Cisco Firepower Management Center 4000
33-12
FireSIGHT System User Guide
Chapter 33 Blocking Malware and Prohibited Files
Understanding and Creating File Policies
File Rules
You populate a file policy with file rules. The following table describes the components of a file rule.

Table 33-4 File Rule Components

File Rule Component    Description

application protocol
    The system can detect and inspect files transmitted via FTP, HTTP, SMTP, IMAP, POP3, and NetBIOS-ssn (SMB). To improve performance, you can restrict file detection to only one of those application protocols on a per-file-rule basis.

direction of transfer
    You can inspect incoming FTP, HTTP, IMAP, POP3, and NetBIOS-ssn (SMB) traffic for downloaded files; you can inspect outgoing FTP, HTTP, SMTP, and NetBIOS-ssn (SMB) traffic for uploaded files. Note the asymmetry: SMTP is inspected only for uploads, and IMAP and POP3 only for downloads.

file categories and types
    The system can detect various types of files. These file types are grouped into basic categories, including multimedia (swf, mp3), executables (exe, torrent), and PDFs. You can configure file rules that detect individual file types or entire categories of file types.
    For example, you could block all multimedia files, or just ShockWave Flash (swf) files. Or, you could configure the system to alert you when a user downloads a BitTorrent (torrent) file.
    Caution: Frequently triggered file rules can affect system performance. For example, detecting multimedia files in HTTP traffic (YouTube, for example, transmits significant Flash content) could generate an overwhelming number of events.

file rule action
    A file rule's action determines how the system handles traffic that matches the conditions of the rule.
    Note: File rules are evaluated in rule-action, not numerical, order. For more information, see the next section.
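The following is an added example, not code from the FireSIGHT guide or from Cisco. It models the four rule components from Table 33-4 as a small Python policy checker: it validates a rule against the protocol/direction support the table lists (rejecting, for instance, an SMTP download rule), matches constructed file transfers against a sample policy, and shows how evaluating rules by action rather than by position changes which rule fires. The action names ("block", "detect") and the precedence between them are assumptions made for the demo; the guide defines the real evaluation order in the section that follows this table, which is not reproduced here.

```python
"""Added example: a model of FireSIGHT file-rule components (application
protocol, direction of transfer, file category/type, rule action).
Not Cisco code. Action names and ACTION_PRECEDENCE are demo assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# Protocol/direction support as stated in Table 33-4.
DOWNLOAD_PROTOCOLS = {"FTP", "HTTP", "IMAP", "POP3", "SMB"}
UPLOAD_PROTOCOLS = {"FTP", "HTTP", "SMTP", "SMB"}
ALL_PROTOCOLS = DOWNLOAD_PROTOCOLS | UPLOAD_PROTOCOLS

# Categories and the member types the table names (illustrative subset).
CATEGORIES = {
    "multimedia": {"swf", "mp3"},
    "executables": {"exe", "torrent"},
    "pdf": {"pdf"},
}

# ASSUMED precedence (lower value evaluates first); demo only.
ACTION_PRECEDENCE = {"block": 0, "detect": 1}


@dataclass(frozen=True)
class FileRule:
    number: int                       # position in the policy's rule list
    action: str                       # "block" or "detect" (demo names)
    protocol: Optional[str] = None    # None = any supported protocol
    direction: Optional[str] = None   # "download", "upload", or None = any
    category: Optional[str] = None    # whole category, e.g. "multimedia"
    file_type: Optional[str] = None   # single type, e.g. "swf"


@dataclass(frozen=True)
class Transfer:
    protocol: str
    direction: str
    file_type: str


def validate_rule(rule: FileRule) -> List[str]:
    """Return problems with a rule definition; an empty list means it is valid."""
    p = []
    if rule.action not in ACTION_PRECEDENCE:
        p.append(f"rule {rule.number}: unknown action {rule.action!r}")
    if rule.protocol is not None and rule.protocol not in ALL_PROTOCOLS:
        p.append(f"rule {rule.number}: unsupported protocol {rule.protocol}")
    if rule.direction not in (None, "download", "upload"):
        p.append(f"rule {rule.number}: bad direction {rule.direction!r}")
    # The direction/protocol matrix is asymmetric: SMTP carries uploads only,
    # IMAP and POP3 carry downloads only, so such rules can never match.
    if rule.protocol in ALL_PROTOCOLS and rule.direction == "download" and (
            rule.protocol not in DOWNLOAD_PROTOCOLS):
        p.append(f"rule {rule.number}: {rule.protocol} downloads are not inspected")
    if rule.protocol in ALL_PROTOCOLS and rule.direction == "upload" and (
            rule.protocol not in UPLOAD_PROTOCOLS):
        p.append(f"rule {rule.number}: {rule.protocol} uploads are not inspected")
    if rule.category is not None and rule.category not in CATEGORIES:
        p.append(f"rule {rule.number}: unknown category {rule.category!r}")
    if rule.category in CATEGORIES and rule.file_type is not None and (
            rule.file_type not in CATEGORIES[rule.category]):
        p.append(f"rule {rule.number}: {rule.file_type} is not in {rule.category}")
    return p


def rule_matches(rule: FileRule, t: Transfer) -> bool:
    """True if the transfer satisfies every condition the rule sets."""
    supported = DOWNLOAD_PROTOCOLS if t.direction == "download" else UPLOAD_PROTOCOLS
    if t.protocol not in supported:
        return False  # this protocol is not inspected in this direction at all
    if rule.protocol is not None and rule.protocol != t.protocol:
        return False
    if rule.direction is not None and rule.direction != t.direction:
        return False
    if rule.file_type is not None and rule.file_type != t.file_type:
        return False
    if rule.category is not None and t.file_type not in CATEGORIES[rule.category]:
        return False
    return True


def evaluate(rules, t: Transfer, by_action: bool = True) -> Optional[FileRule]:
    """First matching rule. by_action=True orders by (assumed) action precedence
    then rule number, as the guide's note describes; False uses numerical order."""
    key = (lambda r: (ACTION_PRECEDENCE[r.action], r.number)) if by_action \
        else (lambda r: r.number)
    return next((r for r in sorted(rules, key=key) if rule_matches(r, t)), None)


# Constructed sample policy: a broad detect rule first, a narrower block rule second.
POLICY = [
    FileRule(1, "detect", category="multimedia"),
    FileRule(2, "block", protocol="HTTP", direction="download", file_type="swf"),
    FileRule(3, "detect", direction="download", file_type="torrent"),
]

if __name__ == "__main__":
    for r in POLICY:
        assert not validate_rule(r), validate_rule(r)
    print(validate_rule(FileRule(9, "detect", protocol="SMTP", direction="download")))
    for t in (Transfer("HTTP", "download", "swf"), Transfer("SMTP", "download", "pdf"),
              Transfer("HTTP", "download", "torrent")):
        hit = evaluate(POLICY, t)
        print(t, "->", f"rule {hit.number} ({hit.action})" if hit else "no match")
```

Run it and compare evaluate(POLICY, Transfer("HTTP", "download", "swf")) with and without by_action: in numerical order the broad detect rule 1 fires first, while action-ordered evaluation reaches the block rule 2, which is the behaviour the guide's note warns about. The validator also flags rules whose protocol/direction pair the system never inspects, which otherwise sit silently in a policy and match nothing.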