FireSIGHT System User Guide, page 28-27
Chapter 28: Detecting Specific Threats
Detecting Sensitive Data
In the special case of detecting sensitive data in FTP traffic, specifying the FTP Data application protocol does not invoke detection; instead, it invokes the rapid processing of the FTP/Telnet processor to detect sensitive data in FTP traffic. See  for more information.
• Ensure that the FTP Data detector, which is enabled by default, is enabled. See .
• Ensure that your configuration includes at least one port to monitor for sensitive data. Note that it is not necessary to specify an FTP port except in the unlikely case where you only want to detect sensitive data in FTP traffic. Most sensitive data configurations will include other ports such as HTTP or email ports. In the case where you do want to specify only one FTP port and no other ports to monitor, Cisco recommends that you specify the FTP command port 23. See  for more information.
Using Custom Data Types
License: Protection
You can create and modify custom data types to detect data patterns that you specify. For example, a hospital might create a data type to protect patient numbers, or a university might create a data type to detect student numbers that have a unique numbering pattern.
Each custom data type you create also creates a single sensitive data preprocessor rule that has a generator ID (GID) of 138 and a Snort ID (SID) of 1000000 or greater, that is, a SID for a local rule. You must enable the associated sensitive data rule to enable detection, and event generation, for each custom data type you want to use in your policy. See  for information on enabling rules in an intrusion policy.
To help you enable sensitive data rules, a link on the configuration page takes you to a filtered view of 
the Rules page that displays all predefined and custom sensitive data rules. You can also display only 
custom sensitive data rules by selecting the local rule filtering category on the Rules page. See 
 for more information. Note that custom sensitive data rules are 
not listed on the Rule Editor page.
Custom data types you create are added to all intrusion policies. You must enable the associated sensitive 
data rule in any policy that you want to use to detect and generate events for a particular custom data 
type.
Note that you must use the Sensitive Data Detection configuration page to create data types and their 
associated rules. You cannot use the rule editor to create sensitive data rules.
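The following Python model is an added illustration, not code from Cisco or from this guide. It encodes the behaviour described above: each custom data type gets one preprocessor rule with GID 138 and a local SID of 1000000 or greater; the type exists in every policy, but events appear only in a policy where that rule is enabled and only for traffic on a monitored port. The class and function names, the use of Python regular expressions for the pattern (the product has its own simplified pattern syntax), the threshold field, and the sample payload are all assumptions made for the example.

```python
"""Toy model of FireSIGHT-style custom sensitive data rules (illustration only).

Assumptions: patterns are ordinary Python regular expressions rather than the
product's own pattern language; the threshold field and all names are invented
for this example.
"""
import re
from dataclasses import dataclass, field

SENSITIVE_DATA_GID = 138      # generator ID stated in the guide
FIRST_LOCAL_SID = 1000000     # custom data types get SIDs from here upward


@dataclass
class CustomDataType:
    name: str
    pattern: str              # assumption: Python regex, not the product syntax
    threshold: int = 1        # occurrences needed before an event is raised
    sid: int = 0              # assigned when the type is registered


@dataclass
class IntrusionPolicy:
    name: str
    monitored_ports: set
    enabled_rules: set = field(default_factory=set)

    def enable_rule(self, gid: int, sid: int) -> None:
        self.enabled_rules.add((gid, sid))


class SensitiveDataConfig:
    """Registry of custom data types; hands out one GID 138 rule per type."""

    def __init__(self) -> None:
        self.types = []
        self._next_sid = FIRST_LOCAL_SID

    def add_type(self, name: str, pattern: str, threshold: int = 1) -> CustomDataType:
        re.compile(pattern)   # reject a malformed pattern at configuration time
        dtype = CustomDataType(name, pattern, threshold, sid=self._next_sid)
        self._next_sid += 1   # every custom type is a distinct local rule
        self.types.append(dtype)
        return dtype

    def scan(self, policy: IntrusionPolicy, dst_port: int, payload: str) -> list:
        """Return the events the given policy would generate for one session."""
        if dst_port not in policy.monitored_ports:
            return []         # a monitored port must cover the traffic
        events = []
        for dtype in self.types:
            if (SENSITIVE_DATA_GID, dtype.sid) not in policy.enabled_rules:
                continue      # the type's rule must be enabled in this policy
            hits = len(re.findall(dtype.pattern, payload))
            if hits >= dtype.threshold:
                events.append({"gid": SENSITIVE_DATA_GID, "sid": dtype.sid,
                               "data_type": dtype.name, "count": hits})
        return events


def demo() -> tuple:
    """Constructed scenario: a hospital patient-number type across two policies."""
    config = SensitiveDataConfig()
    patient = config.add_type("Patient Number", r"\bPAT-\d{6}\b", threshold=2)

    # Constructed sample payload: an HTTP response body carrying three IDs.
    body = "record PAT-104233; referral PAT-104234; archived PAT-990001"

    # Policy A enables the rule; policy B has the type but never enabled its rule.
    policy_a = IntrusionPolicy("clinic-web", monitored_ports={80, 443})
    policy_a.enable_rule(SENSITIVE_DATA_GID, patient.sid)
    policy_b = IntrusionPolicy("lab-default", monitored_ports={80, 443})

    return (config.scan(policy_a, 80, body),     # one event: rule enabled, port monitored
            config.scan(policy_b, 80, body),     # none: rule not enabled in this policy
            config.scan(policy_a, 8080, body))   # none: port not monitored


if __name__ == "__main__":
    for label, events in zip(("A/80", "B/80", "A/8080"), demo()):
        print(label, events)
```

The two empty results are the point: the data type is present in both policies, but without the GID 138 rule enabled in policy B, or without the destination port in the monitored set, no event is ever raised, which is the usual reason a freshly created custom data type appears to "do nothing".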
See the following sections for more information:
Defining Data Patterns in Custom Data Types
License: Protection
You define the data pattern for a custom data type using a simple set of regular expressions made up of the following:
• three metacharacters