Cisco Firepower Management Center 2000

FireSIGHT System User Guide, page 39-25
Chapter 39      Configuring Correlation Policies and Rules
  Creating Rules for Correlation Policies
Tip
To specify that the connection tracker track connections for a specific IP address or block of IP 
addresses, click "switch to manual entry" to manually specify the IP. Click "switch to event fields" 
to go back to using the IP address in the event.
Syntax for Connection Tracker Events
License: Any
The following table describes how to build a connection tracker condition that specifies when 
you want to generate a correlation event based on the connections you are tracking. 
Example: Excessive Connections From External Hosts
Consider a scenario where you archive sensitive files on network 10.1.0.0/16, and where hosts outside 
this network typically do not initiate connections to hosts inside the network. An occasional connection 
initiated from outside the network might occur, but you have determined that when four or more 
connections are initiated within two minutes, there is cause for concern.
The rule shown in the following graphic specifies that when a connection occurs from outside the 
10.1.0.0/16 network to inside the network, the system begins tracking connections that meet that 
criterion. The Defense Center then generates a correlation event if the system detects four connections 
(including the original connection) within two minutes that match that signature.
Table 39-13    Syntax for Connection Tracker Events

If you specify...                         Select an operator, then...
-------------------------------------------------------------------------------------------
Number of Connections                     Type the total number of connections detected.

Total Bytes, Initiator Bytes, or          Type one of:
Responder Bytes                             • the total bytes transmitted (Total Bytes)
                                            • the number of bytes transmitted (Initiator Bytes)
                                            • the number of bytes received (Responder Bytes)

Total Packets, Initiator Packets, or      Type one of:
Responder Packets                           • the total packets transmitted (Total Packets)
                                            • the number of packets transmitted (Initiator Packets)
                                            • the number of packets received (Responder Packets)

Unique Initiators or Unique Responders    Type one of:
                                            • the number of unique hosts that initiated sessions 
                                              that were detected (Unique Initiators)
                                            • the number of unique hosts that responded to 
                                              connections that were detected (Unique Responders)