cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9551
Views
18
Helpful
5
Replies

AMP for Network best practices

mnabeel@ciso.com
Cisco Employee
Cisco Employee

Looking for AMP for Network best practices notes:

     best practice for Tuning File and Malware Inspection Performance and Storage

     best practice for file type inspection for malware check such as portable file, docx etc.

1 Accepted Solution

Accepted Solutions

Dennis Perto
Level 5
Level 5

I don't think that we have a "best practise" for this.

I usually make a rule which action is to "Detect files" and choose all file types possible. Then I make a "Block Malware" rule, with all the bells and whistles, to store malware files, and choose:

Office Documents

Archive

Executables

PDF files

System files

Local Malware Analysis Capable

Dynamic Analysis Capable

On a sidenote Cisco states this in the manual about file inspection:

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Reference_a_wrapper…

File Policy Notes and Limitations

File Rule Configuration Notes and Limitations

  • A rule configured to block files in a passive deployment does not block matching files. Because the connection continues to transmit the file, if you configure the rule to log the beginning of the connection, you may see multiple events logged for this connection.

  • If a file rule is configured with a Malware Cloud Lookup or Block Malware action and the Firepower Management Center cannot establish connectivity with the AMP cloud, the system cannot perform any configured rule action options until connectivity is restored.

  • Cisco recommends that you enable Reset Connection for the Block Files and Block Malware actions to prevent blocked application sessions from remaining open until the TCP connection resets. If you do not reset connections, the client session will remain open until the TCP connection resets itself.

  • If you are monitoring high volumes of traffic, do not store all captured files, or submit all captured files for dynamic analysis. Doing so can negatively impact system performance.

  • You cannot perform malware analysis on all file types detected by the system. After you select values from the Application Protocol, Direction of Transfer, and Action drop-down lists, the system constrains the list of file types.


File Detection Notes and Limitations

  • If a file matches a rule with an application protocol condition, file event generation occurs after the system successfully identifies a files application protocol. Unidentified files do not generate file events.

  • FTP transfers commands and data over different channels. In a passive or inline tap mode deployment, the traffic from an FTP data session and its control session may not be load-balanced to the same Snort.

  • If the total number of bytes for all file names for files in a POP3, POP, SMTP, or IMAP session exceeds 1024, file events from the session may not reflect the correct file names for files that were detected after the file name buffer filled.

  • When transmitting text-based files over SMTP, some mail clients convert newlines to the CRLF newline character standard. Since Mac-based hosts use the carriage return (CR) character and Unix/Linux-based hosts use the line feed (LF) character, newline conversion by the mail client can modify the size of the file. Note that some mail clients default to newline conversion when processing an unrecognizable file type.


  • If an end-of-file marker is not detected for a file, regardless of transfer protocol, the file will not be blocked by a Block Malware rule or the custom detection list. The system waits to block the file until the entire file has been received, as indicated by the end-of-file marker, and blocks the file after the marker is detected.

 

File Blocking Notes and Limitations

  • If the end-of-file marker for an FTP file transfer is transmitted separately from the final data segment, the marker will be blocked and the FTP client will indicate that the file transfer failed, but the file will actually completely transfer to disk.

  • File rules with Block Files and Block Malware actions block automatic resumption of file download via HTTP by blocking new sessions with the same file, URL, server, and client application detected for 24 hours after the initial file transfer attempt occurs.

  • In rare cases, if traffic from an HTTP upload session is out of order, the system cannot reassemble the traffic correctly and therefore will not block it or generate a file event.

  • If you transfer a file over NetBIOS-ssn (such as an SMB file transfer) that is blocked with a Block Files rule, you may see a file on the destination host. However, the file is unusable because it is blocked after the download starts, resulting in an incomplete file transfer.

  • If you create file rules to detect or block files transferred over NetBIOS-ssn (such as an SMB file transfer), the system does not inspect files transferred in an established TCP or SMB session started before you deploy an access control policy invoking the file policy so those files will not be detected or blocked.

View solution in original post

5 Replies 5

Dennis Perto
Level 5
Level 5

I don't think that we have a "best practise" for this.

I usually make a rule which action is to "Detect files" and choose all file types possible. Then I make a "Block Malware" rule, with all the bells and whistles, to store malware files, and choose:

Office Documents

Archive

Executables

PDF files

System files

Local Malware Analysis Capable

Dynamic Analysis Capable

On a sidenote Cisco states this in the manual about file inspection:

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Reference_a_wrapper…

File Policy Notes and Limitations

File Rule Configuration Notes and Limitations

  • A rule configured to block files in a passive deployment does not block matching files. Because the connection continues to transmit the file, if you configure the rule to log the beginning of the connection, you may see multiple events logged for this connection.

  • If a file rule is configured with a Malware Cloud Lookup or Block Malware action and the Firepower Management Center cannot establish connectivity with the AMP cloud, the system cannot perform any configured rule action options until connectivity is restored.

  • Cisco recommends that you enable Reset Connection for the Block Files and Block Malware actions to prevent blocked application sessions from remaining open until the TCP connection resets. If you do not reset connections, the client session will remain open until the TCP connection resets itself.

  • If you are monitoring high volumes of traffic, do not store all captured files, or submit all captured files for dynamic analysis. Doing so can negatively impact system performance.

  • You cannot perform malware analysis on all file types detected by the system. After you select values from the Application Protocol, Direction of Transfer, and Action drop-down lists, the system constrains the list of file types.


File Detection Notes and Limitations

  • If a file matches a rule with an application protocol condition, file event generation occurs after the system successfully identifies a files application protocol. Unidentified files do not generate file events.

  • FTP transfers commands and data over different channels. In a passive or inline tap mode deployment, the traffic from an FTP data session and its control session may not be load-balanced to the same Snort.

  • If the total number of bytes for all file names for files in a POP3, POP, SMTP, or IMAP session exceeds 1024, file events from the session may not reflect the correct file names for files that were detected after the file name buffer filled.

  • When transmitting text-based files over SMTP, some mail clients convert newlines to the CRLF newline character standard. Since Mac-based hosts use the carriage return (CR) character and Unix/Linux-based hosts use the line feed (LF) character, newline conversion by the mail client can modify the size of the file. Note that some mail clients default to newline conversion when processing an unrecognizable file type.


  • If an end-of-file marker is not detected for a file, regardless of transfer protocol, the file will not be blocked by a Block Malware rule or the custom detection list. The system waits to block the file until the entire file has been received, as indicated by the end-of-file marker, and blocks the file after the marker is detected.

 

File Blocking Notes and Limitations

  • If the end-of-file marker for an FTP file transfer is transmitted separately from the final data segment, the marker will be blocked and the FTP client will indicate that the file transfer failed, but the file will actually completely transfer to disk.

  • File rules with Block Files and Block Malware actions block automatic resumption of file download via HTTP by blocking new sessions with the same file, URL, server, and client application detected for 24 hours after the initial file transfer attempt occurs.

  • In rare cases, if traffic from an HTTP upload session is out of order, the system cannot reassemble the traffic correctly and therefore will not block it or generate a file event.

  • If you transfer a file over NetBIOS-ssn (such as an SMB file transfer) that is blocked with a Block Files rule, you may see a file on the destination host. However, the file is unusable because it is blocked after the download starts, resulting in an incomplete file transfer.

  • If you create file rules to detect or block files transferred over NetBIOS-ssn (such as an SMB file transfer), the system does not inspect files transferred in an established TCP or SMB session started before you deploy an access control policy invoking the file policy so those files will not be detected or blocked.

Thanks for your prompt response, how about the Tuning File and Malware Inspection Performance and Storage as mentioned on below link. Any customized settings that we have experienced for any customer. Or shall we go with the default settings, An example, lets say if we increase the file size settings that can be stored into storage and further submit for dynamic analysis. I am suspecting if we change such settings will result decrease in performance.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/AC-Intrusion-Malware-Detection.html#78959

I have not had the need to tune those settings. You should tune them if you do not use a default 1500 MTU size.

atanawade
Level 1
Level 1

I noticed that if i downloads excel file from internet ,i can see the connection build up and rules are configured for to Detect the file.

 

But when i try to check analyses>file>file event

i could see anything after editing search with my IP address, Why is that ?

@atanawade how are you downloading? If it's within an https or other encrypted session AMP for Networks won't generally see the file transfer (unless there's also an SSL decryption policy in effect that applies to that connection).