Cisco Firepower Management Center 4000
39-37
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
In contrast, the following rule, which detects SSH activity on a non-standard port on the 10.4.x.x
network and the 192.168.x.x network, has four conditions, with the bottom two constituting a complex
condition.
This rule triggers if SSH is detected on a non-standard port; the first two conditions demand that the
application protocol name is SSH and the port is not 22. The rule further requires that the IP address of
the host involved in the event is in either the 10.4.x.x network or the 192.168.x.x network.
Logically, the rule is evaluated as follows:
(A and B and (C or D))
To add a single condition:
Access: Admin/Discovery Admin
Step 1   To add a single condition, click Add condition above the current condition.
A new condition is added below the current set of conditions, on the same level as the current set of
conditions. By default, it is linked to the conditions on the same level with the OR operator, though you
can change the operator to AND.
For example, if you add a simple condition to the following rule:
Table 39-15   Rule Evaluation
Where...   Is the condition that states...
A          Application Protocol is SSH
B          Application Port is not 22
C          IP Address is in 10.4.0.0/8
D          IP Address is in 196.168.0.0/16