Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
1542
Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Chapter 36
the IP or MAC address of the host, the client name, type, or version, and the
device that detected the event.
Syntax for Discovery Events

| If you specify... | Select an operator, then... |
|---|---|
| Application Protocol | Select one or more application protocols. |
| Application Protocol Category | Select one or more categories of application protocol. |
| Application Port | Type the application protocol port number. |
| Client | Select one or more clients. |
| Client Category | Select one or more categories of client. |
| Client Version | Type the version number of the client. |
| Device | Select one or more devices that may have generated the discovery event. |
| Hardware | Type the hardware model for the mobile device. For example, to match all Apple iPhones, type iPhone. |
| Host Type | Select one or more host types from the drop-down list. You can choose between a host or one of several types of network device. |
| IP Address or New IP Address | Type a single IP address or address block. For information on using IP address notation in the Sourcefire 3D System, see |
| Jailbroken | Select Yes to indicate that the host in the event is a jailbroken mobile device, or No to indicate that it is not. |
| MAC Address | Type all or part of the MAC address of the host. For example, if you know that devices from a certain hardware manufacturer have MAC addresses that begin with 0A:12:34, you could choose begins with as the operator, then type 0A:12:34 as the value. |
| MAC Type | Select whether the MAC address was ARP/DHCP Detected. That is, select whether the system positively identified the MAC address as belonging to the host (is ARP/DHCP Detected), or whether the system is seeing many hosts with that MAC address because, for example, there is a router between the managed device and the host (is not ARP/DHCP Detected). |
| MAC Vendor | Type all or part of the name of the MAC hardware vendor of the NIC used by the network traffic that triggered the discovery event. |
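The following is an added example, not code from the Sourcefire 3D System or this guide. It mimics how the discovery-event conditions in the table above are evaluated against events, and shows why a rule built on a MAC Address "begins with" condition usually also needs "MAC Type is ARP/DHCP Detected": without it, the rule fires for every host seen behind a router whose MAC matches the prefix. The event records, field names and rule tuples are constructed for this illustration.

```python
# Added example (not part of the Cisco/Sourcefire guide): a minimal evaluator for
# discovery-event conditions, using the operators the table describes
# ("is", "is not", "begins with"). Field names are assumptions for this example.
from dataclasses import dataclass


@dataclass
class DiscoveryEvent:
    ip: str
    mac: str
    mac_arp_dhcp_detected: bool  # True = system positively tied the MAC to the host
    hardware: str = ""
    jailbroken: bool = False


# Constructed sample events: one host seen directly (ARP/DHCP Detected) and two
# hosts behind a router, which are reported with the router's MAC address.
EVENTS = [
    DiscoveryEvent("10.1.1.5", "0A:12:34:AA:BB:01", True, "iPhone", True),
    DiscoveryEvent("10.2.2.10", "0A:12:34:00:00:99", False),  # router MAC
    DiscoveryEvent("10.2.2.11", "0A:12:34:00:00:99", False),  # router MAC
]


def match_condition(event, field, operator, value):
    """Evaluate a single (field, operator, value) condition against one event."""
    actual = getattr(event, field)
    if operator == "begins with":
        return str(actual).upper().startswith(str(value).upper())
    if operator == "is":
        return actual == value
    if operator == "is not":
        return actual != value
    raise ValueError(f"unsupported operator: {operator}")


def matching_hosts(events, conditions):
    """Return the IPs of events that satisfy every condition (conditions are ANDed)."""
    return [e.ip for e in events
            if all(match_condition(e, f, op, v) for f, op, v in conditions)]


# Rule built on the MAC prefix alone: also fires for hosts behind the router.
RULE_MAC_ONLY = [("mac", "begins with", "0A:12:34")]
# Same rule, but restricted to MACs the system positively identified.
RULE_MAC_DIRECT = [("mac", "begins with", "0A:12:34"),
                   ("mac_arp_dhcp_detected", "is", True)]
```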