Can I inspect the same traffic for BOTH intrusion and malware?

Pat Fahey
Level 1

I am running an ASA5506 with Firepower and FMC 6.2.2.2, and have a question about how rules interact. Please pardon me if this has been asked and answered. I searched through the posts but did not see an answer.

My question is about inspecting the same traffic for both Intrusion AND File/Malware. If I create two rules (in one access control policy), one a file rule allowing all traffic for file inspection, and a second rule that allows all traffic for Intrusion inspection, it appears that only one is examining traffic.

If I put the intrusion rule above the file rule in the access control policy, all of the blocks shown in the Connection Events page are "Intrusion Blocks". If I put the file rule above the intrusion rule, all of the blocks are "File Blocks".

And if I put both the intrusion and file policies into one rule, I only ever see "Intrusion Blocks". My concern is that traffic is either being inspected for file/malware OR intrusion, but not both.

Is my concern unfounded, and if so, why do I not see a mix of block types?

Thanks in advance for your help.

4 Replies

yogdhanu
Cisco Employee

Hi Pat,

It would really depend on the content of the packet. If the intrusion and file policies are in the same access rule, the file policy would be applied only after Firepower inspects some portion of the stream and calculates the SHA value of the file. If during that time the intrusion rule is able to determine something based on either header info or packet data info, it would be triggered before the file policy calculates the SHA and validates whether it's malicious or not.

I would suggest placing the intrusion policy in IDS mode (disable "drop when inline") for testing and using it along with the file policy rule.

Hope that helps,

Yogesh
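The ordering Yogesh describes, written out as an added model so the two block types can be reproduced side by side. This is example code, not Firepower's or Cisco's own implementation; the IPS signature, file bytes and blocklist hash are constructed for the demonstration, and the packet split is a simplification of real stream reassembly.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample data: a hypothetical signature id and content pattern,
# not a real Snort rule, and a blocklist built from a constructed file.
IPS_SIGNATURES = {"sid:1000001": b"EVIL-HEADER"}
MALICIOUS_PACKETS = [b"EVIL-HEADER", b"-constructed-bad-file-body"]
CLEAN_PACKETS = [b"CLEAN-HEADER", b"-constructed-good-file-body"]
MALWARE_SHA256 = {hashlib.sha256(b"".join(MALICIOUS_PACKETS)).hexdigest()}


@dataclass
class Verdict:
    action: str                              # "Intrusion Block", "File Block" or "Allow"
    intrusion_events: List[str] = field(default_factory=list)
    file_sha256: Optional[str] = None        # set only once the whole file was hashed


def inspect_stream(packets, ips_drop_when_inline=True):
    """Model of one access-control rule carrying both an intrusion policy and
    a file policy. IPS signatures are evaluated packet by packet as data
    arrives; the file policy can only act after the file is reassembled and
    its SHA-256 computed, so an inline IPS drop always wins the race."""
    verdict = Verdict(action="Allow")
    body = b""
    for pkt in packets:
        for sid, pattern in IPS_SIGNATURES.items():
            if pattern in pkt:
                verdict.intrusion_events.append(sid)
                if ips_drop_when_inline:
                    # Inline IPS drops here; the file policy never sees the file.
                    verdict.action = "Intrusion Block"
                    return verdict
                # IDS mode: log the event and keep passing the stream along.
        body += pkt
    # Stream complete: now the file policy has a hash to look up.
    verdict.file_sha256 = hashlib.sha256(body).hexdigest()
    if verdict.file_sha256 in MALWARE_SHA256:
        verdict.action = "File Block"
    return verdict


if __name__ == "__main__":
    print(inspect_stream(MALICIOUS_PACKETS))                              # Intrusion Block
    print(inspect_stream(MALICIOUS_PACKETS, ips_drop_when_inline=False))  # File Block
    print(inspect_stream(CLEAN_PACKETS))                                  # Allow, hash set
```

The clean stream ends with both an empty intrusion event list and a populated file hash, which is the observable sign that each engine looked at the traffic even though neither blocked it.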

Hi Yogesh.

So if I am understanding you correctly, BOTH Intrusion inspection AND Malware inspection will be performed on traffic with no Malware or Intrusion matches.

On the other hand, if traffic contains BOTH Malware AND an Intrusion signature, it may be dropped for one reason or the other, depending on which abnormality (Malware or Intrusion) is identified first.

My objective is to inspect all traffic for both Malware and Intrusion, and it sounds like that is indeed happening. Please correct me if I am wrong.

Thanks for your reply. -Pat

Let me chime in: the IPS policy is evaluated prior to the Malware policy.

So order of drops is packet first, file second.
HTH

Paul
Thanks, Paul.

So if the IPS policy does NOT drop it, Malware WILL inspect it?

Of course if IPS drops it Malware will not inspect it.

My concern was that if the IPS policy allows it to pass, the Malware would never inspect it at all.

-Pat
