Cisco Firepower Management Center 4000
14-37
FireSIGHT System User Guide
Chapter 14 Understanding and Writing Access Control Rules
Logging Connection, File, and Malware Information
Tip
Even though the rule action in the connection log can never be Monitor, you can still trigger correlation policy violations on connections that match Monitor rules. For more information, see .
Logging File and Malware Events
When a file policy associated with an access control rule generates a file or malware event, the rule's logging configuration determines whether that event is logged to the database. This setting is enabled by default, although you can disable it.
File policies can generate the following types of event:
• file events, which represent detected or blocked files, including malware files
• malware events, which represent the detection or blocking of malware in files evaluated by Malware Cloud Lookup or Block Malware rules
• retrospective malware events, which are generated when the malware disposition for a previously detected file changes
When a file policy generates a file or malware event, the system automatically logs the end of the associated connection to the Defense Center database, regardless of the logging configuration of the invoking access control rule.
For more information on performing file inspection, see and .
Logging Connections Associated with File and Malware Events
Each connection event logged to the Defense Center database can include and display information on the files detected or blocked in a connection. When a file policy generates a file or malware event, the system automatically logs the end of the associated connection to the Defense Center database, regardless of the logging configuration of the invoking access control rule. You cannot disable this connection logging.
Note
File events generated by inspecting NetBIOS-ssn (SMB) traffic do not immediately generate connection events because the client and server establish a persistent connection. The system generates connection events after the client or server ends the session.
If a file policy acts on a connection, the connection's reason is either File Monitor (a file type or malware was detected) or File Block or Malware Block (a file was blocked). For connections where a file was blocked, the action recorded in the connection log is Block even though you associated the file policy with an Allow rule.
Logging Connections Associated with Intrusions
Each connection event logged to the Defense Center database can include and display information on the intrusions detected or blocked in a connection. When an intrusion policy associated with an access control rule generates an intrusion event, the system automatically logs the end of the associated connection to the Defense Center database, regardless of the logging configuration of the rule.
Tip
To disable this connection logging on virtual appliances, use the CLI; see .
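The following is an added example, not code from the FireSIGHT System User Guide or from Cisco. It encodes the logging behaviour described in the two preceding sections (file and malware events, and intrusion events) as a small model, so that a detection engineer can turn the prose into checks: which connections get an end-of-connection event, what action and reason the event carries, and which file events should be expected to pair with a connection event only later because the SMB session is still open. The Connection and LogOutcome classes, the field names, the SMB label and the triage helper are this example's own assumptions; only the rules stated in the comments come from the guide.

```python
"""Added example (not Cisco code): a model of the end-of-connection logging rules
described in this section of the FireSIGHT System User Guide.

Assumptions, labelled here: the Connection/LogOutcome classes, field names, the
SMB label and unexplained_missing_connections() are this example's own. The
rules in the comments are the ones the guide states.
"""
from dataclasses import dataclass
from typing import Optional

SMB = "NetBIOS-ssn (SMB)"   # label used by this example for the persistent-session case


@dataclass
class Connection:
    rule_action: str              # action of the rule that finally handled the connection (never "Monitor")
    log_end: bool                 # the rule's "log at end of connection" setting
    log_file_events: bool = True  # the rule's file/malware event logging; on by default, can be disabled
    file_detected: bool = False   # file policy detected a file type or malware
    file_blocked: bool = False    # file policy blocked a file by type
    malware_blocked: bool = False # file policy blocked a file as malware
    intrusion_event: bool = False # intrusion policy on the rule generated an event
    app_protocol: str = "HTTP"
    session_ended: bool = True    # only matters for SMB persistent sessions


@dataclass
class LogOutcome:
    connection_logged: bool       # an end-of-connection event reaches the Defense Center now
    deferred: bool                # it will be logged, but only once the SMB session ends
    action: Optional[str]         # action column of the connection event
    reason: Optional[str]         # reason column of the connection event
    file_events_logged: bool      # file/malware events written to the database


def evaluate(conn: Connection) -> LogOutcome:
    """Apply the logging rules from this section to one connection."""
    if conn.rule_action == "Monitor":
        # Guide: the logged action can never be Monitor. Pass the action of the
        # rule that ultimately handled the connection instead.
        raise ValueError("rule_action must be the final handling rule's action, not Monitor")

    file_event = conn.file_detected or conn.file_blocked or conn.malware_blocked
    # File/malware *events* follow the rule's own setting (enabled by default)...
    file_events_logged = file_event and conn.log_file_events
    # ...but any file, malware or intrusion event forces end-of-connection
    # logging regardless of the rule's logging configuration; it cannot be disabled.
    forced = file_event or conn.intrusion_event
    connection_logged = conn.log_end or forced

    # SMB sessions are persistent: the connection event is generated only after
    # the client or server ends the session.
    deferred = connection_logged and conn.app_protocol == SMB and not conn.session_ended
    if deferred:
        connection_logged = False

    if not connection_logged and not deferred:
        return LogOutcome(False, False, None, None, file_events_logged)

    if conn.file_blocked or conn.malware_blocked:
        action = "Block"   # even though the file policy hangs off an Allow rule
    else:
        action = conn.rule_action

    if conn.malware_blocked:
        reason = "Malware Block"
    elif conn.file_blocked:
        reason = "File Block"
    elif conn.file_detected:
        reason = "File Monitor"
    else:
        reason = None      # reason strings for intrusion-only connections are not covered here

    return LogOutcome(connection_logged, deferred, action, reason, file_events_logged)


def unexplained_missing_connections(file_event_conn_ids, connection_event_conn_ids, smb_conn_ids=()):
    """Triage helper: file events whose connection has no end-of-connection event.

    Every file event is eventually paired with a connection event, so a gap is
    worth a look, except for SMB connections whose session may still be open.
    Returns the connection ids that need investigation, sorted.
    """
    missing = set(file_event_conn_ids) - set(connection_event_conn_ids)
    return sorted(missing - set(smb_conn_ids))


if __name__ == "__main__":
    # Constructed sample: an Allow rule with end-of-connection logging off that
    # blocks a malware file over HTTP, and a batch of constructed connection ids.
    print(evaluate(Connection("Allow", log_end=False, malware_blocked=True)))
    print(unexplained_missing_connections([1, 2, 3], [1], smb_conn_ids=[3]))
```

The model deliberately separates the two knobs the guide describes: the rule's file-event logging setting controls whether file and malware events are stored, while end-of-connection logging for those connections is forced and cannot be switched off. When reconciling file events against connection events, exclude SMB connections whose session has not closed before treating a missing connection event as a logging fault.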