Cisco Firepower Management Center 4000
39-23
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
You should keep in mind that connections detected by Cisco managed devices and connection data
exported by NetFlow-enabled devices contain different information. For example, connections detected
by managed devices do not contain TCP flag information. Therefore, if you want to specify that a
connection event have a certain TCP flag to trigger a correlation rule, none of the connections detected
by managed devices will trigger the rule.
As another example, NetFlow records do not contain information about which host in the connection is
the initiator and which is the responder. When the system processes NetFlow records, it uses an
algorithm to determine this information based on the ports each host is using, and whether those ports
are well-known. For more information, see
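The page does not spell out the port-based inference, so the heuristic below is an added illustration and not Cisco's algorithm: it assumes a NetFlow record carries both endpoints and their ports, treats the side on a well-known port as the responder, and flags records where neither side (or both sides) is on a well-known port, which is exactly the case where a tracker condition on Initiator IP or Responder IP for NetFlow data rests on a guess.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed for this example; Cisco's real port list and tie-breaking
# rules are not documented on this page.
WELL_KNOWN_PORTS = {22, 25, 53, 80, 123, 443, 445, 3389, 8080}

@dataclass(frozen=True)
class FlowRecord:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Connection:
    initiator_ip: str
    responder_ip: str
    responder_port: int
    ambiguous: bool  # True when the roles are a low-confidence guess

def infer_roles(rec: FlowRecord) -> Connection:
    """Hypothetical heuristic (an assumption): the endpoint on a well-known
    port is the responder; if both or neither are, guess by lower port."""
    src_wk = rec.src_port in WELL_KNOWN_PORTS
    dst_wk = rec.dst_port in WELL_KNOWN_PORTS
    if dst_wk and not src_wk:
        return Connection(rec.src_ip, rec.dst_ip, rec.dst_port, ambiguous=False)
    if src_wk and not dst_wk:
        return Connection(rec.dst_ip, rec.src_ip, rec.src_port, ambiguous=False)
    # Ephemeral ports on both sides (or well-known on both): nothing reliable
    # to go on, so take the lower port as the responder and flag the result.
    if rec.dst_port <= rec.src_port:
        return Connection(rec.src_ip, rec.dst_ip, rec.dst_port, ambiguous=True)
    return Connection(rec.dst_ip, rec.src_ip, rec.src_port, ambiguous=True)

def rule_matches_initiator(conn: Connection, initiator_ip: str) -> Optional[bool]:
    """Evaluate an 'Initiator IP is X' tracker condition. Returns None when
    the initiator role was only guessed from ephemeral ports."""
    if conn.ambiguous:
        return None
    return conn.initiator_ip == initiator_ip

# Constructed sample records, not real traffic.
SAMPLE_FLOWS = [
    FlowRecord("10.1.1.5", 51234, "10.2.2.9", 443),    # clearly 10.1.1.5 initiated
    FlowRecord("10.2.2.9", 22, "10.1.1.5", 40001),     # reverse half of an SSH session
    FlowRecord("10.1.1.5", 40500, "10.3.3.3", 41000),  # both ports ephemeral
]
```

A managed device sees the handshake and records the roles directly; for NetFlow-sourced connections the third record shows why a rule keyed on initiator or responder can match or miss on inference alone.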
Table 39-12 Syntax for Connection Trackers
If you specify...
Select an operator, then...
Access Control Policy
Select one or more access control policies that logged the connections you want to track.
Access Control Rule Action
Select one or more access control rule actions associated with the access control rule that
logged the connections you want to track.
Note: Select Monitor to track connections that match the conditions of any Monitor rule,
regardless of the rule or default action that later handles the connections.
Access Control Rule Name
Type all or part of the name of the access control rule that logged the connections you want
to track.
Note: To track connections that match Monitor rules, type the name of the Monitor rule.
The system tracks the connections, regardless of the rule or default action that later
handles them.
Application Protocol
Select one or more application protocols.
Application Protocol Category
Select one or more application protocol categories.
Client
Select one or more clients.
Client Category
Select one or more client categories.
Client Version
Type the version of the client.
Connection Duration
Type the connection duration, in seconds.
Connection Type
Select whether you want to track connections based on how they were detected: by a Cisco
managed device (FireSIGHT) or exported by a NetFlow-enabled device (NetFlow).
Device
Select one or more devices whose detected connections you want to track. If you want to
track NetFlow connections, select the devices that process the connection data exported by
your NetFlow-enabled devices.
Ingress Interface or Egress Interface
Select one or more interfaces.
Ingress Security Zone or Egress Security Zone
Select one or more security zones.
Initiator IP, Responder IP, or Initiator/Responder IP
Type a single IP address or address block. For information on using IP address notation in
the FireSIGHT System, see
.