Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 25      Using Application Layer Preprocessors
  Using the SSL Preprocessor
To base identification of encrypted traffic only on server traffic, you can enable the Server side data is trusted option; that is, server side data is trusted to indicate that the traffic is encrypted. The SSL preprocessor typically checks both client traffic and the server responses to that traffic to determine if a session is encrypted. However, because the system may not mark a transaction as encrypted if it cannot detect both sides of a session, you can rely on the SSL server to indicate a session is encrypted. Note that when you enable the Server side data is trusted option you must also enable the Stop inspecting encrypted traffic option so the system does not continue inspecting traffic in the encrypted session.
You can specify the ports where the preprocessor monitors traffic for encrypted sessions.
Note: If the SSL preprocessor detects non-SSL traffic over the ports specified for SSL monitoring, it tries to decode the traffic as SSL traffic, and then flags it as corrupt.
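The marking behavior described above, sketched as a small model. This is an added example, not code from Cisco or the FireSIGHT system; it assumes a side indicates encryption when it sends a TLS application-data record, and the names parse_record, SslSession and replay are hypothetical.

```python
import struct

# TLS record content types (first byte of every record header)
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def parse_record(data: bytes):
    """Return the TLS record type name, or None if the bytes are not a TLS record."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in TLS_TYPES or major != 3 or minor > 4 or length > 2**14 + 2048:
        return None
    return TLS_TYPES[ctype]

class SslSession:
    """Simplified model of one session on a monitored port (assumed logic)."""
    def __init__(self, trust_server=False, stop_inspecting=False):
        self.trust_server = trust_server        # "Server side data is trusted"
        self.stop_inspecting = stop_inspecting  # "Stop inspecting encrypted traffic"
        self.seen = {"client": False, "server": False}
        self.encrypted = False

    def packet(self, side, data):
        """Return the action for one packet: 'skip', 'corrupt' or 'inspect'."""
        if self.encrypted and self.stop_inspecting:
            return "skip"
        rtype = parse_record(data)
        if rtype is None:
            return "corrupt"  # non-SSL bytes on a port monitored for SSL
        if rtype == "application_data":
            self.seen[side] = True
        both = self.seen["client"] and self.seen["server"]
        if both or (self.trust_server and self.seen["server"]):
            self.encrypted = True
        return "inspect"

def replay(packets, **options):
    """Feed (side, bytes) pairs through a session; return (encrypted, actions)."""
    session = SslSession(**options)
    actions = [session.packet(side, data) for side, data in packets]
    return session.encrypted, actions

# Constructed sample: the sensor sees only the server half of the session.
HANDSHAKE = bytes([22, 3, 3, 0, 4]) + b"\x0e\x00\x00\x00"
APP_DATA = bytes([23, 3, 3, 0, 3]) + b"\xaa\xbb\xcc"
SERVER_ONLY = [("server", HANDSHAKE), ("server", APP_DATA), ("server", APP_DATA)]
```

Replaying SERVER_ONLY with trust_server=True but stop_inspecting=False marks the session encrypted yet still inspects every packet, which is why the two options are enabled together.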
To configure the SSL preprocessor:
Access: Admin/Intrusion Admin
Step 1
Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2
Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See  for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3
Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.
Step 4
You have two choices, depending on whether SSL Configuration under Application Layer Preprocessors is enabled:
  • If the configuration is enabled, click Edit.
  • If the configuration is disabled, click Enabled, then click Edit.
The SSL Configuration page appears. A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See  for more information.
Step 5
Type the ports, separated by commas, where the SSL preprocessor should monitor traffic for encrypted sessions. Only ports included in the Ports field will be checked for encrypted traffic.
Step 6
Click the Stop inspecting encrypted traffic check box to enable or disable inspection of traffic in a session after the session is marked as encrypted.
Step 7
Click the Server side data is trusted check box to enable or disable identification of encrypted traffic based only on the client-side traffic.
Step 8
Optionally, click Configure Rules for SSL Configuration at the top of the page to display rules associated with individual options.
Click Back to return to the SSL Configuration page.