Cisco Cisco FirePOWER Appliance 7010
40-11
FireSIGHT System User Guide
Chapter 40 Creating Traffic Profiles
Understanding Condition-Building Mechanics
Building a Single Condition
License: FireSIGHT
Most conditions have three parts: a category, an operator, and a value. Some conditions are more complex and contain several categories, each of which may have its own operators and values.
For example, the following traffic profile collects information on the 10.4.x.x network. The category of the condition is Initiator/Responder IP, the operator is "is in", and the value is 10.4.0.0/16.
The following steps explain how to build this traffic profile condition.
To build a single condition:
Access: Admin/Discovery Admin
Step 1
Select Policies > Correlation, then click Traffic Profiles.
The Traffic Profiles page appears.
Step 2
Click New Profile.
The Create Profile page appears.
Step 3
Under Profile Conditions, begin building the profile’s single condition by selecting Initiator/Responder IP from the first (category) drop-down list.
Step 4
Select "is in" from the second (operator) drop-down list.
Tip
When the category represents an IP address, choosing "is in" or "is not in" as the operator allows you to specify whether the IP address is in or is not in a range of IP addresses, as expressed in CIDR notation. For information on using CIDR notation in the FireSIGHT System, see .
Step 5
Type 10.4.0.0/16 in the text field.
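To check which connections a category/operator/value condition like the one built above would select, the following added example (not code from the FireSIGHT System or this guide) evaluates it over constructed connection records. It assumes the Initiator/Responder IP category matches when either endpoint is in the range and that "is not in" is the negation of that; the function names, the sample data and the strict CIDR parsing are choices of this sketch.

```python
import ipaddress

# Constructed sample connections as (initiator, responder); not real traffic.
SAMPLE_CONNECTIONS = [
    ("10.4.0.1", "192.0.2.10"),        # initiator inside 10.4.0.0/16
    ("198.51.100.7", "10.4.255.255"),  # responder is the last address in the range
    ("10.5.0.1", "10.3.255.255"),      # both endpoints just outside the range
    ("10.40.1.1", "203.0.113.5"),      # 10.40.x.x is not 10.4.x.x
]

def parse_range(value):
    """Parse the condition value as CIDR; strict=True rejects host bits
    (e.g. 10.4.1.0/16) so a mistyped range is caught before it is used."""
    return ipaddress.ip_network(value, strict=True)

def condition_matches(operator, value, initiator, responder):
    """Evaluate 'Initiator/Responder IP <operator> <value>' for one connection.

    Assumption: the combined category matches when either endpoint is in
    the range; 'is not in' means neither endpoint is in the range.
    """
    network = parse_range(value)
    hit = any(ipaddress.ip_address(ip) in network
              for ip in (initiator, responder))
    if operator == "is in":
        return hit
    if operator == "is not in":
        return not hit
    raise ValueError(f"unsupported operator: {operator!r}")

def select(operator, value, connections=SAMPLE_CONNECTIONS):
    """Return the connections the condition would select."""
    return [c for c in connections if condition_matches(operator, value, *c)]

if __name__ == "__main__":
    net = parse_range("10.4.0.0/16")
    print(f"{net} covers {net[0]} - {net[-1]} ({net.num_addresses} addresses)")
    for conn in SAMPLE_CONNECTIONS:
        print(conn, condition_matches("is in", "10.4.0.0/16", *conn))
```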
In contrast, the following host profile qualification is more complex; it constrains a traffic profile such that it collects connection data only if the responding host in the detected connection is running a version of Microsoft Windows.