat rollback Example > system nat rollback reboot Reboots...
  • Page 1752 Appendix D Command Line Reference System Commands FireSIGHT System User Guide D-42
  • Page 1753: Security, Internet Access, and Communication Ports APPENDIX E Security, Internet Access, and Communication Ports To safeguard the Defense...
  • Page 1754 Appendix E Security, Internet Access, and Communication Ports Communication Ports Requirements promote the secondary to Active as described in...
  • Page 1755 Appendix E Security, Internet Access, and Communication Ports Communication Ports Requirements • secure remote connections to an appliance •...
  • Page 1756 Appendix E Security, Internet Access, and Communication Ports Communication Ports Requirements Table E-2 Default Communication Ports for FireSIGHT System...
  • Page 1757 Appendix E Security, Internet Access, and Communication Ports Communication Ports Requirements Table E-2 Default Communication Ports for FireSIGHT System...
  • Page 1758 Appendix E Security, Internet Access, and Communication Ports Communication Ports Requirements FireSIGHT System User Guide E-6
  • Page 1759: Third-Party Products APPENDIX F Third-Party Products FireSIGHT System products contain certain third-party open source...
  • Page 1760 Appendix F Third-Party Products FireSIGHT System User Guide F-2
  • Page 1761: End User License Agreement APPENDIX G End User License Agreement IMPORTANT: PLEASE READ THIS END USER...
  • Page 1762 Appendix G End User License Agreement THE FOLLOWING TERMS OF THE AGREEMENT GOVERN CUSTOMER'S USE OF THE SOFTWARE (DEFINED...
  • Page 1763 Appendix G End User License Agreement (iii) reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human-readable...
  • Page 1764 Appendix G End User License Agreement any other applicable countries' laws and regulations. Customer shall comply with such laws...
  • Page 1765 Appendix G End User License Agreement Restrictions. This warranty does not apply if the Software, Product or any other equipment...
  • Page 1766 Appendix G End User License Agreement SUPPLIERS AND LICENSORS TO CUSTOMER FOR PERSONAL INJURY OR DEATH CAUSED BY THEIR...
  • Page 1767 Appendix G End User License Agreement Controlling Law, Jurisdiction. If you acquired, by reference to the address on the purchase...
  • Page 1768 Appendix G End User License Agreement FireSIGHT System User Guide G-8
  • Page 1769: Glossary GLOSSARY 7000 Series A group of Series 3 managed devices. The devices in this series include the 70xx Family...
  • Page 1770 Glossary access-controlled user A user whose network use you can control using access control. You specify the LDAP groups that...
  • Page 1771 Glossary appliance statistics Information you can obtain about an appliance, including uptime, system memory usage, load average, disk usage,...
  • Page 1772 Glossary application type Whether an application is an application protocol, client application, or web application. apply The action you take...
  • Page 1773 Glossary bookmark A saved link to a specific location and time in an event analysis. Bookmarks retain information about...
  • Page 1774 Glossary Cisco Intelligence Feed A collection of regularly updated lists of IP addresses determined by the Cisco VRT to have...
  • Page 1775 Glossary command line interface A restricted text-based interface on Series 3 and virtual devices. The commands that CLI users...
  • Page 1776 Glossary connection log See connection event. connection summary Connection data aggregated over a five-minute interval. The system uses connection summaries...
  • Page 1777 Glossary correlation policy A policy that describes the network activity that constitutes a security policy violation, using correlation rules...
  • Page 1778 Glossary custom user role A user role with specialized access privileges. Custom user roles may have any set of menu-based...
  • Page 1779 Glossary derived fingerprint An operating system fingerprint created by the system from all passively collected fingerprints for a host...
  • Page 1780 Glossary drill-down page An intermediate workflow page used to constrain event views. Generally, a drill-down page presents constraints that you...
  • Page 1781 Glossary Event Streamer See eStreamer. event suppression A feature that allows you to use suppress intrusion events when a...
  • Page 1782 Glossary file capture See captured file. file category A general classification for file types, such as graphics, executables, or archives....
  • Page 1783 Glossary FireAMP Cisco’s enterprise-class, endpoint-based, advanced malware analysis and protection solution that discovers, understands, and blocks malware outbreaks, persistent...
  • Page 1784 Glossary events, file events, and malware events, as well as in host profiles. geolocation database Also called the GeoDB, a...
  • Page 1785 Glossary health policy The criteria used when checking the health of an appliance in your deployment. Health policies use...
  • Page 1786 Glossary host profile Collected information about a specific detected host. This includes general host information, such as its name and...
  • Page 1787 Glossary incident One or more intrusion events that you suspect are involved in a possible violation of your security...
  • Page 1788 Glossary intrusion policy A variety of components that you can configure to inspect your network traffic for intrusions and security...
  • Page 1789 Glossary malware blocking A component of Cisco’s network-based advanced malware protection (AMP) solution. After malware detection yields a malware...
  • Page 1790 Glossary malware storage pack A secondary solid-state drive supplied by Cisco that you can install in certain devices to store...
  • Page 1791 Glossary network discovery See discovery. network discovery policy A policy that specifies the kinds of discovery data (including host,...
  • Page 1792 Glossary operating system identity The operating system vendor and version details for an operating system on a host. packet view...
  • Page 1793 Glossary Normalizing application layer protocol encoding allows the system to effectively apply the same content-related intrusion rules to packets...
  • Page 1794 Glossary remediation instance A set of configurations for a remediation module. You can configure multiple instances per module, for example,...
  • Page 1795 Glossary rule A construct, usually within a policy, that provides criteria against which network traffic is examined. rule action...
  • Page 1796 Glossary Security Intelligence object A single configuration that represents one or more IP addresses, and that you add to an...
  • Page 1797 Glossary server banner The first 256 bytes of the first packet detected for a server, which can provide additional...
  • Page 1798 Glossary snooze period An interval specified in seconds, minutes, or hours after a correlation rule triggers during which the Defense...
  • Page 1799 Glossary SVID See vulnerability ID. switch A network device that acts as a multiport bridge. Using network discovery, the...
  • Page 1800 Glossary threat score A rating of 1-100 assigned to a file as a result of submission to the Collective Security...
  • Page 1801 Glossary URL Filtering license A license that allows you to perform URL filtering based on URL category and URL...
  • Page 1802 Glossary user identity See user. user layer A layer in an intrusion policy where you can modify settings in the...
  • Page 1803 Glossary virtual router A group of routed interfaces that route Layer 3 traffic. In a Layer 3 deployment, you...
  • Page 1804 Glossary vulnerability database Also called the VDB, a database of known vulnerabilities to which hosts may be susceptible. The system...
  • Page 1805 Glossary zone See security zone. FireSIGHT System User Guide GL-45
  • Page 1806 Glossary FireSIGHT System User Guide GL-46
  • Page 1807: Index INDEX access control policies Symbols advanced settings 13-18 %U encoding (HTTP Inspect option) 25-40 applying 13-34 $AIM_SERVERS 5-17 comparing...
  • Page 1808 Index geolocation 14-18 introduction 29-1 inspecting files 14-31 preprocessors 29-2 licensing 14-1 understanding 29-1 logging connections 14-34 add client...
  • Page 1809 Index retrospective malware alerting 15-9 applications 38-38 SNMP alerts 15-4, 21-9, 31-1 application details 38-42 syslog alerts 15-5, 31-4,...
  • Page 1810 Index automatically enabling IPS features 22-10 Bugtraq ID automatic application bypass 6-53 network map 36-7 monitoring 55-11 vulnerability details...
  • Page 1811 Index configuring remediations 41-3 rules in an access control policy 14-39 IOS block 41-5, 41-6, 41-7 rules in an...
  • Page 1812 Index Connection Summary dashboard 3-2 top malware detection 4-25 connection summary page 16-31 top targets 4-19 external responders 16-4...
  • Page 1813 Index high availability 6-11 application detectors 42-17 remediations 41-1 detection list 5-32, 33-3 response groups 39-41 fingerprints 42-7 correlation...
  • Page 1814 Index cvs (rule keyword) 32-79 target-based policy options 25-8 transports 25-5 decoders D decoding packets 17-3, 26-15 dashboards 3-1,...
  • Page 1815 Index switching the active peer 6-35 dispositions, see malware dispositions device groups distance content option (rule keyword) 32-18 adding...
  • Page 1816 Index setting 21-8, 21-30 event breakdown (discovery) 38-4 understanding 21-29 intrusion events 18-2 OS breakdown (discovery) 38-5 protocol breakdown...
  • Page 1817 Index file capture 34-2 files dashboard 3-2 file control file types 33-12 access control 33-5, 33-9 uploading to clean...
  • Page 1818 Index integrating with the system 33-6 blocking 14-18 internet access 33-22 objects 5-38 Sourcefire cloud connections 33-22 overview 47-20...
  • Page 1819 Index editing 55-39 deleting 55-34 understanding 55-38 editing 55-29 health events 55-46 health status monitoring 55-18 field descriptions 55-53...
  • Page 1820 Index built-in host attributes 37-29 host attributes 37-21 creating 37-31 host protocols 37-22 deleting 37-33 identity conflicts 37-13, 37-18...
  • Page 1821 Index NETBIOS name 38-20 HTTPS certificates 51-3 new host (discovery event type) 38-11, 39-10 generating a server certificate request...
  • Page 1822 Index impact levels 18-33 advanced options 7-7 alerting 15-8 creating 7-4 descriptions 18-33 deleting 7-10 impact qualification 37-26 IPS...
  • Page 1823 Index portscan events 28-7 layers 23-1 rate monitoring 55-4, 55-19 managing 20-3 reviewing 18-13 navigation panel 20-8 searching 18-35...
  • Page 1824 Index metadata 32-37 introduction 17-1 parts of a rule 32-2 intrusion event responses 17-7 replacing content 32-25 intrusion events...
  • Page 1825 Index content http_client_body option 32-22 IPopts 32-42 content http_cookie option 32-21 isdataat 32-77 content http_header option 32-21 itype 32-45...
  • Page 1826 Index layer (host profile) 37-22 license types 52-2 layer 2 switches 8-1 Malware 52-6 layer 3 routers 9-1 managing...
  • Page 1827 Index logging out of the appliance 2-4 files dashboard 3-2 login banner 50-20 logging 14-37, 33-15 logos 44-26 network-based...
  • Page 1828 Index metacharacters 32-32 reports 12-10 metadata (rule keyword) 32-38 targets 12-3 Microsoft NAT rules %U encoding (HTTP Inspect option)...
  • Page 1829 Index correlation events 39-50 network layer 17-4, 18-28 correlation policies 39-1 network map correlation policy remediations 41-1 applications 36-6...
  • Page 1830 Index scheduling scans 49-5 resolving conflicts 37-13 setting up 43-9 viewing 37-11 no_alert_large_fragments (RPC decoder) 25-45 order of execution,...
  • Page 1831 Index packets in intrusion rules 32-31 capturing 17-3 metacharacters 32-32 data link layer 17-4 modifier options 32-33 decoding 17-3,...
  • Page 1832 Index changing passwords 58-1 profile conditions (in traffic profiles) 40-9 event preferences 58-3 profiling time window (PTW) 40-1, 40-7...
  • Page 1833 Index registration key 6-6, 6-14 event graphs 18-6 regular expressions, in intrusion rules 32-31 from event views 44-1 remediation...
  • Page 1834 Index risk setting rule state 21-20 applications 38-40 tuning 17-9 in application detectors 42-19 Rules page, intrusion policy 23-3...
  • Page 1835 Index Nmap scans 49-5 white lists 27-31 recurring tasks 49-2 white list violations 27-36 reports 49-8 wildcards 45-4 software...
  • Page 1836 Index monitoring application protocols 28-25 configuring 48-64 predefined data types 28-22 sip_body (rule keyword) 32-59 seq (rule keyword) 32-49...
  • Page 1837 Index bypass mode 7-4 traffic handling 6-43 configuring interfaces 7-10 standard rules (access control) 13-23 deploying inline 13-34 standard...
  • Page 1838 Index in the packet view 18-26 custom login banner 50-20 introduction 21-22 dashboard settings 50-13 switched interfaces 8-1 database...
  • Page 1839 Index managing C-2 thresholding viewing C-1 global rule 30-1 TCP 17-4 global rule (configuring) 30-3 experimental options 26-16 global...
  • Page 1840 Index configuring 47-23 UDP port closed (discovery event type) 39-10 Context Explorer 4-33 UDP port timeout (discovery event type)...
  • Page 1841 Index deleting 48-54 login types 38-55 editing 48-52 user qualification 39-30 externally authenticated user accounts 48-45 user identity events...
  • Page 1842 Index variable sets 5-16 VLAN packets (decoded) 17-4 custom 5-16 VLANs default set 5-17 host profiles 37-20 linking to...
  • Page 1843 Index misidentified 42-3 allow jailbreaking 27-8, 27-10 network map 36-7 application protocols 27-15 searching 38-50 basic information 27-10 third-party...
  • Page 1844 Index availability 3-4 editing 47-43 correlation events 3-9 introduction 47-1 current sessions 3-10 intrusion events 18-14 custom analysis 3-11...