Cisco Firepower Management Center 2000
39-15
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Syntax for Traffic Profile Changes
License: Any
If you base your correlation rule on a traffic profile change, the rule triggers when network traffic deviates from your normal network traffic pattern as characterized in an existing traffic profile. For information on how to build a traffic profile, see
You can trigger the rule based on either raw data or on the statistics calculated from the data. For example, you could write a rule that triggers if the amount of data traversing your network (measured in bytes) suddenly spikes, which could indicate an attack or other security policy violation. You could specify that the rule trigger if either:
• the number of bytes traversing your network spikes above a certain number of standard deviations above or below the mean amount of traffic
Note that to create a rule that triggers when the number of bytes traversing your network falls outside a certain number of standard deviations (whether above or below), you must specify upper and lower bounds, as shown in the following graphic.
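The standard-deviation rule described above, as an added example that is not part of the guide: a small Python check over a constructed per-interval byte baseline, showing why a rule with only an upper bound misses a sudden drop in traffic that a rule with both bounds catches. The function names and sample figures are my own and do not correspond to any FireSIGHT API.

```python
"""Added example (not from the FireSIGHT guide): a traffic-profile style
check that flags an interval whose byte count lies more than N standard
deviations from the profile mean, with explicit upper and lower bounds."""
from statistics import mean, pstdev

# Constructed baseline: bytes observed per 5-minute interval while the
# profile was being built (the "normal" traffic pattern).
BASELINE_BYTES = [
    52_000, 48_500, 51_200, 49_800, 50_400, 47_900, 53_100, 50_900,
    49_300, 51_700, 48_800, 50_100, 52_300, 49_600, 50_700, 51_000,
]


def build_profile(samples):
    """Summarise a baseline into the statistics a profile-change rule uses."""
    return {"mean": mean(samples), "stdev": pstdev(samples)}


def deviation(profile, observed):
    """Signed number of standard deviations `observed` lies from the mean."""
    return (observed - profile["mean"]) / profile["stdev"]


def rule_upper_only(profile, observed, sigmas):
    """Rule with only an upper bound: bytes > mean + sigmas * stdev."""
    return deviation(profile, observed) > sigmas


def rule_upper_and_lower(profile, observed, sigmas):
    """Rule with both bounds, as the guide requires to catch deviation in
    either direction: bytes > mean + s*stdev OR bytes < mean - s*stdev."""
    return abs(deviation(profile, observed)) > sigmas


if __name__ == "__main__":
    profile = build_profile(BASELINE_BYTES)
    # A spike trips both rules; a drop trips only the two-sided rule.
    for label, observed in [("spike", 90_000), ("drop", 10_000), ("normal", 50_500)]:
        print(label, observed,
              "upper-only:", rule_upper_only(profile, observed, 3),
              "both bounds:", rule_upper_and_lower(profile, observed, 3))
```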
Table 39-9 Syntax for Connection Events (continued)
Columns: "If you specify..." / "Select an operator, then..."

Initiator Packets, Responder Packets, or Total Packets
    Type one of:
    • the number of packets transmitted (Initiator Packets).
    • the number of packets received (Responder Packets).
    • the number of packets both transmitted and received (Total Packets).

Initiator Port/ICMP Type or Responder Port/ICMP Code
    Type the port number or ICMP type for initiator traffic or the port number or ICMP code for responder traffic.

IOC Tag
    Select whether an IOC tag is or is not set as a result of the connection event.

NETBIOS Name
    Type the NetBIOS name of the monitored host in the connection.

NetFlow Device
    Select the IP address of the NetFlow-enabled device that exported the connection data you want to use to trigger the correlation rule. If you did not add any NetFlow-enabled devices to your deployment, the NetFlow Device drop-down list is blank.

Reason
    Select one or more reasons associated with the connection event.

TCP Flags
    Select a TCP flag that a connection event must contain in order to trigger the correlation rule.
    Note: Only connection data exported by NetFlow-enabled devices contain TCP flags.

Transport Protocol
    Type the transport protocol used by the connection: TCP or UDP.

URL
    Type all or part of the URL visited in the connection.

URL Category
    Select one or more URL categories for the URL visited in the connection.

URL Reputation
    Select one or more URL reputation values for the URL visited in the connection.

Username
    Type the username of the user logged into either host in the connection.

Web Application
    Select one or more web applications associated with the connection.

Web Application Category
    Select one or more categories of web application.