Cisco Cisco FirePOWER Appliance 8360
25-75
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Working with SCADA Preprocessors
•
If your network does not contain any Modbus-enabled devices, you should not enable this
preprocessor in an intrusion policy that you apply to traffic.
preprocessor in an intrusion policy that you apply to traffic.
•
The Modbus preprocessor requires TCP stream configuration. When you enable the Modbus
preprocessor and TCP stream configuration is disabled, you are prompted whether to enable the
advanced setting when you save the policy.
preprocessor and TCP stream configuration is disabled, you are prompted whether to enable the
advanced setting when you save the policy.
See
and
for more information.
•
Both TCP stream configuration and the Modbus preprocessor must be enabled to allow processing
of rules using Modbus keywords. When either is disabled and you enable rules that use Modbus
keywords, you are prompted whether to enable the disabled advanced setting when you save the
policy. See
of rules using Modbus keywords. When either is disabled and you enable rules that use Modbus
keywords, you are prompted whether to enable the disabled advanced setting when you save the
policy. See
.
You can use the following procedure to modify the ports the Modbus preprocessor monitors.
To configure the Modbus preprocessor:
Access:
Admin/Intrusion Admin
Step 1
Select
Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2
Click the edit icon (
) next to the policy you want to edit.
If you have unsaved changes in another policy, click
OK
to discard those changes and continue. See
for information on saving unsaved changes in another
policy.
The Policy Information page appears.
Step 3
Click
Advanced Settings
in the navigation panel on the left.
The Advanced Settings page appears.
Step 4
You have two choices, depending on whether
Modbus Configuration
under SCADA Preprocessors is
enabled:
•
If the configuration is enabled, click
Edit
.
•
If the configuration is disabled, click
Enabled
, then click
Edit
.
The Modbus Configuration page appears.
Step 5
Optionally, modify the
Ports
that the preprocessor inspects for Modbus traffic. You can specify an integer
from 0 to 65535. Use commas to separate multiple ports.
Step 6
Optionally, click
Configure Rules for Modbus Configuration
at the top of the page to display rules associated
with individual options.
Click
Back
to return to the Modbus Configuration page.
Step 7
Save your policy, continue editing, discard your changes, revert to the default configuration settings in
the base policy, or exit while leaving your changes in the system cache. See the
the base policy, or exit while leaving your changes in the system cache. See the
table for more information.
Configuring the DNP3 Preprocessor
License:
Protection