17-5
FireSIGHT System User Guide
Chapter 17      Introduction to Intrusion Prevention
Understanding How Traffic Is Analyzed
After the packets are decoded through the first three TCP/IP layers, they are sent to preprocessors, which 
normalize traffic at the application layer and detect protocol anomalies. After the packets have passed 
through the preprocessors, they are sent to the rules engine. The rules engine inspects the packet headers 
and payloads to determine whether they trigger any shared object rules or standard text rules.
You can enable and disable preprocessors and preprocessor options to suit your environment. For 
example, one of the preprocessors normalizes HTTP traffic. If you are confident that your network does 
not include any web servers using Microsoft Internet Information Services (IIS), you can disable the 
preprocessor option that looks for IIS-specific traffic and thereby reduce system processing overhead.
The rules engine takes three tracks as it inspects packets from the preprocessors:
• the rule optimizer
• the multi-rule search engine
• the event selector
For more information on preprocessors, see .
The rule optimizer classifies all activated rules in subsets based on criteria such as transport layer, 
application protocol, direction to or from the protected network, and so on. As packets arrive at the rules 
engine, it selects the appropriate rule subsets to apply to each packet. 
After the rule subsets are selected, the multi-rule search engine performs three different types of 
searches:
• The protocol field search looks for matches in particular fields in an application protocol.
• The generic content search looks for ASCII or binary byte matches in the packet payload.
• The packet anomaly search looks for packet headers and payloads that, rather than containing specific content, violate well-established protocols.
After the multi-rule search engine examines the packets, it generates an event for every rule triggered 
and adds it to an event queue. The event selector prioritizes the events in the queue and logs an event to 
the event database. These are the intrusion events that appear in the intrusion event statistics and 
intrusion event reports.
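As an added illustration (not code from the FireSIGHT guide or from Cisco), a constructed Python model of the three tracks just described: the rule optimizer builds rule subsets keyed by protocol and direction, the multi-rule search engine applies the protocol-field, generic-content and packet-anomaly searches, and the event selector logs the highest-priority queued event. Rule SIDs, field names, anomaly flags and packets are constructed samples, not real rule identifiers.

```python
from dataclasses import dataclass, field

# Constructed toy model of the three-track rules engine; not FireSIGHT/Snort code.
@dataclass
class Rule:
    sid: int
    proto: str            # application protocol, e.g. "tcp/http"
    direction: str        # "to_protected" or "from_protected"
    priority: int         # 1 = highest; used by the event selector
    field_match: dict = field(default_factory=dict)  # protocol field search
    content: bytes = b""  # generic content search (bytes in payload)
    anomaly: str = ""     # packet anomaly search (flag set by a preprocessor)
@dataclass
class Packet:
    proto: str
    direction: str
    fields: dict          # normalized application fields from a preprocessor
    payload: bytes
    anomalies: set        # protocol-violation flags from decoder/preprocessors
def build_subsets(rules):
    """Rule optimizer: classify rules once, by protocol and direction."""
    subsets = {}
    for r in rules:
        subsets.setdefault((r.proto, r.direction), []).append(r)
    return subsets
def matches(rule, pkt):
    """Multi-rule search engine: every search the rule specifies must hit."""
    if any(pkt.fields.get(k) != v for k, v in rule.field_match.items()):
        return False                                     # protocol field search
    if rule.content and rule.content not in pkt.payload:
        return False                                     # generic content search
    if rule.anomaly and rule.anomaly not in pkt.anomalies:
        return False                                     # packet anomaly search
    return True
def inspect(subsets, pkt):
    """Select the packet's rule subset, queue one event per triggered rule, and let
    the event selector log the top one. Returns (logged sid or None, queued sids)."""
    subset = subsets.get((pkt.proto, pkt.direction), [])
    queue = sorted((r for r in subset if matches(r, pkt)), key=lambda r: r.priority)
    sids = [r.sid for r in queue]
    return (sids[0] if sids else None), sids
RULES = [  # constructed sample rules; SIDs and values are illustrative only
    Rule(1000001, "tcp/http", "to_protected", 2, {"method": "POST"}, b"cmd="),
    Rule(1000002, "tcp/http", "to_protected", 1, anomaly="bad_http_version"),
    Rule(1000003, "tcp/smtp", "to_protected", 3, content=b"EHLO"),
]
RULE_SUBSETS = build_subsets(RULES)
HTTP_PKT = Packet("tcp/http", "to_protected", {"method": "POST"}, b"cmd=ping", {"bad_http_version"})
SMTP_PKT = Packet("tcp/smtp", "to_protected", {}, b"EHLO mail.example\r\n", set())
```

Because subsets are keyed by protocol and direction, the SMTP rule is never evaluated against the HTTP packet, and a packet leaving the protected network finds no subset at all; that is the processing saving the rule optimizer provides.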
Generating Events
License: Protection
Packets are evaluated by the packet decoder, the preprocessors, and the rules engine. At each step of the 
process, a packet could cause the system to generate an event, which is an indication that the packet or 
its contents may be a risk to the security of your network, or, in the case of an attack that originates from 
within your network, to the security of either your network or an external network.