topic Re: Can I inspect the same traffic for BOTH intrusion and malware? in Network Security

Can I inspect the same traffic for BOTH intrusion and malware?

Pat Fahey — Fri, 21 Feb 2020 15:34:50 GMT

I am running an ASA5506 with Firepower and FMC 6.2.2.2, and have a question about how rules interact. Please pardon me if this has been asked and answered. I searched through the posts but did not see an answer.

My question is about inspecting the same traffic for both Intrusion AND File/Malware. If I create two rules (in one access control policy), one a file rule allowing all traffic for file inspection, and a second rule that allows all traffic for Intrusion inspection, it appears that only one is examining traffic.

If I put the intrusion rule above the file rule in the access control policy, all of the blocks shown in the Connection Events page are "Intrusion Blocks". If I put the file rule above the intrusion rule, all of the blocks are "File Blocks".

And if I put both the intrusion and file policies into one rule, I only ever see "Intrusion Blocks". My concern is that traffic is either being inspected for file/malware OR intrusion, but not both.

Is my concern unfounded, and if so, why do I not see a mix of block types?

Thanks, in advance for your help.

Re: Can I inspect the same traffic for BOTH intrusion and malware?

yogdhanu — Fri, 30 Mar 2018 08:24:46 GMT

Hi Pat,

It would really depend on the content of the packet. If the intrusion and file policy is in same access rule, file policy would be applied only after firepower inspects some portion of stream and calculates the SHA value of the file. If during that time, intrusion rule is able to determine something based on either header info or packet data info, it would be triggered before file policy calculates the SHA and validates if its malicious or not.

I would suggest to place the intrusion policy in IDS mode (disable drop when inline) for testing and use it in along with file policy rule.

Hope that helps,

Yogesh

Re: Can I inspect the same traffic for BOTH intrusion and malware?

Pat Fahey — Fri, 30 Mar 2018 15:40:07 GMT

Hi Yogesh.

So if I am understanding you correctly, BOTH Intrusion inspection AND Malware inspection will be performed on traffic with no Malware or Intrusion matches.

On the other hand, if traffic contains BOTH Malware AND an Intrusion signature, it may be dropped for one reason or the other, depending on which abnormality (Malware or Intrusion) is identified first.

My objective is to inspect all traffic for both Malware and Intrusion, and it sounds like that is indeed happening. Please correct me if I am wrong.

Thanks for your reply. -Pat

Re: Can I inspect the same traffic for BOTH intrusion and malware?

pazzi — Fri, 30 Mar 2018 15:47:07 GMT

Let me chime in, IPS policy is evaluated prior to the Malware policy.

So order of drops is packet first, file second.

HTH

Paul

Re: Can I inspect the same traffic for BOTH intrusion and malware?

Pat Fahey — Fri, 30 Mar 2018 18:18:07 GMT

Thanks, Paul.

So if the IPS policy does NOT drop it, Malware WILL inspect it?

Of course if IPS drops it Malware will not inspect it.

My concern was that if the IPS policy allows it to pass, the Malware would never inspect it at all.

-Pat