The AIC HTTP/FTP engines analyze more specific details related to the services (the FTP service, the HTTP service, and much more than an atomic signature), like what kind of objects you can or cannot download from a web server (image, video, audio, etc.) or what kind of commands are performed in an FTP connection (you can analyze many more details in an HTTP connection, but in an FTP connection only command analysis is allowed).
You can use AIC to analyze specific things after the session is established, when you want to control what the user does with your web server.
Use the HTTP service to find kinds of attacks like buffer overflows, or specific attacks in the URL request like directory traversal.
One of the distinct differences is that the AIC engines have a few signatures that can not be created in any other engines. These include:
12674 Alarm on non-http traffic
12676 Request Method Not Recognized
12686 Recognized Transfer Encoding
12673 Recognized Content Type
12900 Unrecognized FTP Command
Standard signatures will look for a string and will fire the alert when the string IS seen in the connection.
BUT the above signatures work differently. Instead of firing an alert when the string is seen, these signatures instead fire alert when NONE of the strings in the signature are seen in the connection.
In the case of 12674 the sensor will fire on web port connections that do NOT look like normal web connections (the connection does not have a URL request). Some other protocol may be running on the standard web port. The sensor will alert on this non-web traffic on a web port and deny the connection.
Under normal signature writing we would have to write a signature to match every other protocol and see if it is running on a web port. That would be pretty much impossible given the number of protocols. So instead we can use this one sig and fire on everything that is NOT web traffic on a web port.
The other 4 signatures are very similar.
For example, 12676 has a list of allowed web request methods (GET, HEAD, POST, etc.). If the sensor sees a request method that is NOT in this list, then it fires the alert (and denies the connection).
This prevents unknown web request methods from entering your network.
The other signatures listed above are similarly constructed for the type of data they are built to look for.
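The "fire when NONE of the allowed strings match" logic described above, written out as an added Python example (not Cisco code and not the sensor's real implementation). The allow lists, the sample payloads and the mapping to the signature IDs 12674/12676/12686/12673 are assumptions made for illustration; the real lists live in the sensor configuration.

```python
import re

# Assumed allow lists for illustration (the real AIC lists are sensor configuration).
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
RECOGNIZED_TRANSFER_ENCODINGS = {"chunked", "identity", "gzip", "deflate", "compress"}
RECOGNIZED_CONTENT_TYPES = {"text/html", "text/plain", "application/json",
                            "application/x-www-form-urlencoded", "image/jpeg", "image/png"}

# A URL request line: "<method> <target> HTTP/1.x" terminated by CRLF.
REQUEST_LINE = re.compile(rb"^(\S+) (\S+) HTTP/1\.[01]\r\n")

def parse_headers(payload: bytes) -> dict:
    """Map lower-cased header name -> value for the lines after the request line."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode(errors="replace")] = value.strip().decode(errors="replace")
    return headers

def inspect_web_port_payload(payload: bytes) -> list:
    """Return [(sig_id, reason), ...]; an empty list means every check saw an allowed value."""
    m = REQUEST_LINE.match(payload)
    if not m:
        # 12674: no URL request at all, so some other protocol is on the web port.
        return [(12674, "non-HTTP traffic on web port")]
    alerts = []
    method = m.group(1).decode(errors="replace")
    if method not in ALLOWED_METHODS:
        # 12676: none of the allowed methods matched (inverted match, unlike a string signature).
        alerts.append((12676, f"request method not recognized: {method}"))
    headers = parse_headers(payload)
    te = headers.get("transfer-encoding")
    if te is not None and te.lower() not in RECOGNIZED_TRANSFER_ENCODINGS:
        alerts.append((12686, f"transfer encoding not recognized: {te}"))
    ct = headers.get("content-type")
    if ct is not None and ct.split(";")[0].strip().lower() not in RECOGNIZED_CONTENT_TYPES:
        alerts.append((12673, f"content type not recognized: {ct}"))
    return alerts

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_8.9\r\n",
    "odd_method": b"BREW /pot-1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "odd_encoding": (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                     b"Transfer-Encoding: rot13\r\nContent-Type: text/plain\r\n\r\nhello"),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, inspect_web_port_payload(payload))
```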