Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide, Chapter 39: Configuring Correlation Policies and Rules (page 39-7)
Creating Rules for Correlation Policies
Tip
You can nest rules that share the base event type you specified in step . For example, if you create a new rule based on the detection of an open TCP port, the trigger criteria for the new rule could include rule “MyDoom Worm” is true and rule “Kazaa (TCP) P2P” is true.
Step 3
Optionally, continue with the procedures in the following sections:
•
•
•
•
If you are finished building the correlation rule, continue with step of the procedure in to save the rule.
Syntax for Intrusion Events
License: Protection
The following table describes how to build a correlation rule condition when you choose an intrusion event as the base event.
Table 39-2
Syntax for Intrusion Events
If you specify...                    Select an operator, then...

Access Control Policy
    Select one or more access control policies that use the intrusion policy that generated the intrusion event.

Access Control Rule Name
    Type all or part of the name of the access control rule that uses the intrusion policy that generated the intrusion event. Because part of a name matches, a short fragment such as "Allow" also matches every other rule whose name contains it; type enough of the name to single out the rule you mean.

Application Protocol
    Select one or more application protocols associated with the intrusion event.

Application Protocol Category
    Select one or more application protocol categories.

Classification
    Select one or more classifications.

Client
    Select one or more clients associated with the intrusion event.

Client Category
    Select one or more client categories.

Destination IP, Source IP, or Source/Destination IP
    Specify a single IP address, an address block, or a comma-separated list comprised of any of these. For information on using IP address notation and prefix lengths in the FireSIGHT System, see .
    Note that you cannot enter a comma-separated list if you select is in or is not in as the operator for the condition; with those operators the value is a single address or a single address block.

Destination Port/ICMP Code or Source Port/ICMP Type
    Type the port number (TCP/UDP) or ICMP type for source traffic, or the port number (TCP/UDP) or ICMP code for destination traffic.

Device
    Select one or more devices that may have generated the event.

Egress Interface or Ingress Interface
    Select one or more interfaces.

Egress Security Zone or Ingress Security Zone
    Select one or more security zones.
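To make the condition semantics of Table 39-2 concrete, and to show the nesting restriction from the tip at the top of this page, the following is an added example written for this page; it is not Cisco code and not the FireSIGHT correlation engine. It models a rule set in Python: each condition is a field, an operator and a value evaluated against a constructed intrusion event; IP values accept a single address, an address block or a comma-separated list, except that a list is rejected with "is in"/"is not in"; and a rule may nest only rules that share its base event type. The field names, operator spellings, the treatment of Source/Destination IP as "either side of the connection", the event dictionary layout and every sample value are assumptions made for the example.

```python
# Added example, not Cisco's code or the FireSIGHT correlation engine: a model
# of Table 39-2 conditions and the rule-nesting tip. Field names, operator
# spellings, the event dict layout and all sample data are assumptions.
import ipaddress
from dataclasses import dataclass, field

IP_FIELDS = {"source_ip", "destination_ip", "source_or_destination_ip"}
NEGATING = {"is not", "is not in"}

def parse_ip_value(value, operator):
    """Parse a single IP, an address block, or a comma-separated list of these.
    Table 39-2: a list cannot be combined with 'is in' / 'is not in'."""
    parts = [p.strip() for p in str(value).split(",") if p.strip()]
    if not parts:
        raise ValueError("empty IP value")
    if len(parts) > 1 and operator in ("is in", "is not in"):
        raise ValueError(f"comma-separated list not allowed with {operator!r}")
    # A bare address becomes a /32 (or /128) network, so one membership test
    # covers both exact addresses and address blocks.
    return [ipaddress.ip_network(p, strict=False) for p in parts]

@dataclass
class Condition:
    """One table row: the field you specify, an operator, and a value."""
    field_name: str
    operator: str
    value: object

    def matches(self, event):
        negate = self.operator in NEGATING
        if self.field_name in IP_FIELDS:
            nets = parse_ip_value(self.value, self.operator)
            if self.field_name == "source_or_destination_ip":  # assumed: either side
                addrs = [event["source_ip"], event["destination_ip"]]
            else:
                addrs = [event[self.field_name]]
            hit = any(ipaddress.ip_address(a) in n for a in addrs for n in nets)
            return hit != negate
        actual = event.get(self.field_name)
        if self.operator == "contains":  # "all or part of the name", assumed case-insensitive
            return str(self.value).lower() in str(actual).lower()
        if self.operator in ("is", "is not"):
            # Multi-select fields (policy, device, zone, ...) take a list; any match counts.
            allowed = self.value if isinstance(self.value, (list, tuple, set)) else [self.value]
            return (actual in allowed) != negate
        raise ValueError(f"unsupported operator {self.operator!r} for {self.field_name!r}")

@dataclass
class Rule:
    name: str
    base_event: str                              # e.g. "intrusion"
    conditions: list                             # all must match (AND)
    nested: list = field(default_factory=list)   # 'rule "X" is true' criteria

class RuleSet:
    def __init__(self):
        self.rules = {}

    def add(self, rule):
        # The tip: a rule may only nest rules that share its base event type.
        for other in rule.nested:
            if self.rules[other].base_event != rule.base_event:
                raise ValueError(f"{other!r} has a different base event type than {rule.name!r}")
        self.rules[rule.name] = rule

    def evaluate(self, name, event):
        rule = self.rules[name]
        if event.get("event_type") != rule.base_event:
            return False
        return (all(c.matches(event) for c in rule.conditions)
                and all(self.evaluate(n, event) for n in rule.nested))

def build_ruleset():
    """Three constructed rules; the third nests the first two (same base event)."""
    rs = RuleSet()
    rs.add(Rule("Kazaa (TCP) P2P", "intrusion",
                [Condition("application_protocol", "is", "Kazaa"),
                 Condition("destination_port", "is", 1214)]))
    rs.add(Rule("Internal Source", "intrusion",
                [Condition("source_ip", "is in", "10.0.0.0/8")]))
    rs.add(Rule("P2P from internal host", "intrusion",
                [Condition("access_control_rule", "contains", "outbound")],
                nested=["Kazaa (TCP) P2P", "Internal Source"]))
    return rs

# Constructed sample intrusion events (not real FireSIGHT output).
SAMPLE_EVENTS = {
    "p2p_from_inside": {"event_type": "intrusion", "source_ip": "10.20.30.40",
                        "destination_ip": "198.51.100.9", "destination_port": 1214,
                        "application_protocol": "Kazaa", "access_control_rule": "Allow-Outbound-Web"},
    "p2p_from_outside": {"event_type": "intrusion", "source_ip": "198.51.100.9",
                         "destination_ip": "10.20.30.40", "destination_port": 1214,
                         "application_protocol": "Kazaa", "access_control_rule": "Allow-Inbound-Web"},
}

def check_samples():
    """Evaluate the nesting rule on each constructed event; returns {label: bool}."""
    rs = build_ruleset()
    return {k: rs.evaluate("P2P from internal host", ev) for k, ev in SAMPLE_EVENTS.items()}
```

Running check_samples() reports True for the event whose source lies in 10.0.0.0/8 and False for the inbound one, and RuleSet.add refuses a rule that tries to nest "Internal Source" under a different base event type, which is the restriction the tip describes.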