Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 39      Configuring Correlation Policies and Rules
  Creating Rules for Correlation Policies
In this example, the system detected a connection that met the basic conditions of the correlation rule, 
that is, the system detected a connection from a host outside the 10.1.0.0/16 network to a host inside the 
network. This created a connection tracker.
The connection tracker is processed in the following stages:
Step 1
The system starts tracking connections when it detects a connection from Host A outside the network to 
Host 1 inside the network.
Step 2
The system detects two more connections that match the connection tracker signature: Host B to Host 2 
and Host C to Host 1.
Step 3
The system detects a fourth qualifying connection when Host A connects to Host 3 within the 
two-minute time limit. The rule conditions are met.
Step 4
The Defense Center generates a correlation event and the system stops tracking connections.
Example: Excessive BitTorrent Data Transfers
Consider a scenario where you want to generate a correlation event if the system detects excessive 
BitTorrent data transfers after an initial connection to any host on your monitored network.
The following graphic shows a correlation rule that triggers when the system detects the BitTorrent 
application protocol on your monitored network. The rule has a connection tracker that constrains the 
rule so that the rule triggers only if hosts on your monitored network (in this example, 10.1.0.0/16) 
collectively transfer more than 7MB of data (7340032 bytes) via BitTorrent in the five minutes following 
the initial policy violation.
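The connection-tracker lifecycle walked through in the four steps above (start tracking on the first qualifying connection, accumulate matches inside a time window, fire and stop at the threshold, or silently discard when the window lapses) and the byte-volume variant from the BitTorrent example, modelled in Python as an added example. This is not FireSIGHT code: the Connection record, the sample addresses, application labels and byte counts are constructed, and it assumes that the initial connection itself counts toward the total and that the window is measured from that initial connection.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

# Monitored network used by both examples in the guide.
MONITORED = ipaddress.ip_network("10.1.0.0/16")


@dataclass(frozen=True)
class Connection:
    """One connection event (constructed sample data, not a real FireSIGHT record)."""
    ts: float          # seconds since the start of the sample
    src: str           # initiator address
    dst: str           # responder address
    app: str = ""      # application protocol the system identified
    nbytes: int = 0    # bytes transferred by the connection


def inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in MONITORED


class ConnectionTracker:
    """Model of a correlation rule whose trigger is constrained by a connection tracker.

    trigger   -- the rule's base condition; the first connection meeting it starts tracking
    match     -- whether a later connection is added to the tracker
    measure   -- what a matching connection contributes (1 for a count, nbytes for volume)
    threshold -- the tracker fires once the accumulated value reaches this
    window    -- seconds after the initial connection during which matches are collected
    Assumption (not stated by the guide): the initial connection contributes to the total.
    """

    def __init__(self, trigger: Callable[[Connection], bool],
                 match: Callable[[Connection], bool],
                 measure: Callable[[Connection], int],
                 threshold: int, window: float):
        self.trigger, self.match, self.measure = trigger, match, measure
        self.threshold, self.window = threshold, window
        self.reset()

    def reset(self) -> None:
        self.start: Optional[float] = None   # timestamp of the initial connection
        self.total = 0
        self.matched: List[Connection] = []

    def feed(self, c: Connection) -> Optional[dict]:
        """Process one connection; return a correlation event dict when the rule fires."""
        if self.start is not None and c.ts - self.start > self.window:
            self.reset()  # window elapsed without reaching the threshold: stop tracking
        if self.start is None:
            if not self.trigger(c):
                return None
            self.start = c.ts  # Step 1: a qualifying connection starts the tracker
        elif not self.match(c):
            return None
        self.total += self.measure(c)
        self.matched.append(c)
        if self.total >= self.threshold:
            event = {"first": self.start, "last": c.ts, "total": self.total,
                     "connections": list(self.matched)}
            self.reset()  # Step 4: event generated, tracking stops
            return event
        return None


def external_to_internal(c: Connection) -> bool:
    return not inside(c.src) and inside(c.dst)


def bittorrent_on_monitored(c: Connection) -> bool:
    return c.app == "BitTorrent" and (inside(c.src) or inside(c.dst))


def run_connection_count(fourth_ts: float) -> List[float]:
    """First example: four external-to-internal connections within two minutes.
    Returns the timestamps at which a correlation event was generated."""
    tracker = ConnectionTracker(external_to_internal, external_to_internal,
                                lambda c: 1, threshold=4, window=120)
    sample = [
        Connection(0,  "203.0.113.10", "10.1.5.1"),         # Host A -> Host 1, starts tracking
        Connection(30, "203.0.113.20", "10.1.5.2"),         # Host B -> Host 2
        Connection(45, "203.0.113.30", "10.1.5.1"),         # Host C -> Host 1
        Connection(60, "10.1.5.9",     "10.1.5.1"),         # internal -> internal, not counted
        Connection(fourth_ts, "203.0.113.10", "10.1.5.3"),  # Host A -> Host 3
    ]
    return [c.ts for c in sample if tracker.feed(c) is not None]


def run_bittorrent() -> List[float]:
    """Second example: more than 7340032 bytes of BitTorrent within five minutes."""
    tracker = ConnectionTracker(bittorrent_on_monitored, bittorrent_on_monitored,
                                lambda c: c.nbytes, threshold=7340032, window=300)
    sample = [
        Connection(0,   "10.1.7.4", "198.51.100.5", "BitTorrent", 1_000_000),
        Connection(60,  "10.1.7.9", "198.51.100.6", "BitTorrent", 3_000_000),
        Connection(120, "10.1.7.4", "198.51.100.7", "HTTP",       9_000_000),  # not BitTorrent
        Connection(200, "10.1.8.1", "198.51.100.8", "BitTorrent", 3_500_000),  # total 7500000
    ]
    return [c.ts for c in sample if tracker.feed(c) is not None]


if __name__ == "__main__":
    print(run_connection_count(90))   # [90]: fourth connection inside the window
    print(run_connection_count(150))  # []: window lapsed; the late connection starts a new tracker
    print(run_bittorrent())           # [200]
```

The second call to run_connection_count shows the failure mode the guide does not spell out: when the fourth connection arrives after the two-minute limit, the first tracker is discarded without an event and that late connection becomes the initial connection of a fresh tracker, so a slow attacker who spaces connections beyond the window is never reported by this rule alone.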