Cisco Firepower Management Center 4000
16-8
FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
Understanding Connection Data
IOC
Whether or not the event triggered an indication of compromise (IOC) against a host involved in the connection. For more information on IOC, see
NetBIOS Domain
The NetBIOS domain used in the session.
NetFlow Destination/Source Autonomous System
For connections exported by NetFlow-enabled devices, the border gateway protocol autonomous system number for the source or destination of traffic in the connection.
NetFlow Destination/Source Prefix
For connections exported by NetFlow-enabled devices, the source or destination IP address ANDed with the source or destination prefix mask.
NetFlow Destination/Source TOS
For connections exported by NetFlow-enabled devices, the setting for the type-of-service (TOS) byte when connection traffic entered or exited the NetFlow-enabled device.
NetFlow SNMP Input/Output
For connections exported by NetFlow-enabled devices, the interface index for the interface where connection traffic entered or exited the NetFlow-enabled device.
Reason
The reason or reasons the connection was logged, in the following situations:
– User Bypass indicates that the system initially blocked a user’s HTTP request, but the user chose to continue to the originally requested site by clicking through a warning page. A reason of User Bypass is always paired with an action of Allow.
– IP Block indicates that the system denied the connection without inspection, based on Security Intelligence data. A reason of IP Block is always paired with an action of Block.
– IP Monitor indicates that the system would have denied the connection based on Security Intelligence data, but you configured the system to monitor, rather than deny, the connection.
– File Monitor indicates that the system detected a particular type of file in the connection.
– File Block indicates the connection contained a file or malware file that the system prevented from being transmitted. A reason of File Block is always paired with an action of Block.
– File Custom Detection indicates the connection contained a file on the custom detection list that the system prevented from being transmitted.
– File Resume Allow indicates that file transmission was originally blocked by a Block Files or Block Malware file rule. After a new access control policy was applied that allowed the file, the HTTP session automatically resumed.
– File Resume Block indicates that file transmission was originally allowed by a Detect Files or Malware Cloud Lookup file rule. After a new access control policy was applied that blocked the file, the HTTP session automatically stopped.
– Intrusion Block indicates the system blocked or would have blocked an exploit (intrusion policy violation) detected in the connection. A reason of Intrusion Block is paired with an action of Block for blocked exploits and Allow for would-have-blocked exploits.
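As an added example, not code from the Cisco guide: a small Python check that applies two of the definitions above to exported connection records, computing the NetFlow prefix (address ANDed with the prefix mask) and flagging records whose Reason is paired with an Action the guide says it never carries. The field names Reason and Action, a comma-separated multi-reason string, and the sample records themselves are assumptions constructed for the example.

```python
import ipaddress

# Reason -> actions the guide states that reason is always paired with.
# Reasons with no fixed pairing (IP Monitor, File Monitor, ...) are left out.
REASON_ACTION_PAIRING = {
    "User Bypass": {"Allow"},
    "IP Block": {"Block"},
    "File Block": {"Block"},
    "Intrusion Block": {"Block", "Allow"},  # Block = blocked, Allow = would-have-blocked
}


def netflow_prefix(address, prefix_mask):
    """NetFlow Source/Destination Prefix as defined above: address ANDed with its prefix mask."""
    ip = ipaddress.ip_address(address)
    mask = ipaddress.ip_address(prefix_mask)
    # Rebuild with the same address class so a small IPv6 result is not mistaken for IPv4.
    return str(ip.__class__(int(ip) & int(mask)))


def check_reason_action(event):
    """Return the inconsistencies between an event's Reason value(s) and its Action."""
    problems = []
    # Assumption: multiple reasons are exported as one comma-separated string.
    reasons = [r.strip() for r in event.get("Reason", "").split(",") if r.strip()]
    action = event.get("Action")
    for reason in reasons:
        expected = REASON_ACTION_PAIRING.get(reason)
        if expected is not None and action not in expected:
            problems.append(
                f"reason {reason!r} with action {action!r}, expected one of {sorted(expected)}"
            )
    return problems


def audit(events):
    """Map index -> problems for every event that violates a fixed pairing."""
    result = {}
    for idx, event in enumerate(events):
        problems = check_reason_action(event)
        if problems:
            result[idx] = problems
    return result


# Constructed sample connection records (not real FMC output); field names follow the guide.
SAMPLE_EVENTS = [
    {"Reason": "User Bypass", "Action": "Allow", "IOC": "No"},
    {"Reason": "IP Block", "Action": "Block", "IOC": "Yes"},
    {"Reason": "Intrusion Block", "Action": "Allow", "IOC": "Yes"},  # would-have-blocked
    {"Reason": "File Block, File Monitor", "Action": "Allow", "IOC": "No"},  # inconsistent
    {"Reason": "IP Monitor", "Action": "Allow", "IOC": "No"},  # no fixed pairing
]

if __name__ == "__main__":
    print(netflow_prefix("192.0.2.77", "255.255.255.0"))  # → 192.0.2.0
    for idx, problems in audit(SAMPLE_EVENTS).items():
        print(idx, problems)
```

Only record 3 is reported, because IP Monitor and File Monitor carry no fixed action and an Intrusion Block with Allow is the documented would-have-blocked case.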