Cisco Firepower Management Center 2000
FireSIGHT System User Guide, page 25-72
Chapter 25 Using Application Layer Preprocessors
Using the SSL Preprocessor
• the system observes all packets in a session, Server side data is trusted is enabled, and the session includes a Finished message from the client and at least one packet from the client with an Application record and without an Alert record
• the system misses some of the traffic, Server side data is trusted is enabled, and the session includes at least one packet from the client with an Application record that is not answered with an Alert record
If you choose to stop processing on encrypted traffic, the system ignores future packets in a session after it marks the session as encrypted.
Note: You can add the ssl_state and ssl_version keywords to a rule to use SSL state or version information within the rule. For more information, see . Note that the SSL preprocessor must be enabled to allow processing of rules that contain SSL keywords.
Enabling SSL Preprocessor Rules
License: Protection
When enabled, the SSL preprocessor inspects the contents of the handshake and key exchange messages exchanged at the beginning of an SSL session.
Note that you must enable SSL preprocessor rules, which have a generator ID (GID) of 137, if you want these rules to generate events. A link on the configuration page takes you to a filtered view of SSL preprocessor rules on the intrusion policy Rules page, where you can enable and disable rules and configure other rule actions. See for more information.
The following table describes the SSL preprocessor rules you can enable.
Configuring the SSL Preprocessor
License: Protection
By default, the system attempts to inspect encrypted traffic. When you enable the SSL preprocessor, it detects when a session becomes encrypted. After the SSL preprocessor is enabled, the rules engine can invoke the preprocessor to obtain SSL state and version information. If you enable rules using the ssl_state and ssl_version keywords in an intrusion policy, you should also enable the SSL preprocessor in that policy.
In addition, you can enable the Stop inspecting encrypted traffic option to disable inspection and reassembly for encrypted sessions. The SSL preprocessor maintains state for the session so it can disable inspection of all traffic in the session. The system only stops inspecting traffic in encrypted sessions if SSL preprocessing is enabled and the Stop inspecting encrypted traffic option is selected.
Table 25-12  SSL Preprocessor Rules

Preprocessor Rule GID:SID | Description
--------------------------|------------------------------------------------------------------
137:1                     | Detects a client hello after a server hello, which is invalid and considered to be anomalous behavior.
137:2                     | Detects a server hello without a client hello when Server side data is trusted is disabled, which is invalid and considered to be anomalous behavior. See for more information.
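The following is an added worked example, not Cisco's code and not taken from this guide: it models in Python both the two "session is encrypted" criteria listed at the top of this page (for the case where Server side data is trusted is enabled, the only case this page describes) and the two anomaly rules in Table 25-12. TLS content-type and handshake-type numbers are the RFC 5246 record-layer values; how a Finished message is recognized (a client handshake record following the client's ChangeCipherSpec) and what "answered with an Alert record" means (the next server packet carries an Alert) are assumptions, noted in the code. The sample session at the end is constructed for illustration.

```python
# Added example, not Cisco's code: a simplified model of how the FireSIGHT SSL
# preprocessor (a) decides that a session has become encrypted, per the two
# bullets at the top of this page, and (b) raises the two anomaly rules in
# Table 25-12 (GID 137, SIDs 1 and 2). Record-layer numbers are from RFC 5246;
# Finished recognition and "answered with an Alert" are assumptions noted inline.
from dataclasses import dataclass, field
from typing import List, Optional

# TLS record-layer content types (RFC 5246, section 6.2.1)
CHANGE_CIPHER_SPEC = 20
ALERT = 21
HANDSHAKE = 22
APPLICATION_DATA = 23

# Handshake message types (RFC 5246, section 7.4)
CLIENT_HELLO = 1
SERVER_HELLO = 2
CLIENT_KEY_EXCHANGE = 16


@dataclass
class Record:
    """One TLS record; handshake_type is None for non-handshake or encrypted records."""
    content_type: int
    handshake_type: Optional[int] = None


@dataclass
class Packet:
    """One packet of the session; a packet may carry several records."""
    from_client: bool
    records: List[Record] = field(default_factory=list)

    def has(self, content_type: int) -> bool:
        return any(r.content_type == content_type for r in self.records)


def _answered_with_alert(packets: List[Packet], idx: int) -> bool:
    """Assumption: 'answered' means the next server packet after packets[idx] carries an Alert."""
    for later in packets[idx + 1:]:
        if not later.from_client:
            return later.has(ALERT)
    return False


def session_encrypted(packets: List[Packet], saw_all_packets: bool = True,
                      server_side_trusted: bool = True) -> bool:
    """Return True once the session meets this page's criteria for 'encrypted'."""
    if not server_side_trusted:
        raise ValueError("criteria with 'Server side data is trusted' disabled are not on this page")
    client_ccs = False        # client sent ChangeCipherSpec
    client_finished = False   # assumption: a client handshake record after its CCS is the Finished
    clean_app_packet = False  # client packet with an Application record and no Alert record
    unanswered_app = False    # client Application record not answered by a server Alert
    for i, pkt in enumerate(packets):
        if not pkt.from_client:
            continue
        for r in pkt.records:
            if r.content_type == CHANGE_CIPHER_SPEC:
                client_ccs = True
            elif r.content_type == HANDSHAKE and client_ccs:
                client_finished = True
        if pkt.has(APPLICATION_DATA):
            if not pkt.has(ALERT):
                clean_app_packet = True
            if not _answered_with_alert(packets, i):
                unanswered_app = True
    if saw_all_packets:           # first bullet: Finished from client + clean Application packet
        return client_finished and clean_app_packet
    return unanswered_app         # second bullet: Application record not answered with an Alert


def anomaly_sids(packets: List[Packet], server_side_trusted: bool = True) -> List[str]:
    """Return the Table 25-12 GID:SID values this session would trigger, in the order seen."""
    sids: List[str] = []
    seen_client_hello = seen_server_hello = False
    for pkt in packets:
        for r in pkt.records:
            if r.content_type != HANDSHAKE:
                continue
            if pkt.from_client and r.handshake_type == CLIENT_HELLO:
                if seen_server_hello and "137:1" not in sids:
                    sids.append("137:1")   # client hello after server hello
                seen_client_hello = True
            elif not pkt.from_client and r.handshake_type == SERVER_HELLO:
                if not seen_client_hello and not server_side_trusted and "137:2" not in sids:
                    sids.append("137:2")   # server hello without client hello, trust disabled
                seen_server_hello = True
    return sids


def sample_session() -> List[Packet]:
    """Constructed sample: a full handshake observed, then client application data."""
    return [
        Packet(True, [Record(HANDSHAKE, CLIENT_HELLO)]),
        Packet(False, [Record(HANDSHAKE, SERVER_HELLO)]),
        # ClientKeyExchange, ChangeCipherSpec, then the (encrypted) Finished
        Packet(True, [Record(HANDSHAKE, CLIENT_KEY_EXCHANGE), Record(CHANGE_CIPHER_SPEC), Record(HANDSHAKE)]),
        Packet(False, [Record(CHANGE_CIPHER_SPEC), Record(HANDSHAKE)]),
        Packet(True, [Record(APPLICATION_DATA)]),
    ]


if __name__ == "__main__":
    s = sample_session()
    print("encrypted:", session_encrypted(s), "anomalies:", anomaly_sids(s))
```

Running the module prints that the sample session is encrypted and triggers no anomaly rule. Passing saw_all_packets=False switches to the second bullet's looser test, which is why a session seen only from its first client Application record still counts as encrypted unless the server replies with an Alert; the 137:2 check only fires when server_side_trusted is False, matching the table's condition.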