Cisco FirePOWER Appliance 7120
39-21
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Tip
Connection trackers typically monitor very specific traffic and, when triggered, run only for a finite,
specified time. Compare connection trackers with traffic profiles, which typically monitor a broad range
of network traffic and run persistently; see
There are two ways a connection tracker can generate an event, depending on how you construct the
tracker:
Connection Trackers That Fire Immediately When Conditions Are Met
You can configure a connection tracker so that the correlation rule fires as soon as network traffic meets
the tracker’s conditions. When this happens, the system stops tracking connections for this connection
tracker instance, even if the timeout period has not expired. If the same type of policy violation that
triggered the correlation rule occurs again, the system creates a new connection tracker.
If, on the other hand, time expires before network traffic meets the conditions in the connection tracker,
the Defense Center does not generate a correlation event, and also stops tracking connections for that
rule instance.
For example, a connection tracker can serve as a kind of event threshold by generating a correlation event
only if a certain type of connection occurs more than a specific number of times within a specific time
period. Or, you can generate a correlation event only if the system detects excessive data transfer after
an initial connection.
Connection Trackers That Fire at The End of The Timeout Period
You can configure a connection tracker so that it relies on data collected over the entire timeout period,
and therefore cannot fire until the end of the timeout period.
For example, if you configure a connection tracker to fire if you detect fewer than a certain number of
bytes being transferred during a certain time period, the system waits until that time period passes and
then generates an event if network traffic met that condition.
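The two firing modes above, modelled as a small simulation. This is an added example, not FireSIGHT code: the class and function names are hypothetical, and the timeouts, thresholds and connection records are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Conn:
    ts: float        # seconds since the tracker instance was created (constructed)
    bytes_out: int   # bytes transferred by this tracked connection (constructed)


@dataclass
class ConnectionTracker:
    """Hypothetical model of one connection tracker instance (not Cisco's implementation)."""
    timeout: float                           # tracking window in seconds
    condition: Callable[[List[Conn]], bool]  # criteria evaluated over the tracked connections
    fire_at_timeout: bool = False            # False: fire immediately; True: fire at end of period
    tracked: List[Conn] = field(default_factory=list)
    active: bool = True
    fired: bool = False

    def observe(self, conn: Conn) -> bool:
        """Feed one matching connection; return True if a correlation event is generated now."""
        if not self.active:
            return False                     # a finished instance never fires again
        if conn.ts >= self.timeout:
            return self.expire()             # the window closed before this connection
        self.tracked.append(conn)
        if not self.fire_at_timeout and self.condition(self.tracked):
            self.active = self.fired = False, True  # placeholder, replaced below
            self.active, self.fired = False, True   # fire now and stop tracking
            return True
        return False

    def expire(self) -> bool:
        """Timeout reached: only an end-of-period tracker evaluates now; tracking stops either way."""
        if not self.active:
            return False
        self.active = False
        if self.fire_at_timeout and self.condition(self.tracked):
            self.fired = True
        return self.fired


def threshold_example() -> bool:
    # Event threshold: more than 5 tracked connections within 60 seconds fires immediately.
    t = ConnectionTracker(timeout=60, condition=lambda c: len(c) > 5)
    return any(t.observe(Conn(ts=i * 5, bytes_out=100)) for i in range(10))


def low_transfer_example() -> bool:
    # Fewer than 1000 bytes over 300 seconds: the decision can only be made when the period ends.
    t = ConnectionTracker(timeout=300, fire_at_timeout=True,
                          condition=lambda c: sum(x.bytes_out for x in c) < 1000)
    for ts in (10, 120, 250):
        t.observe(Conn(ts, 200))
    return t.expire()
```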
For more information, see the following sections:
Adding a Connection Tracker
License: FireSIGHT
A connection tracker constrains a correlation rule so that after its initial criteria are met (including host
profile and user qualifications), the system begins tracking certain connections. The Defense Center
generates a correlation event for the rule if the tracked connections meet additional criteria gathered over
a time period that you specify.
When you configure a connection tracker, you must specify:
• which connections you want to track
• the conditions that the connections you are tracking must meet for the Defense Center to generate a
correlation event