Cisco Firepower Management Center 4000

FireSIGHT System User Guide, page 39-29
Chapter 39: Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies

In this example, the system detected the BitTorrent TCP application protocol on two different hosts: Host 1 and Host 2. These two hosts transmitted data via BitTorrent to four other hosts: Host A, Host B, Host C, and Host D.

This connection tracker is processed in the following stages:

Step 1
The system starts tracking connections at the 0-second marker, when the system detects the BitTorrent application protocol on Host 1.
Note that the connection tracker will expire if the system does not detect 7MB of BitTorrent TCP data being transmitted in the next 5 minutes (by the 300-second marker).

Step 2
At 5 seconds, Host 1 has transmitted 3MB of data that matches the signature:
  • 1MB from Host 1 to Host A, at the 1-second marker (1MB total BitTorrent traffic counted towards fulfilling the connection tracker)
  • 2MB from Host 1 to Host B, at the 5-second marker (3MB total)

Step 3
At 7 seconds, the system detects the BitTorrent application protocol on Host 2 and starts tracking BitTorrent connections for that host as well.
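As an added illustration that is not from the guide or the FireSIGHT product, the following Python simulation replays Steps 1 to 3 against a minimal per-host byte counter with the example's 7MB threshold and 300-second window, then continues with constructed events to show both a fulfilled and an expired tracker. The events after Step 3, reading MB as 2**20 bytes, expiring strictly after the 300-second marker, and not restarting a tracker on a repeat detection are assumptions made here, not behaviour the guide states.

```python
MB = 1024 * 1024      # assumption: "MB" in the guide's example read as 2**20 bytes
THRESHOLD = 7 * MB    # 7MB of BitTorrent TCP data (from the example)
WINDOW = 300          # 5-minute window in seconds (from the example)

class ConnectionTracker:
    """Per-host byte counter: starts on the trigger event, fulfilled at the threshold,
    discarded when the window passes without reaching it (simulation, not Cisco code)."""
    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold, self.window = threshold, window
        self.active = {}   # host -> [start_time, bytes_counted]
        self.fired = []    # (host, time) at which the tracker was fulfilled
        self.expired = []  # (host, time) at which an unfulfilled tracker timed out

    def _expire(self, now):
        for host, (start, _) in list(self.active.items()):
            if now - start > self.window:   # assumption: still valid at exactly 300 s
                del self.active[host]
                self.expired.append((host, now))

    def on_app_detected(self, host, now):
        """Trigger: the application protocol was detected on `host`; start tracking it."""
        self._expire(now)
        self.active.setdefault(host, [now, 0])   # assumption: repeat detection does not restart

    def on_connection(self, src, nbytes, now):
        """Matching connection from `src`; its bytes count only while `src` is tracked.
        Returns True when the threshold is reached, False if not yet, None if untracked."""
        self._expire(now)
        if src not in self.active:
            return None
        self.active[src][1] += nbytes
        if self.active[src][1] >= self.threshold:
            del self.active[src]
            self.fired.append((src, now))
            return True
        return False

def run_example():
    """Replays the guide's Steps 1-3, then constructed events that are not from the guide."""
    ct = ConnectionTracker()
    ct.on_app_detected("Host 1", 0)          # Step 1: tracking starts at the 0-second marker
    ct.on_connection("Host 1", 1 * MB, 1)    # Step 2: 1MB to Host A (1MB counted)
    ct.on_connection("Host 1", 2 * MB, 5)    # Step 2: 2MB to Host B (3MB counted)
    ct.on_app_detected("Host 2", 7)          # Step 3: Host 2 now tracked as well
    ct.on_connection("Host 1", 4 * MB, 60)   # constructed: 7MB reached, Host 1 tracker fulfilled
    ct.on_connection("Host 2", 2 * MB, 90)   # constructed: Host 2 at 2MB, still short
    ct.on_connection("Host 2", 1 * MB, 320)  # constructed: past 300 s, Host 2 tracker expired
    return ct
```

Bytes from a host that has not yet triggered the tracker are ignored, which is why a connection from an untracked host returns None rather than counting towards any threshold.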