topic Re: Blocking hash on cisco FMC in Network Security

Blocking hash on cisco FMC

Muhammad Amin Zia — Fri, 21 Feb 2020 16:13:48 GMT

Hello Experts -

I need to know that we are using cisco ASA 5512 with firepower defense center. We have URL and malware license. I want to block the hashes like given below. Can anyone of you help me out in configuring this. looking forward for your positive response in this regards.

c48f5f5bghd34939c9e6cc1eff86db882f3e57d8e

Re: Blocking hash on cisco FMC

Marvin Rhoads — Wed, 12 Sep 2018 06:36:54 GMT

You can do this by using a file list.

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/reusable_objects.html#ID-2243-00000833

The hash you provided though is only 43 characters. We need to provide a 64 character SHA-256 hash.

Re: Blocking hash on cisco FMC

Muhammad Amin Zia — Wed, 12 Sep 2018 07:46:03 GMT

Thank you that's exactly what I am looking for. Can you please tell me that I have three types of hashes i.e. MD5, SHA1, and SHA256, Can I add all of them and I cannot copy paste any SHA one by one I have a huge list of hashes can I add them as a text file (.txt) like we do in security intelligence.

Re: Blocking hash on cisco FMC

Marvin Rhoads — Wed, 12 Sep 2018 08:04:19 GMT

Firepower Management Center (and AMP console for that matter) only supports SHA-256 hashes. There's no way to import MD5 and SHA-1 hashes.

You can import a SHA-256 hash list in bulk. Please refer to the link I posted earlier - that page has detailed instructions on doing so by importing a csv file with up to 10,000 entries.

Re: Blocking hash on cisco FMC

Muhammad Amin Zia — Wed, 12 Sep 2018 09:14:27 GMT

Thank you so much. I appreciate your help.

Re: Blocking hash on cisco FMC

Muhammad Amin Zia — Wed, 12 Sep 2018 09:44:28 GMT

Dear Rhoads -

Please also let me know that I have added the File list as per you guided. My question is do I need to do something else to start monitoring the hash like need to apply this created file list in some access policy or somewhere or is it enough just to create File List? If I need to do something else. Please let me know that steps/configuration. Waiting for your answer.

Re: Blocking hash on cisco FMC

Marvin Rhoads — Wed, 12 Sep 2018 10:08:30 GMT

Please read the note that is in the screenshot I provided earlier. It tells you what is required for the list to take effect.

Monitoring is via the widgets in the Files dashboard or also under Analysis > Files > Malware events (for detailed monitoring and analysis).

Re: Blocking hash on cisco FMC

Muhammad Amin Zia — Wed, 12 Sep 2018 10:40:10 GMT

I did with malware cloud lookup but at right top I am getting this note "no access control policies use this file policy". when I click on it, it shows the attached note and redirected me to access policy control page but I am confuse how to add it on access control policy. Please have a look of two attachments.

Re: Blocking hash on cisco FMC

Marvin Rhoads — Wed, 12 Sep 2018 12:50:16 GMT

Most policies are "underneath" your top level access control policy (ACP). You create an ACP and in it specify the Intrusion, File & Malware, DNS, Identity, SSL and Prefilter policies.

Each rule in your ACP has the option, under the Inspection tab, to specify a File Policy. As you can see in my screenshot below we call out the File policy created earlier and associate it with the rule. File inspection is computationally "expensive" so we don't always turn it on for every single rule.

Re: Blocking hash on cisco FMC

Muhammad Amin Zia — Thu, 13 Sep 2018 09:11:51 GMT

Thank you for your quick help. I really appreciate it.

Re: Blocking hash on cisco FMC

Muhammad Amin Zia — Wed, 26 Sep 2018 03:55:53 GMT

Hello Marvin -

Just one more thing that how many entries can we add in security intelligence on list to block ip's and URL's.

Re: Blocking hash on cisco FMC

Marvin Rhoads — Wed, 26 Sep 2018 06:55:48 GMT

You're welcome.

~~I believe the limit is currently 10,000 each.~~

EDIT - see my later reply.

Re: Blocking hash on cisco FMC

Muhammad Amin Zia — Wed, 26 Sep 2018 04:02:37 GMT

Thank you, I am adding IP's and URL in one list and this list has limit of 10,000 entries. Can you confirm this?

Re: Blocking hash on cisco FMC

Marvin Rhoads — Wed, 26 Sep 2018 06:55:08 GMT

Sorry - the 10,000 number is the limit for a file list.

URL and IP lists are limited to 500 MB per list. You can add them as separate lists.

The number of entries you can include is limited by the maximum size of the file. For example, a URL list with no comments and an average URL length of 100 characters (including Punycode or percent Unicode representations and newlines) can contain more than 5.24 million entries.

This is all spelled out in the Configuration Guide. The above paragraph is a direct quote.

Re: Blocking hash on cisco FMC

Muhammad Amin Zia — Wed, 26 Sep 2018 09:43:43 GMT

Marvin this is very kind of you for being so helpful. If I add total of both URL and IP's 40,000 entries in single txt. file and if txt. file size does not reach to 500 MB then I am allowed to add more in the same list. Please correct me if I am wrong.

Re: Blocking hash on cisco FMC

Marvin Rhoads — Wed, 26 Sep 2018 09:47:53 GMT

You're welcome.

That's correct.

Re: Blocking hash on cisco FMC

Muhammad Amin Zia — Thu, 27 Sep 2018 05:09:03 GMT

Marvin I am facing a problem in FMC security intelligence that when I add list in txt. format which has URL in it. list got uploaded and after that when I download the list from SI to check, The URL will not appear in that list which was added earlier also it is not blocking when I add that list in blacklist mode. I am Using FMC software version: 5.4.1.6. Kindly suggest.

Re: Blocking hash on cisco FMC

Marvin Rhoads — Thu, 27 Sep 2018 07:46:47 GMT

I'm not sure what might be wrong with your file. I've tested blacklist based on uploading a text file and it worked fine for me.

I am using the most recent Firepower versions but did this test as far back as 6.1. Is there a reason why you are running a VERY old version of Firepower? If you contact TAC they will almost undoubtedly ask that you upgrade to a current release and try it again.

Re: Blocking hash on cisco FMC

PatrickNicholls4606 — Mon, 23 Sep 2019 14:43:31 GMT

What does one do if the opposite needs to happen ? What if FirePower with AMP for files is blocking a file it shouldn't be ? We have the SHA256 hash that being blocked, its not malware, we know what the file is and what its behavior is. What needs to be done to, lay person's terms, " if Firepower detects a specific SHA256 file on the network, do nothing."

Re: Blocking hash on cisco FMC

Marvin Rhoads — Tue, 24 Sep 2019 04:07:30 GMT

AMP for Networks (i.e. on FMC or Firepower device) does not allow you to create policies based on a specific file's SHA-256. That requires AMP for endpoints where it is done on the AMP console.

The best you can do is open a ticket with TAC (or Talos - I find TAC more interactive and responsive) and request the incorrect SHA-256 be remedied in AMP cloud.