Cisco Firepower Management Center 4000
39-27
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
In this example, the system detected a connection that met the basic conditions of the correlation rule,
that is, the system detected a connection from a host outside the 10.1.0.0/16 network to a host inside the
network. This created a connection tracker.
The connection tracker is processed in the following stages:
Step 1
The system starts tracking connections when it detects a connection from Host A outside the network to
Host 1 inside the network.
Step 2
The system detects two more connections that match the connection tracker signature: Host B to Host 2
and Host C to Host 1.
Step 3
The system detects a fourth qualifying connection when Host A connects to Host 3 within the
two-minute time limit. The rule conditions are met.
Step 4
The Defense Center generates a correlation event and the system stops tracking connections.
Example: Excessive BitTorrent Data Transfers
Consider a scenario where you want to generate a correlation event if the system detects excessive
BitTorrent data transfers after an initial connection to any host on your monitored network.
The following graphic shows a correlation rule that triggers when the system detects the BitTorrent
application protocol on your monitored network. The rule has a connection tracker that constrains the
rule so that the rule triggers only if hosts on your monitored network (in this example, 10.1.0.0/16)
collectively transfer more than 7MB of data (7340032 bytes) via BitTorrent in the five minutes following
the initial policy violation.
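The two connection trackers described on this page (four outside-to-inside connections within two minutes, and more than 7 MB of BitTorrent traffic within five minutes) can be replayed against sample connection records to see exactly when a correlation event would fire. The following Python block is an added example written for this page; it is not Cisco code and does not reproduce the FireSIGHT implementation. The names Connection, Tracker, run_rule, the sample hosts, timestamps and byte counts are all assumptions made for the illustration, as is the choice to count the initial qualifying connection toward the tracker total (in the first example it is the first of the four connections).

```python
# Added example (not Cisco code): a simplified connection tracker that models the
# two correlation rules described above. Connection, Tracker, run_rule and the
# sample connections are assumptions made for this illustration.
import operator
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable, List, Optional

MONITORED = ip_network("10.1.0.0/16")   # the monitored network from the examples


@dataclass
class Connection:
    ts: float            # seconds; constructed sample timestamps
    src: str
    dst: str
    app: str = ""        # application protocol as the sensor would identify it
    nbytes: int = 0      # bytes transferred in the connection


@dataclass
class Tracker:
    """One tracker, created by the initial qualifying connection.

    Assumption: the initial connection contributes to the total (in the first
    example it is the first of the four connections)."""
    started_at: float
    window: float
    total: int = 0

    def expired(self, ts: float) -> bool:
        return ts > self.started_at + self.window


def outside_to_inside(c: Connection) -> bool:
    """Rule/tracker signature of the first example."""
    return ip_address(c.src) not in MONITORED and ip_address(c.dst) in MONITORED


def bittorrent_on_network(c: Connection) -> bool:
    """Rule/tracker signature of the BitTorrent example."""
    return c.app == "BitTorrent" and (
        ip_address(c.src) in MONITORED or ip_address(c.dst) in MONITORED
    )


def run_rule(conns: Iterable[Connection], signature: Callable[[Connection], bool],
             window: float, threshold: int, measure: Callable[[Connection], int],
             compare: Callable[[int, int], bool] = operator.gt) -> List[float]:
    """Replay connections in time order and return the timestamps at which a
    correlation event would be generated.

    - a qualifying connection with no active tracker starts one (Step 1);
    - later qualifying connections inside the window add to the total (Step 2);
    - once compare(total, threshold) holds, an event is generated and tracking
      stops (Steps 3 and 4);
    - a qualifying connection after the window has elapsed starts a new tracker.
    """
    events: List[float] = []
    tracker: Optional[Tracker] = None
    for c in sorted(conns, key=lambda x: x.ts):
        if not signature(c):
            continue                      # e.g. internal-only or non-BitTorrent traffic
        if tracker is None or tracker.expired(c.ts):
            tracker = Tracker(started_at=c.ts, window=window)
        tracker.total += measure(c)
        if compare(tracker.total, threshold):
            events.append(c.ts)
            tracker = None                # Step 4: stop tracking once conditions are met
    return events


# Constructed sample traffic for the first example (A, B, C outside; 1, 2, 3 inside).
INBOUND_SAMPLE = [
    Connection(1000.0, "203.0.113.10", "10.1.0.1"),   # Host A -> Host 1, starts tracker
    Connection(1030.0, "198.51.100.5", "10.1.0.2"),   # Host B -> Host 2
    Connection(1045.0, "192.0.2.7",    "10.1.0.1"),   # Host C -> Host 1
    Connection(1060.0, "10.1.0.5",     "10.1.0.6"),   # internal, does not match
    Connection(1100.0, "203.0.113.10", "10.1.0.3"),   # Host A -> Host 3, fourth within 2 min
]

# Constructed sample traffic for the BitTorrent example.
BITTORRENT_SAMPLE = [
    Connection(2000.0, "10.1.0.10", "203.0.113.50", "BitTorrent", 3_000_000),
    Connection(2100.0, "10.1.0.11", "198.51.100.9", "BitTorrent", 2_500_000),
    Connection(2200.0, "10.1.0.10", "192.0.2.20",   "HTTP",       5_000_000),  # ignored
    Connection(2250.0, "10.1.0.12", "203.0.113.51", "BitTorrent", 2_000_000),  # total > 7 MB
]

SEVEN_MB = 7_340_032


def example_outside_to_inside(conns=INBOUND_SAMPLE) -> List[float]:
    # at least four outside->inside connections within two minutes
    return run_rule(conns, outside_to_inside, window=120.0, threshold=4,
                    measure=lambda c: 1, compare=operator.ge)


def example_bittorrent(conns=BITTORRENT_SAMPLE) -> List[float]:
    # more than 7 MB (7340032 bytes) of BitTorrent traffic within five minutes
    return run_rule(conns, bittorrent_on_network, window=300.0, threshold=SEVEN_MB,
                    measure=lambda c: c.nbytes, compare=operator.gt)


if __name__ == "__main__":
    print("outside->inside events:", example_outside_to_inside())   # [1100.0]
    print("BitTorrent events:", example_bittorrent())                # [2250.0]
```

Moving the fourth inbound connection to 1130.0 (ten seconds past the two-minute window) or the last BitTorrent transfer past the five-minute window produces no event: the late connection starts a fresh tracker instead of completing the old one, which is the behaviour a practitioner should expect when tuning the tracker's time limit.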