Cisco FirePOWER Appliance 7115, Version 5.3
Sourcefire 3D System User Guide
Chapter 36: Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
The Syntax for Malware Events table describes how to build a correlation rule condition when you choose a malware event as the base event.
Syntax for Malware Events

If you specify...                  | Select an operator, then...
-----------------------------------|--------------------------------------------------------------------------
Application Protocol               | Select one or more application protocols associated with the malware event.
Application Protocol Category      | Select one or more application protocol categories.
Client                             | Select one or more clients associated with the malware event.
Client Category                    | Select one or more client categories.
Destination IP, Host IP,           | Specify a single IP address or address block. For information on using IP
or Source IP                       | address notation in the Sourcefire 3D System, see
Destination Port/ICMP Code         | Type the port number or ICMP code for destination traffic.
Disposition                        | Select Malware, Custom Detection, or both.
Event Type                         | Select one or more endpoint-based event types associated with the malware
                                   | event. For more information, see
File Name                          | Type the name of the file.
File Type                          | Select the type of file, for example, PDF or MSEXE.
File Type Category                 | Select one or more file type categories, for example, Office Documents or
                                   | Executables.
IOC Tag                            | Select whether an IOC tag is or is not set as a result of the malware event.
SHA-256                            | Type or paste the SHA-256 hash value of the file.
Source Port/ICMP Type              | Type the port number or ICMP type for source traffic.
Web Application                    | Select one or more web applications associated with the malware event.
Web Application Category           | Select one or more web application categories.
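To make the table concrete, the following is an added illustration of how conditions built from these fields evaluate against malware events. It is not Cisco or Sourcefire code and does not reflect how the appliance stores rules: it assumes each event is a flat dictionary keyed by the field names in the table, and it assumes a small operator set ("is", "is not", "is in", "is not in", and "is set"/"is not set" for the IOC Tag field). The sample events are constructed for the example; the IP addresses are documentation ranges and the SHA-256 value is a placeholder.

```python
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, List, Sequence

# Fields from the syntax table that take a single IP address or an address block.
IP_FIELDS = {"Destination IP", "Host IP", "Source IP"}


@dataclass(frozen=True)
class Condition:
    """One condition of a correlation rule: a table field, an operator and a value.

    Operators assumed for this example: "is", "is not", "is in", "is not in",
    and "is set" / "is not set" (for the IOC Tag field).
    """
    field: str
    operator: str
    value: Any = None


def _as_list(value: Any) -> List[Any]:
    """Accept a single value or a collection of values for 'is in' style tests."""
    if isinstance(value, (str, bytes)) or not hasattr(value, "__iter__"):
        return [value]
    return list(value)


def _normalize(field: str, value: Any) -> Any:
    """SHA-256 hashes are compared case-insensitively; other fields as-is."""
    return value.lower() if field == "SHA-256" and isinstance(value, str) else value


def _ip_in_block(addr: str, block: str) -> bool:
    """A single address or a CIDR block; strict=False tolerates host bits set."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(block, strict=False)


def condition_matches(cond: Condition, event: Dict[str, Any]) -> bool:
    """Evaluate one condition against one malware event (a flat dict)."""
    actual = event.get(cond.field)
    if cond.operator == "is set":            # IOC Tag set as a result of the event
        return bool(actual)
    if cond.operator == "is not set":
        return not actual
    negate = cond.operator in ("is not", "is not in")
    if actual is None:                        # field absent: only negated tests pass
        return negate
    if cond.field in IP_FIELDS:
        hit = any(_ip_in_block(actual, blk) for blk in _as_list(cond.value))
    else:
        wanted = {_normalize(cond.field, v) for v in _as_list(cond.value)}
        hit = _normalize(cond.field, actual) in wanted
    return not hit if negate else hit


def rule_matches(conditions: Sequence[Condition], event: Dict[str, Any],
                 require_all: bool = True) -> bool:
    """AND the conditions (default) or OR them, as a rule's condition group would."""
    results = [condition_matches(c, event) for c in conditions]
    return all(results) if require_all else any(results)


def matching_events(conditions: Sequence[Condition],
                    events: Sequence[Dict[str, Any]]) -> List[int]:
    """Indices of the events that would trigger the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(conditions, ev)]


# Constructed sample events (not real appliance output).
SAMPLE_EVENTS = [
    {   # event 0: executable with a Malware disposition and an IOC tag set
        "Disposition": "Malware", "File Name": "invoice.exe",
        "File Type": "MSEXE", "File Type Category": "Executables",
        "Source IP": "10.0.0.5", "Destination IP": "198.51.100.7",
        "Destination Port/ICMP Code": 443, "Application Protocol": "HTTPS",
        "IOC Tag": True, "SHA-256": "AB" * 32,   # placeholder hash
    },
    {   # event 1: clean PDF, no IOC tag
        "Disposition": "Clean", "File Type": "PDF",
        "File Type Category": "Office Documents",
        "Source IP": "10.0.0.6", "Destination IP": "203.0.113.4", "IOC Tag": False,
    },
    {   # event 2: custom detection on an office document
        "Disposition": "Custom Detection", "File Type": "PDF",
        "File Type Category": "Office Documents",
        "Source IP": "10.0.0.7", "Destination IP": "198.51.100.9", "IOC Tag": True,
    },
]

# Rule: Disposition is Malware or Custom Detection, AND the file is an
# executable, AND the destination is inside the 198.51.100.0/24 block.
EXAMPLE_RULE = [
    Condition("Disposition", "is in", ("Malware", "Custom Detection")),
    Condition("File Type Category", "is", "Executables"),
    Condition("Destination IP", "is", "198.51.100.0/24"),
]

if __name__ == "__main__":
    print("events triggering the rule:", matching_events(EXAMPLE_RULE, SAMPLE_EVENTS))
```

Note the two behaviours that matter when a rule is tuned: a negated condition ("is not", "is not in") on a field the event does not carry still passes, so a rule built only from negations can match more broadly than intended, and IP conditions accept an address block, so a single condition covers a whole subnet.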