Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

CSA DAC Rule, Untrusted Hosts, and Global Correlation

I was trying to get tricky and force my Data Access Control rules to show me what the source IP was.

In my DAC rule, instead of setting the action to Monitor, I have it set to Add Process to Application Class, using dynamic application class <*Processes Communicating with Untrusted Hosts>. Then for Global Event Correlation, I have "Correlate Communications with untrusted hosts and add peer addresses to list of dynamically quarantined IP addresses" enabled with Log a message if 1 systems report this event within 60 minutes.

Well, it works. Sort of. The first time one of my DAC rules triggers, I get the event for the DAC rule, then another event when Global Event Correlation logs the IP address. But this comes with a nasty side effect. Right after, any IP address that communicates with the IIS process also gets added to the Global Quarantine IP addresses list and those events are logged, but not with any other DAC rule event. It looks as if the IIS process is being quarantined as well, even though I can't see that tracked anywhere. The details of the Global event don't give any reference information at all.

So what is going on? Is this how its supposed to work? Or did i find a bug?

2 REPLIES
Silver

Re: CSA DAC Rule, Untrusted Hosts, and Global Correlation

what is the version of CSA you are using?

New Member

Re: CSA DAC Rule, Untrusted Hosts, and Global Correlation

4.5.1. At the time of my post it was release 654, but now I'm up to 657.

123
Views
0
Helpful
2
Replies
CreatePlease to create content