Cisco Firepower Management Center 4000
FireSIGHT System User Guide    25-72

Chapter 25      Using Application Layer Preprocessors
  Using the SSL Preprocessor
  •  the system observes all packets in a session, Server side data is trusted is enabled, and the session includes a Finished message from the client and at least one packet from the client with an Application record and without an Alert record
  •  the system misses some of the traffic, Server side data is trusted is enabled, and the session includes at least one packet from the client with an Application record that is not answered with an Alert record
If you choose to stop processing on encrypted traffic, the system ignores future packets in a session after 
it marks the session as encrypted.
Note    You can add the ssl_state and ssl_version keywords to a rule to use SSL state or version information within the rule. For more information, see . Note that the SSL preprocessor must be enabled to allow processing of rules that contain SSL keywords.
Enabling SSL Preprocessor Rules
License: Protection
When enabled, the SSL preprocessor inspects the contents of the handshake and key exchange messages exchanged at the beginning of an SSL session.
Note that you must enable SSL preprocessor rules, which have a generator ID (GID) of 137, if you want these rules to generate events. A link on the configuration page takes you to a filtered view of SSL preprocessor rules on the intrusion policy Rules page, where you can enable and disable rules and configure other rule actions. See  for more information.
Table 25-12 describes the SSL preprocessor rules you can enable.
Configuring the SSL Preprocessor
License: Protection
By default, the system attempts to inspect encrypted traffic. When you enable the SSL preprocessor, it detects when a session becomes encrypted. After the SSL preprocessor is enabled, the rules engine can invoke the preprocessor to obtain SSL state and version information. If you enable rules using the ssl_state and ssl_version keywords in an intrusion policy, you should also enable the SSL preprocessor in that policy.
In addition, you can enable the Stop inspecting encrypted traffic option to disable inspection and reassembly for encrypted sessions. The SSL preprocessor maintains state for the session so it can disable inspection of all traffic in the session. The system only stops inspecting traffic in encrypted sessions if SSL preprocessing is enabled and the Stop inspecting encrypted traffic option is selected.
Table 25-12    SSL Preprocessor Rules

Preprocessor Rule GID:SID    Description
137:1                        Detects a client hello after a server hello, which is invalid and considered to be anomalous behavior.
137:2                        Detects a server hello without a client hello when Server side data is trusted is disabled, which is invalid and considered to be anomalous behavior. See  for more information.
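The two session-marking conditions listed at the top of this page and the GID 137 rules in Table 25-12 can be traced through a small state machine. The Python below is an added example written for this page; it is not FireSIGHT or Snort source, and the names SslSession, feed and run are its own. It reads TLS record headers from constructed packets (not captured traffic), treats a client handshake record that follows the client's ChangeCipherSpec as the Finished message (the real Finished is encrypted, so its type byte is not readable), marks the session encrypted under the two "Server side data is trusted" conditions quoted above, raises 137:1 and 137:2 as described in the table, and, when Stop inspecting encrypted traffic is set, ignores every later packet in the session. Because this excerpt only gives the marking conditions for the case where Server side data is trusted is enabled, the model never marks a session encrypted when that option is disabled.

```python
"""Toy model of the SSL preprocessor session logic described in this section.
Added illustration, not FireSIGHT or Snort code. Packets and records below
are constructed for the example, not captured traffic."""
import struct
from dataclasses import dataclass, field

# TLS record content types (RFC 5246 section 6.2.1)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
# Handshake message types readable in plaintext handshake records
CLIENT_HELLO, SERVER_HELLO = 1, 2
TLS12 = 0x0303


def record(ctype, body, version=TLS12):
    """Build one TLS record: type(1) version(2) length(2) body."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def parse_records(data):
    """Split a packet payload into (content_type, body) tuples."""
    out, off = [], 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        out.append((ctype, body))
        off += 5 + length
    return out


# Constructed sample records: hello bodies carry only the handshake type byte
# plus padding; the Finished record is opaque ciphertext, as on the wire.
CLIENT_HELLO_REC = record(HANDSHAKE, bytes([CLIENT_HELLO]) + b"\x00" * 3)
SERVER_HELLO_REC = record(HANDSHAKE, bytes([SERVER_HELLO]) + b"\x00" * 3)
CCS_REC = record(CHANGE_CIPHER_SPEC, b"\x01")
FINISHED_REC = record(HANDSHAKE, b"\xaa" * 40)
APP_REC = record(APPLICATION_DATA, b"\xbb" * 64)
ALERT_REC = record(ALERT, b"\x02\x28")  # fatal handshake_failure


@dataclass
class SslSession:
    trust_server: bool                   # "Server side data is trusted"
    stop_inspecting: bool                # "Stop inspecting encrypted traffic"
    saw_all_packets: bool = True         # False models a session with gaps
    saw_client_hello: bool = False
    saw_server_hello: bool = False
    client_ccs: bool = False             # client sent ChangeCipherSpec
    client_finished: bool = False        # client handshake record after CCS
    client_app_clean: bool = False       # client packet: Application, no Alert
    client_app_pending: bool = False     # awaiting the server's answer
    client_app_unanswered: bool = False  # client Application not met by Alert
    encrypted: bool = False
    ignored_packets: int = 0
    events: list = field(default_factory=list)  # "GID:SID" strings

    def feed(self, sender, payload):
        """Process one packet; sender is 'client' or 'server'."""
        if self.encrypted and self.stop_inspecting:
            self.ignored_packets += 1  # session already marked encrypted
            return
        records = parse_records(payload)
        types = [ctype for ctype, _ in records]
        for ctype, body in records:
            self._handshake_state(sender, ctype, body)
        if sender == "client" and APPLICATION_DATA in types:
            self.client_app_pending = True
            self.client_app_unanswered = True  # until a server Alert answers
            if ALERT not in types:
                self.client_app_clean = True
        elif sender == "server" and self.client_app_pending:
            self.client_app_pending = False
            if ALERT in types:
                self.client_app_unanswered = False
        self._update_encrypted()

    def _handshake_state(self, sender, ctype, body):
        if sender == "client":
            if ctype == CHANGE_CIPHER_SPEC:
                self.client_ccs = True
            elif ctype == HANDSHAKE and self.client_ccs:
                self.client_finished = True  # encrypted, so must be Finished
            elif ctype == HANDSHAKE and body and body[0] == CLIENT_HELLO:
                if self.saw_server_hello:
                    self.events.append("137:1")  # client hello after server hello
                self.saw_client_hello = True
        elif ctype == HANDSHAKE and body and body[0] == SERVER_HELLO:
            if not self.saw_client_hello and not self.trust_server:
                self.events.append("137:2")  # server hello without client hello
            self.saw_server_hello = True

    def _update_encrypted(self):
        # This excerpt only gives marking conditions for trusted server data.
        if self.encrypted or not self.trust_server:
            return
        if self.saw_all_packets:
            self.encrypted = self.client_finished and self.client_app_clean
        else:
            self.encrypted = self.client_app_unanswered


def run(packets, **options):
    """Feed (sender, payload) pairs through a fresh session and return it."""
    session = SslSession(**options)
    for sender, payload in packets:
        session.feed(sender, payload)
    return session
```

A full handshake followed by client application data marks the session encrypted, after which every further packet is counted as ignored when Stop inspecting encrypted traffic is on; a client packet that carries an Alert alongside its Application record does not satisfy the first condition; and a server hello seen before any client hello raises 137:2 only while Server side data is trusted is disabled, matching the table.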