Cisco Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Using the SSL Preprocessor
• The SSL preprocessor requires TCP stream preprocessing. If TCP stream preprocessing is disabled
and you enable the SSL preprocessor, you are prompted when you save the policy whether to enable
TCP stream preprocessing. See
and
for more information.
• When an intrusion rule that requires this preprocessor is enabled in an intrusion policy where the
preprocessor is disabled, you must enable the preprocessor or choose to allow the system to enable
it automatically before you can save the policy. For more information, see
For more information, see the following sections:
•
•
•
Understanding SSL Preprocessing
License: Protection
The SSL preprocessor stops inspection of encrypted data, which can help to eliminate false positives.
The SSL preprocessor maintains state information as it inspects the SSL handshake, tracking both the
state and SSL version for that session. When the preprocessor detects that a session state is encrypted,
the system marks the traffic in that session as encrypted. You can configure the system to stop processing
on all packets in an encrypted session when encryption is established.
For each packet, the SSL preprocessor verifies that the traffic contains an IP header, a TCP header, and
a TCP payload, and that it occurs on the ports specified for SSL preprocessing. For qualifying traffic,
the following scenarios determine whether the traffic is encrypted:
• the system observes all packets in a session, Server side data is trusted is not enabled, and the
session includes a Finished message from both the server and the client and at least one packet from
each side with an Application record and without an Alert record
• the system misses some of the traffic, Server side data is trusted is not enabled, and the session
includes at least one packet from each side with an Application record that is not answered with an
Alert record
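The two scenarios listed above can be expressed as a decision over the TLS record types seen from each side. The following Python sketch is an added example, not Cisco's or Snort's code. It assumes that a Handshake record following a ChangeCipherSpec from the same side is the Finished message, that "answered" means the peer's next packet, and that Server side data is trusted is not enabled; all function names and sample sessions are constructed for illustration.

```python
import struct

CCS, ALERT, HANDSHAKE, APPDATA = 20, 21, 22, 23  # TLS record content types

def record_types(payload):
    """Return the content type of each TLS record in one TCP payload."""
    types, off = [], 0
    while off + 5 <= len(payload):
        ctype, _version, length = struct.unpack_from("!BHH", payload, off)
        types.append(ctype)
        off += 5 + length
    return types

def is_encrypted(packets, saw_all_packets):
    """packets: ordered (side, tcp_payload) pairs, side is 'client' or 'server'."""
    sides = ("client", "server")
    ccs = dict.fromkeys(sides, False)
    finished = dict.fromkeys(sides, False)
    clean_app = dict.fromkeys(sides, False)   # Application record, no Alert in packet
    unanswered = dict.fromkeys(sides, False)  # Application record not met by an Alert
    pending = None                            # side whose Application awaits a reply
    for side, payload in packets:
        types = record_types(payload)
        for t in types:
            if t == HANDSHAKE and ccs[side]:
                finished[side] = True         # assumption: handshake after CCS = Finished
            ccs[side] = ccs[side] or t == CCS
        if pending and pending != side:
            unanswered[pending] = unanswered[pending] or ALERT not in types
            pending = None
        if APPDATA in types:
            clean_app[side] = clean_app[side] or ALERT not in types
            pending = side
    if pending:
        unanswered[pending] = True            # assumption: capture ended with no reply
    if saw_all_packets:                       # first scenario on the page
        return all(finished.values()) and all(clean_app.values())
    return all(unanswered.values())           # second scenario on the page

def rec(ctype, body=b"\x00" * 4):
    """Build one constructed TLS 1.2 record with a dummy body."""
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

# Constructed sample sessions (not captured traffic).
FULL = [("client", rec(HANDSHAKE)), ("server", rec(HANDSHAKE)),
        ("client", rec(HANDSHAKE) + rec(CCS) + rec(HANDSHAKE)),
        ("server", rec(CCS) + rec(HANDSHAKE)),
        ("client", rec(APPDATA)), ("server", rec(APPDATA))]
MIDSTREAM = [("client", rec(APPDATA)), ("server", rec(APPDATA))]
REJECTED = [("client", rec(APPDATA)), ("server", rec(ALERT))]
```

MIDSTREAM qualifies as encrypted only under the missed-traffic scenario, because no Finished messages were observed; REJECTED never qualifies, because the server answers the client's Application record with an Alert.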