FireSIGHT System User Guide for Cisco Firepower Management Center 2000
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Tip
To specify that the connection tracker track connections for a specific IP address or block of IP addresses, click switch to manual entry to manually specify the IP. Click switch to event fields to go back to using the IP address in the event.
Syntax for Connection Tracker Events
License: Any
The following table describes how to build a connection tracker condition that specifies when you want to generate a correlation event based on the connections you are tracking.
Example: Excessive Connections From External Hosts
Consider a scenario where you archive sensitive files on network 10.1.0.0/16, and where hosts outside this network typically do not initiate connections to hosts inside the network. An occasional connection initiated from outside the network might occur, but you have determined that when four or more connections are initiated within two minutes, there is cause for concern.
The rule shown in the following graphic specifies that when a connection occurs from outside the 10.1.0.0/16 network to inside the network, the system begins tracking connections that meet that criterion. The Defense Center then generates a correlation event if the system detects four connections (including the original connection) within two minutes that match that criterion.
Table 39-13  Syntax for Connection Tracker Events

If you specify...                  Select an operator, then...

Number of Connections              Type the total number of connections detected.

Total Bytes, Initiator Bytes,      Type one of:
or Responder Bytes                 • the total bytes transmitted in both directions (Total Bytes)
                                   • the number of bytes sent by the initiator (Initiator Bytes)
                                   • the number of bytes sent by the responder, that is, received by the initiator (Responder Bytes)

Total Packets, Initiator           Type one of:
Packets, or Responder Packets      • the total packets transmitted in both directions (Total Packets)
                                   • the number of packets sent by the initiator (Initiator Packets)
                                   • the number of packets sent by the responder, that is, received by the initiator (Responder Packets)

Unique Initiators or               Type one of:
Unique Responders                  • the number of unique hosts that initiated the detected connections (Unique Initiators)
                                   • the number of unique hosts that responded to the detected connections (Unique Responders)
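The following Python script is an added illustration and is not part of the FireSIGHT product or of this guide. It replays constructed connection events through a tracker that implements the rule from the Excessive Connections From External Hosts example (initiator outside 10.1.0.0/16, responder inside, four connections within two minutes counting the original) and evaluates the other counters from Table 39-13 over the same tracked set, so any row of the table can be tried against the same events. The Connection record, the FIELDS and OPERATORS mappings, run_tracker, and the sample events are assumptions made for this example; the tracker here fires as soon as the condition is satisfied and then stops tracking, which is a simplification of the appliance's behavior.

```python
"""Connection tracker modelled on the FireSIGHT example (added illustration, not Cisco code)."""
import ipaddress
import operator
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PROTECTED = ipaddress.ip_network("10.1.0.0/16")  # network holding the archived files
TIMEOUT_SECONDS = 120                             # "within two minutes"


@dataclass
class Connection:
    """One connection event; field names follow the counters in Table 39-13 (assumed layout)."""
    ts: float            # seconds from an arbitrary origin
    initiator: str
    responder: str
    initiator_bytes: int = 0
    responder_bytes: int = 0
    initiator_packets: int = 0
    responder_packets: int = 0


def external_to_internal(c: Connection) -> bool:
    """Tracker trigger from the example: initiator outside 10.1.0.0/16, responder inside."""
    return (ipaddress.ip_address(c.initiator) not in PROTECTED
            and ipaddress.ip_address(c.responder) in PROTECTED)


# The "If you specify..." column of Table 39-13, computed over the connections tracked so far.
FIELDS: Dict[str, Callable[[List[Connection]], int]] = {
    "Number of Connections": lambda w: len(w),
    "Total Bytes":        lambda w: sum(c.initiator_bytes + c.responder_bytes for c in w),
    "Initiator Bytes":    lambda w: sum(c.initiator_bytes for c in w),
    "Responder Bytes":    lambda w: sum(c.responder_bytes for c in w),
    "Total Packets":      lambda w: sum(c.initiator_packets + c.responder_packets for c in w),
    "Initiator Packets":  lambda w: sum(c.initiator_packets for c in w),
    "Responder Packets":  lambda w: sum(c.responder_packets for c in w),
    "Unique Initiators":  lambda w: len({c.initiator for c in w}),
    "Unique Responders":  lambda w: len({c.responder for c in w}),
}

# The "Select an operator" column.
OPERATORS = {">=": operator.ge, ">": operator.gt, "==": operator.eq,
             "<=": operator.le, "<": operator.lt}


def run_tracker(events, trigger, field, op, value, timeout=TIMEOUT_SECONDS
                ) -> List[Tuple[float, List[Connection]]]:
    """Replay events through one connection tracker.

    The first connection matching `trigger` opens a tracking window of `timeout`
    seconds that includes that original connection. Later matching connections
    inside the window are added; as soon as FIELDS[field] over the window
    satisfies `op value`, a correlation event (fire time, tracked connections)
    is recorded and tracking stops. A matching connection arriving after the
    window has expired opens a fresh window. Simplification: the condition is
    checked on every connection rather than at window expiry.
    """
    compare, measure = OPERATORS[op], FIELDS[field]
    window: List[Connection] = []
    fired: List[Tuple[float, List[Connection]]] = []
    for c in sorted(events, key=lambda e: e.ts):
        if not trigger(c):
            continue                       # not external-to-internal: never tracked
        if window and c.ts - window[0].ts > timeout:
            window = []                    # previous tracker timed out without firing
        window.append(c)
        if compare(measure(window), value):
            fired.append((c.ts, list(window)))
            window = []                    # burst reported once; start over
    return fired


# Constructed sample events (not real traffic); t=0 is an arbitrary origin.
SAMPLE = [
    Connection(0,   "203.0.113.5",  "10.1.4.20", initiator_bytes=300, responder_bytes=5000),
    Connection(30,  "10.1.7.9",     "10.1.4.20", initiator_bytes=100, responder_bytes=100),   # internal, ignored
    Connection(40,  "203.0.113.5",  "10.1.4.21", initiator_bytes=300, responder_bytes=5000),
    Connection(75,  "198.51.100.8", "10.1.4.20", initiator_bytes=300, responder_bytes=5000),
    Connection(110, "203.0.113.5",  "10.1.4.22", initiator_bytes=300, responder_bytes=5000),  # 4th within 120 s
    Connection(500, "198.51.100.8", "10.1.4.20", initiator_bytes=300, responder_bytes=5000),  # opens a new window
    Connection(700, "198.51.100.8", "10.1.4.20", initiator_bytes=300, responder_bytes=5000),  # previous window expired
]


def excessive_external_connections(events=SAMPLE):
    """The rule from the example: Number of Connections >= 4 within two minutes."""
    return run_tracker(events, external_to_internal, "Number of Connections", ">=", 4)


if __name__ == "__main__":
    for when, tracked in excessive_external_connections():
        print(f"correlation event at t={when}s after {len(tracked)} connections "
              f"from {len({c.initiator for c in tracked})} unique initiators")
```

On the sample events only the burst at t=0..110 s produces a correlation event; the connections at 500 s and 700 s each start a window that expires with a single connection. Swapping the field, operator, and value passed to run_tracker (for example "Unique Initiators", ">=", 2 or "Responder Bytes", ">", 10000) exercises the other rows of Table 39-13 against the same events, which is a convenient way to sanity-check a threshold before committing it to a production rule.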