0% found this document useful (0 votes)

375 views219 pages

Advanced Firepower IPS Deployment

BRKSEC-3300

Uploaded by

pikamau

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

375 views219 pages

Advanced Firepower IPS Deployment

BRKSEC-3300

Uploaded by

pikamau

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 219

BRKSEC-3300

Advanced Firepower IPS

Deployment

Gary Halleen, Technical Solutions Architect

Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#BRKSEC-3300

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
About Your Speaker

Gary Halleen
Email: [email protected]
Security Architect
Global Security Architect Team

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
About Your Speaker

Gary Halleen
Email: [email protected]
Security Architect
Global Security Architect Team
19 years at Cisco

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
About Your Speaker

Gary Halleen
Email: [email protected]
Security Architect
Global Security Architect Team
19 years at Cisco
Amateur Radio: K7TRO
BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
About Your Speaker

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Oregon – Pacific Wonderland

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Some of My Hobbies

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Some of My Hobbies

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Cisco Firepower Sessions: Building Blocks
Tuesday Wednesday Thursday Friday

11:00 08:30
11:00 08:30

11:30 09:00
BRKSEC-3035 BRKSEC-2064 BRKSEC-3455
Firepower Platform Dissecting
NGFWv and ASAv
Deep Dive Firepower FTD &
in Public Cloud
Firepower Services
14:30 11:00

BRKSEC-3328 BRKSEC-3300 BRKSEC-3032 BRKSEC-2020

FMC Internals: Firepower NGFW in
Advanced IPS NGFW Clustering
Making FMC Do the DC and
Deployment Deep Dive
More Enterprise

BRKSEC-2112
Firepower Internet
Edge Best Practices
We Are Here!
16:30

BRKSEC-3352
Advanced Snort
Rule Writing for
Firepower
BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
For Your
Reference
Introduction
For the purposes of this session, these terms are treated the same.

• Firepower
• Firepower Threat Defense
• ASA with Firepower Services

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Introduction
Centralized On-box Cloud-based Upcoming

Firepower Management Firepower Device Cisco Defense

Center (FMC) Manager (FDM) Orchestrator (CDO)

Enables comprehensive Enables easy on- Enables cloud-based

security administration and box management of policy management of
automation of multiple common security multiple deployments
appliances and policy tasks

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Firepower Management Center (FMC)
This session covers Firepower 6.2.x and later, managed with FMC.
We will NOT cover the older Cisco IPS 7.0.

Centralized Management Firepower Management Center

Multi-domain management Firewall & AVC

Role-based access control NGIPS

High availability AMP

APIs and pxGrid integration Security Intelligence

Manage across many sites Control access and set policies Investigate incidents Prioritize response

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
For Your

Firepower 6.3
Reference

Platform Capabilities Operations Visibility & Security

Multi-Instance for 4100/9300 Airgap/Export Licensing Events direct-from-device

• Flexible approach for up to 14 • Controlled subscription licensing for • Integrate better with other Cisco
instances closed networks and 3rd party SIEMs
• Supports HA • Export licensing for government and • Connection and IPS
military customers outside the
TLS HW Accelerated Decryption United States FQDN based access control
• Higher TLS inspection throughput • Enables control for dynamic cloud
• Supported on all Firepower Local Management for FTD based apps
platforms • Onbox manager for many
commercial use-cases 2FA & RADIUS CoA for RA VPN in
Fail-to-Wire Netmods for FP2100 • Supports HA, Passive Auth with FMC
• Transition NGIPS to Firepower Audit Logging and Connection and • RA VPN Migration
2100s IPS syslogs from the device

Improved Migrations Direct-to-Device APIs (2100 and

• New migration tools below)
• Automation and Orchestration for
MSPs
• Enable Integrations

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
6.3
Multi-Instance for Firepower 4100/9300
• Allows organizations to deploy independent
tenants for multiple departments or
customers
FTD FTD FTD FTD
1 2 3 4 • Resource and Management Separation
• Instances are fully independent and fault
tolerant
• Smooth workflow enabling faster
provisioning
• 3-14 instances (FP9300 and FP4100s only)
• Multi-Instance is free – no SKU

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Pick from many deployment modes

Inline or Passive Fail-to-wire NetMods Additional options

Inline Routed

NetMod
101110

Inline Tap Transparent

101110

Passive Virtual or Physical

Available on 2100, 4100 and 9300

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Firepower Policies

How often are Policies Modified?

Frequently Little Rarely

Access Control Policy Malware and File Policy Network Discovery Policy

Intrusion Policy DNS Policy Network Analysis Policy

SSL Policy Correlation Policy

Identity Policy Health Policy

Prefilter Policy

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Policy Order of Operation

Access
Prefilter Intrusion
Control Policy
(FTD only) (for AppID)

Optional

SSL Identity SI / DNS

Access Intrusion File /

Control Rules
Malware

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Intrusion Policy
The Intrusion Policy defines which Snort rules are used in packet inspection.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Intrusion Policy
The Intrusion Policy defines which Snort rules are used in packet inspection.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Intrusion Base Policy

Policy CVSS Score Vulnerability Age

Connectivity over Security 10 Current year, plus 2 prior

(2019, 2018, and 2017)
Balanced Security and 9+ Current year, plus 2 prior
Connectivity Rule Categories: Malware-CNC, Blacklist, SQL
Injection, Exploit Kit
Security over Connectivity 8+ Current year, plus 3 prior
(2019, 2018, 2017, and 2016)
Rule Categories: Malware-CNC, Blacklist, SQL
Injection, Exploit Kit, App-Detect
Maximum Detection 7.5+ 2005 and later
Rule Categories: Malware-CNC, Exploit Kit

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
Intrusion Policy
You can manually Enable/Disable individual rules or configure actions.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Intrusion Policy
Several ways to search for rules…

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Intrusion Policy
Several ways to search for rules…

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Network Discovery Policy
• Used to identify which networks Firepower should “learn” from.

• Useful for applications, and especially for maintaining the Firepower Recommended Rules
in the Intrusion Policy.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
Intrusion Policy and Network Discovery Policy
Firepower Recommended Rules automatically tunes your Snort rules for the applications,
servers, and hosts on your network.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Intrusion Policy and Network Discovery Policy
Firepower Recommended Rules automatically tunes your Snort rules for the applications,
servers, and hosts on your network.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Intrusion Policy and Network Discovery Policy
Firepower Recommended Rules automatically tunes your Snort rules for the applications,
servers, and hosts on your network.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Access Control Policy
• Traffic must match in the Access Control Policy in order to be Inspected

For a simple IPS

deployment, you can use
the Default Action

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Access Control Policy

In a NGFW deployment, the Default Action

will likely be “Block All Traffic”.
Intrusion Policy needs to be defined for each
Allow Action.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
Access Control Policy

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
Access Control Policy

If you need, different Allow rules

can have different Intrusion
Policies assigned.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Network Analysis Policy

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Network Analysis Policy

What is this?
Do I need to do anything here?

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Network Analysis Policy
• The Network Analysis Policy (NAP) controls the Preprocessors, and
determines things such as:
o Fragmentation Reassembly
o Protocol Compliance

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Network Analysis Policy
• The Network Analysis Policy (NAP) controls the Preprocessors, and
determines things such as:
o Fragmentation Reassembly
o Protocol Compliance

“What should we tune?”

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Network Analysis Policy

Security

Usability

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
Network Analysis Policy

Usability

Security

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
Network Analysis Policy
• By default, there are no tunable NAP policies. You’ll need to create one.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
Network Analysis Policy
• By default, there are no tunable NAP policies. You’ll need to create one.

Create Policy

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
Network Analysis Policy
• Give your policy a name.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
Network Analysis Policy
• Give your policy a name.

Create and Edit Policy

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
Network Analysis Policy
Do these Base Policies look familiar?

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Network Analysis Policy
Do these Base Policies look familiar?

Besides the name, these Base

Policies have NOTHING in
common with the Intrusion Base
Policies.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Network Analysis Policy
Do these Base Policies look familiar?

Besides the name, these Base

Policies have NOTHING in
common with the Intrusion Base
Policies.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Network Analysis Policy
Enable/Disable Preprocessors

• Some Preprocessors are

disabled by default:
o Portscan Detection
o Rate-Based Attack
Prevention
o Inline Normalization
• Enable these if you need
them

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Network Analysis Policy
Enable/Disable Preprocessors

• Some Preprocessors are

disabled by default:
o Portscan Detection
o Rate-Based Attack
Prevention
o Inline Normalization
• Enable these if you need
them

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Fragmentation
Both IP and TCP can cause a stream of data to break into many parts
Both IP fragmentation and TCP segmentation may be naturally occurring or performed
intentionally to evade IPS
IP fragment reassembly and TCP sequence reconstruction must be applied to mitigate
this evasion technique

If attack is: USER root

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
Fragmentation
Both IP and TCP can cause a stream of data to break into many parts
Both IP fragmentation and TCP segmentation may be naturally occurring or performed
intentionally to evade IPS
IP fragment reassembly and TCP sequence reconstruction must be applied to mitigate
this evasion technique

If attack is: USER root

TCP: HDR USER HDR root

If attack is: USER root

TCP: HDR USER HDR root

IP: HDR HDR US HDR ER HDR HDR ro HDR ot

If attack is: USER root

TCP: HDR USER HDR root

IP: HDR HDR US HDR ER HDR HDR ro HDR ot

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
How Bad can Fragmentation Get?

IP TCP SMB MSRPC Payload

Packet capture of regular attack is ~4k, after

layers of evasion 30MB or more!

Hundreds of thousands of packets

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Network Analysis Policy
Inline Normalization
Tune it? MAYBE
• Disabled by Default
• Enforces Protocol Compliance for TCP
and IP protocols.
• Enabling normalization will block some
non-standard implementations and
many attacks. However, it potentially
can block poorly-written legitimate
traffic.
• How Risk-Averse are you?

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
Network Analysis Policy
TCP Stream
Tune it? YES
• Unless you are deploying IPS into a
segment containing ONLY Windows hosts,
you absolutely should tune this.
• TCP Stream determines how fragmented
TCP traffic is reassembled.
• Different operating systems handle
reassembly differently, and it is critical that
your IPS understands the hosts.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
Network Analysis Policy
UDP Stream
Tune it? Probably Not
• Not much to tune.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Network Analysis Policy
IP Defragmentation

Tune it? YES

• Similar reason as TCP Stream.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
Access Control Policy – Advanced Settings
Don’t forget to select the Network Analysis Policy from the Access Control
Policy -> Advanced Tab

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Access Control Policy – Advanced Settings
Don’t forget to select the Network Analysis Policy from the Access Control
Policy -> Advanced Tab
If you need to use multiple Network Analysis Policies
(maybe some networks have Windows servers, and
another has Linux, for example), you can create Rules to
perform the mapping.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
Impact Flags
• Remember, we recommend you utilize the Network Discovery Policy…

• This allows you to use Impact Flags for analysis.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Impact Flags
• Remember, we recommend you utilize the Network Discovery Policy…

• This allows you to use Impact Flags for analysis.

Do you know what

these mean?

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Understanding Impact Flags
Intrusion Events Impact Flag

Source / Destination IP

Protocol (TCP/UDP)

Source / Destination Port

Service

Snort ID

IOC: Predefined Impact

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Understanding Impact Flags
Intrusion Events Host Profile Impact Flag
[Outside Profile Range]
Source / Destination IP
[Host not yet profiled]

Protocol (TCP/UDP) IP Address

User IDs

Source / Destination Port Protocols

Server Side Ports

Service Client Side Ports

Services

CVE
Snort ID Client / Server Apps

Operating System
IOC: Predefined Impact
Potential Vulnerabilities

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Understanding Impact Flags
Intrusion Events Host Profile Impact Flag Action Why
[Outside Profile Range]
Source / Destination IP
[Host not yet profiled]
0 Event occurred outside
profiled networks

Protocol (TCP/UDP) IP Address

User IDs

Source / Destination Port Protocols

Server Side Ports

Service Client Side Ports

Services

CVE
Snort ID Client / Server Apps

Operating System
IOC: Predefined Impact
Potential Vulnerabilities

Protocol (TCP/UDP) IP Address

User IDs
4 Previously unseen host
within monitored network

Source / Destination Port Protocols

Server Side Ports

Service Client Side Ports

Services

CVE
Snort ID Client / Server Apps

Operating System
IOC: Predefined Impact
Potential Vulnerabilities

Protocol (TCP/UDP) IP Address

User IDs
4 Previously unseen host
within monitored network

Source / Destination Port Protocols

Server Side Ports

3 Relevant port not open or
protocol not in use

Service Client Side Ports

Services

CVE
Snort ID Client / Server Apps

Operating System
IOC: Predefined Impact
Potential Vulnerabilities

Protocol (TCP/UDP) IP Address

User IDs
4 Previously unseen host
within monitored network

Source / Destination Port Protocols

Server Side Ports

3 Relevant port not open or
protocol not in use

Service Client Side Ports

Relevant port or protocol in
Services
2 use but no vulnerability
mapped

CVE
Snort ID Client / Server Apps

Operating System
IOC: Predefined Impact
Potential Vulnerabilities

Protocol (TCP/UDP) IP Address

User IDs
4 Previously unseen host
within monitored network

Source / Destination Port Protocols

Server Side Ports

3 Relevant port not open or
protocol not in use

Service Client Side Ports

Relevant port or protocol in
Services
2 use but no vulnerability
mapped

CVE
Snort ID Client / Server Apps

Operating System
1 Host vulnerable to attack or
showing an IOC.
IOC: Predefined Impact
Potential Vulnerabilities

Protocol (TCP/UDP) IP Address

User IDs
4 Previously unseen host
within monitored network

Source / Destination Port Protocols

Server Side Ports

3 Relevant port not open or
protocol not in use

Service Client Side Ports

Relevant port or protocol in
Services
2 use but no vulnerability
mapped

CVE
Snort ID Client / Server Apps

Operating System
1 Host vulnerable to attack or
showing an IOC.
IOC: Predefined Impact
Potential Vulnerabilities

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
6.3
Contextual Cross-Launch
• New to Firepower Management Center (FMC) 6.3

• From any relevant event or dashboard, right-click and

launch a query into a different product.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
6.3
Contextual Cross-Launch
Several tools already included

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
6.3
Contextual Cross-Launch
Do you have a favorite tool?
• Add your own: Analysis -> Advanced -> Contextual Cross-Launch
• Example for Cisco Stealthwatch:

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
6.3
Contextual Cross-Launch
Do you have a favorite tool?
• Add your own: Analysis -> Advanced -> Contextual Cross-Launch
• Example for Cisco Tetration:

Note: The URL will

differ according to your
Tetration deployment
and tenant IDs.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
6.3
Contextual Cross-Launch
Stealthwatch Cross-Launch Example

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
6.3
Contextual Cross-Launch
Tetration Cross-Launch Example

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
6.3
Contextual Cross-Launch
Tetration Cross-Launch Example

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Snort Rules
Firepower uses Snort Rules for Intrusion Prevention.

Cisco provides regular rule updates. Most customers deploy these

automatically.

Third-party Snort rules can be added manually through the Rule Editor
(Objects -> Intrusion Rules -> Create Rule), or can be imported.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
Snort Rule Editor

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Snort Rules
• Snort Rules are normally created on a single line, with no special
characters, and in ASCII or UTF-8 format.
• The Import file can contain many rules as long as they are one rule per-
line.
• Many of the Emerging Threat rules use deprecated syntax (”threshold”
statement). If you are importing ET rules, you’ll need to correct or remove
these rules first. Threshold has been replaced with detection_filter.
• SHOULD not have a rule SID, but is allowed.
All on ONE Line

alert tcp [43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
Snort Rules
• Snort Rules are normally created on a single line, with no special
characters, and in ASCII or UTF-8 format.
• The Import file can contain many rules as long as they are one rule per-
line.
• Many of the Emerging Threat rules use deprecated syntax (”threshold”
statement). If you are importing ET rules, you’ll need to correct or remove
these rules first. Threshold has been replaced with detection_filter.
• SHOULD not have a rule SID, but is allowed.
All on ONE Line

600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; rev:2

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
Snort Rules (continued)
• Sometimes it is much more readable to spread the rule across multiple lines. Do this with
the backslash character - \

Example Rule (from Emerging Threats):

alert tcp \
[43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,\
45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,\
45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,\
49.238.64.0/18,58.14.0.0/15,60.233.0.0/16,61.11.224.0/19] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
threshold: type limit, track by_src, seconds 3600, count 1; \
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; \
rev:2690; metadata:affected_product Any, attack_target Any, deployment Perimeter, \
tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2019_01_20;)

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
Snort Rules (continued)
• This ET rule has a deprecated keyword – “threshold”, as well as “type limit”, so let’s fix it.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
Snort Rules (continued)
• This ET rule has a deprecated keyword – “threshold”, as well as “type limit”, so let’s fix it.

alert tcp \
[43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,\
45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,\
45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,\
49.238.64.0/18,58.14.0.0/15,60.233.0.0/16,61.11.224.0/19] \
any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; \
flags:S; reference:url,www.spamhaus.org/drop/drop.lasso; \
threshold: type limit,
detection_filter: track track by_src,
by_src, seconds
seconds 3600,3600,
count count
1; \ 1; \
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; \
rev:2690; metadata:affected_product Any, attack_target Any, deployment Perimeter, \
tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2019_01_20;)

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
Importing Snort Rules
• Once your Snort rules are in a text file, navigate to Objects -> Intrusion Rules.
• Click on “Import Rules”

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
Importing Snort Rules
• Click on “Browse” to locate your file, and click “Import”.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Importing Snort Rules

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Importing Snort Rules

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Importing Snort Rules

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
Importing Snort Rules
• If successful, you will see a screen showing what has been imported.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
Importing Snort Rules
• If successful, you will see a screen showing what has been imported.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
Enabling Snort Rules
• Remember, all imported rules are Disabled by default. You need to enable
these.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
Enabling Snort Rules
• Remember, all imported rules are Disabled by default. You need to enable
these.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
How do you Exempt Specific Servers from a
Snort Rule?
Options:
1. Look at the rule and see if you can modify the variables in use?
($EXTERNAL_NET and $HOME_NET, for example)
2. Use a different Intrusion Policy for some hosts. This could have memory
or performance impact if overused.
3. Create a Pass Rule –> Probably the Best Option

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
Pass Rule Example
Pass Rule
Open the firing rule in the Rule Editor (Objects -> Intrusion Rules)

203.0.113.24

Network
Scanner

Campus

Web
Server
SSH
Server

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
Pass Rule
Change Action to “pass”

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
Pass Rule
Change the Message.
(add “PASS RULE – “ to the beginning)

Add the IP address or variable name

(i.e. $SCANNER_HOSTS) to the source or
destination IP.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Pass Rule
Click “Save as New”

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
Pass Rule
Finally, Edit the Intrusion Policy, and change the Rule State for your new Local Rule to
“Generate Events”. Save and Deploy the Intrusion Policy.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
Pass Rule
Finally, Edit the Intrusion Policy, and change the Rule State for your new Local Rule to
“Generate Events”. Save and Deploy the Intrusion Policy.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
Snort Restart and Reload Architecture

Prior to Firepower 6.2.2, making the

Intrusion Rule changes just described
would have caused a Snort Restart,
and potentially disrupted network
traffic.

Significant improvements in 6.2.3, and

especially 6.3 software have
dramatically reduced the number of
things that can cause a Snort Restart.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
Why does Snort Restart?
• New version of Snort in policy deploy

• Reallocate memory for pre-

processors/Security Intelligence (6.2.x)
• Reload shared objects

• Pre-processor configuration changes

(6.2.x)
• Configured to restart instead of reload

Cisco.com info on 6.2.3 Restart Conditions: http://cs.co/9006DcfbG

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
Why does Snort Restart?
• New version of Snort in policy deploy

• Reallocate memory for pre-

processors/Security Intelligence (6.2.x) “No” means Snort
will restart every time
• Reload shared objects a policy changes.
• Pre-processor configuration changes
(6.2.x)
• Configured to restart instead of reload

Cisco.com info on 6.2.3 Restart Conditions: http://cs.co/9006DcfbG

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
Why does Snort Restart?
6.2.3 and later warns if any configuration change will interrupt inspection
(restart Snort):

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
Mitigations

Snort Preserve-Connection
1 (6.2.0 / 6.2.3 introduction)

2 Software Bypass

3 Upgrade to Firepower 6.3

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
Snort Preserve-Connection
• When Snort goes down, connections with Allow verdict are preserved
in LINA
• Snort does NOT do a mid-session pickup on preserved flows on
coming up
• Does NOT protect against new flows while Snort is down
• 6.2.0.2/6.2.3 Feature Introduction. Enabled by default in 6.2.3
• Can be enabled/disabled from CLI:
configure snort preserve-connection enable/disable

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
Software Bypass
• With inline Fail-Open deployments traffic is passed
uninspected on the Software bridge when Snort is
down.
• When Snort comes up, Snort does a mid-session
pickup on traffic

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
Bypass Options
Software Bypass Enable traffic, uninspected, when Snort is down or busy.

Fail-to-Wire Interfaces Bypass traffic upon appliance failure, including loss of

power.

Automatic Application Bypass Restarts Snort processes upon degraded performance

Intelligent Application Bypass Application-specific acceleration of defined applications if

performance is degraded
Trust Rules Accelerate defined traffic but still apply Security
Intelligence

Prefilter Policy Bypass deep inspection and Security Intelligence based

on Port / Protocol / IP Address / Zone

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
Software Bypass

Software Bypass is only available in Inline Pairing mode or

ASA with Firepower Services.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
Fail to Wire Interfaces

Fail-to-wire Fail-to-Wire interfaces allow for pass-through

of traffic in case of appliance failure or loss of
NetMod
power.
• FP-9300
• FP-4100
• FP-2100 (requires 6.3)
• FP-7000, 7100, 8100, 8200, and 8300

Fail-to-Wire requires:
Inline Set, Inline Pair, or Inline Tap deployment.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
Automatic Application Bypass (AAB)
Detects Snort failures or degraded performance and triggers a restart of the
impacted Snort process. First available in FTD in 6.2.2.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
Trust Rules
Within the Access Control Policy, defined traffic can be exempted from File
and IPS inspection, which accelerates it through the appliance. Basing the
rule on Source/Destination Port and IP addresses is most effective.
Security Intelligence feeds are still applied to Trust rules.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
Trust Rules
Within the Access Control Policy, defined traffic can be exempted from File
and IPS inspection, which accelerates it through the appliance. Basing the
rule on Source/Destination Port and IP addresses is most effective.
Security Intelligence feeds are still applied to Trust rules.

On FP-4100/9300 appliances, a Trust rule enables Dynamic Flow Offload on eligible

flows, and handles the traffic on the HW NIC. Not supported on Inline, Inline Tap, or
Passive Interfaces!

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
PreFilter Policy
PreFilter rules are processed prior to Intrusion Prevention or Access Control
Policies. If traffic can be defined by Zone, Network, and Port (similar to an
ASA rule), the traffic can be FastPathed. This is similar to a Trust rule, but
Security Intelligence is not applied.

• PreFilter rules require Firepower Threat Defense.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
PreFilter Policy
PreFilter rules are processed prior to Intrusion Prevention or Access Control
Policies. If traffic can be defined by Zone, Network, and Port (similar to an
ASA rule), the traffic can be FastPathed. This is similar to a Trust rule, but
Security Intelligence is not applied.

• PreFilter rules require Firepower Threat Defense.

On FP-4100/9300 appliances, a Fastpath rule enables Static Flow Offload on eligible
flows, and handles the traffic on the HW NIC. Static Flow Offload is not supported on
Inline, Inline Tap, or Passive interfaces.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
Intelligent Application Bypass (IAB)
Detects degraded performance within an application. If that application is
trusted, you can configure it to automatically bypass inspection for it, and
accelerate the traffic.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options – Intelligent Application Bypass
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
Intelligent Application Bypass
What is IAB?

IAB takes action when a Snort instance is Under Duress if conditions are
met:
1. Is the flow a candidate for bypass?
2. Is this a bypassable application?

If conditions are satisfied, then Firepower will accelerate the flow.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
Intelligent Application Bypass
Caveats!

• When IAB works to full capability, the flow under duress is executed the
same as a PreFilter FastPath or ACP Trust rule.
• If the Access Control Policy (ACP) uses IP-based Security Intelligence,
then Snort needs to see the traffic briefly before it is FastPathed.
• If the ACP uses DNS- or URL-based Security Intelligence, then both Snort
and AppID need to see traffic before it is FastPathed. AppID sometimes
takes longer to identify the application, depending on which application it
is.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
Configuring Intelligent Application Bypass
Find IAB on the Advanced tab of the Access Control Policy. In 6.2.3, it is on the
bottom left of the page. In 6.3, it is on the top right.

• By default, IAB is disabled.

• With 6.2.3, all fields are blank. No default values.
• With 6.3, default values are entered.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
Configuring Intelligent Application Bypass
Set the State to On or Test.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
Configuring Intelligent Application Bypass
Set the State to On or Test.

And set the sample period.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
Configuring Intelligent Application Bypass
Inspection Performance Thresholds: Is the snort process under duress?

These fields are a Logical OR, and

refer to the Snort process rather
than overall appliance CPU.

• Drop Percentage
• Processor Utilization
• Packet Latency
• Flow Rate

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 93
Configuring Intelligent Application Bypass
Flow Bypass Thresholds: Is the flow a candidate to bypass?
These values are all a Logical OR

Bytes per Flow is “How big is the flow?”

Take AMP max file size under

consideration!

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 95
Configuring Intelligent Application Bypass
Flow Bypass Thresholds: Is the flow a candidate to bypass?

Flow Velocity is “Size over time of the flow”

Each snort instance can handle

approximately 1Gbps, which is 125,000
kbytes/second.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 97
Configuring Intelligent Application Bypass
Flow Bypass Thresholds: Is the flow a candidate to bypass?

Flow Velocity is “Size over time of the flow”

Each snort instance can handle

approximately 1Gbps, which is 125,000
kbytes/second.

I disagree with this default value. 250,000 kbytes/second will never trigger on today’s FP or ASA
hardware. A better starting value for most customers is about 40,000 or 50,000 kbytes/second.
BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 97
Configuring Intelligent Application Bypass
Flow Bypass Thresholds: Is the flow a candidate to bypass?

Flow Velocity is “Size over time of the flow”

Each snort instance can handle

approximately 1Gbps, which is 125,000
kbytes/second.

45000

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 99
Configuring Intelligent Application Bypass
Define Applications that are Bypassable

May be easier to just allow All Applications

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 99
Monitoring Intelligent Application Bypass
IAB Events appear in Connection Events with reason of “Intelligent App Bypass”

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 100
Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• IPS Events
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 101
OpenAppID
Cisco’s Open Source Application Layer Plugin for Snort and Firepower

OpenAppID uses the Lua programming language to identify applications. There are a
number of attributes it can look at, including:

• ASCII or Hex patterns and offset • SSL Organization Unit

• HTTP User Agent • SSL Common Name
• HTTP URL • SIP Server
• HTTP Content Type • SIP User Agent
• SSL Host • RTMP URL Pattern

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 102
OpenAppID
Most internal Firepower Application Detectors are included in the Snort OpenAppID rules,
including Lua source code.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 103
OpenAppID within Firepower
Application Detectors

All Application Detectors in

Firepower 6.0+ use
OpenAppID.

Custom Application Detectors

can be created here, as well.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 104
OpenAppID within Firepower
Basic Application Detector

FMC provides a Wizard for creation

of Basic detectors. Advanced
detectors require you to upload the
Lua file.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 105
For Your
OpenAppID within Firepower Reference

Advanced Application Detector

If you need an Advanced detector,

you’ll need to write it yourself, or
request one from TAC.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 106
OpenAppID Example
with Intrusion Policy
OpenAppID and the Intrusion Policy
A lot of “noise” is created in the Intrusion Logs of any IDS/IPS product by
automated scripts searching for vulnerable systems, and trying generic
attacks.

Web Server

Internet

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 108
OpenAppID and the Intrusion Policy
A lot of “noise” is created in the Intrusion Logs of any IDS/IPS product by
automated scripts searching for vulnerable systems, and trying generic
attacks.

Web Server

Internet

[blkh4t@wd40 ~]$ hackerw3bscan –v 198.51.100.33

Ports open: tcp/80, tcp/443
Server: apache 2.4.18
Vulnerabilities found: CVE-2016-4979 SSL Bypass
CVE-2016-1546 HTTP2 DOS

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 108
OpenAppID and the Intrusion Policy
An Example

These scans or attacks against your IP addresses may or may not be successfully
blocked by your IPS devices.
They generate noise in your logs.

Question:
Is there a legitimate reason for Internet users to access your server(s) by IP address
instead of FQDN?

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 109
OpenAppID and the Intrusion Policy
An Example
The Goal:
Block all web traffic that targets an IP Address rather than correct hostname. Use
Intrusion Policy to inspect legitimate traffic.

Web Server

Internet

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 110
OpenAppID and the Intrusion Policy
An Example
The Goal:
Block all web traffic that targets an IP Address rather than correct hostname. Use
Intrusion Policy to inspect legitimate traffic.

X Web Server

Internet

[blkh4t@wd40 ~]$ hackerw3bscan –v 198.51.100.33

No web server found!

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 110
OpenAppID and the Intrusion Policy
Creating the Custom Detector
1. From Application Detectors
screen, click the button to
Create Custom Detector.

2. Click the “Add”

button.

3. Complete the
required fields to
name your custom
application.
4. Click OK.

5. Enter the same Name

and Description as
previous step, and
select the Application
you just created from
the pulldown menu.
6. Leave the
Detector_Type as
Basic.
7. Click OK

5. Enter the same Name

and Description as
previous step, and
select the Application
you just created from
the pulldown menu.
6. Leave the
Detector_Type as
Basic.
7. Click OK

This is where we’ll define

what the application
”looks like” to Firepower.

9. Select HTTP from the Protocol pulldown menu,

and URL as Type.
10.Enter your domain name.
11.Click OK.

9. Select HTTP from the Protocol pulldown menu,

and URL as Type.
10.Enter your domain name.
11.Click OK.

12.Repeat the process to add the SSL information.

13.Click OK.

12.Repeat the process to add the SSL information.

13.Click OK.

14.Click on “Save”.

Remember: Basic Detectors

perform an OR operation on the
Detection Patterns.
In this example, any HTTP or HTTPS
connection destined to
*.zenbango.com will trigger the
detector.
BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 118
OpenAppID and the Intrusion Policy
Activating the Custom Detector

15.You can find your Application Detector by selecting Custom Type in the
Filters.
16.The new Application Detector will not function until it is Activated by
clicking on the State slider.
BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 119
OpenAppID and the Intrusion Policy
Activating the Custom Detector

WARNING:
15.You can find your Application Detector by selecting Custom Type in the
When you Activate or Deactivate any Detector, it will trigger your appliances
Filters.
in the current domain or child domain to restart Snort. This will potentially
16.The new Application
be disruptive Detector
to your network will not function until it is Activated by
traffic.
clicking on the State slider.
BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 119
OpenAppID and the Intrusion Policy
Assigning Custom Detector to Access Control and Intrusion Policy

15.Tie it all together by using an Allow Rule (with Intrusion Policy

assigned) for traffic matching the new application. Block all other
traffic.
BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 120
OpenAppID and the Intrusion Policy
Effectiveness…

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 121
Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS

IP Address: URLs: DNS:

• Attackers • URL Attackers • DNS Attackers

• Bogon • URL Bogon • DNS Bogon
• Bots • URL Bots • DNS Bots
• CnC • URL CnC • DNS CnC
• Cryptomining (NEW) • URL Cryptomining (NEW) • DNS Cryptomining (NEW)
• Dga • URL Dga • DNS Dga
• ExploitKit • URL Exploitkit • DNS Exploitkit
• Malware • URL Malware • DNS Malware
• Open_proxy • URL Open_proxy • DNS Open_proxy
• Open_relay • URL Open_relay • DNS Open_relay
• Phishing • URL Phishing • DNS Phishing
• Response • URL Response • DNS Response
• Spam • URL Spam • DNS Spam
• Suspicious • URL Suspicious • DNS Suspicious
• Tor_exit_node • URL Tor_exit_node • DNS Tor_exit_node

Go to the Appendix for an example on creating a custom Security

Intelligence feed.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 124
Agenda
• Policy Interaction and Firepower Recommendations
• Advanced Tuning Topics
• Importing Snort Rules
• IPS Pass Rule
• Bypass Options
• OpenAppID
• Security Intelligence
• SSL Inspection for IPS

Is your IPS still effective?

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 126
SSL Inspection
The percentages of TLS/SSL traffic is increasing dramatically. IDS/IPS deployments
need to take this into consideration.
Options to consider:
1. Decryption Offload, passing decrypted traffic to the Sensor

2. Onbox Decryption

Additionally, do you decrypt Inbound, Outbound, or both traffic?

Inbound Traffic
• Traffic is decrypted by installing the Servers’ SSL Certificate and Private Key onto
the FMC
Outbound Traffic
• Traffic is decrypted by installing a wildcard certificate and performing a “man in the
middle attack” against your users’ SSL traffic.

In this session, we will focus only at Inbound.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 128
SSL Inspection with Known Key
Example
You need both the host’s private key and the .crt file.
Go to Objects -> PKI -> Internal Certs to add the certificate information for
the host.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 129
SSL Inspection with Known Key
Example
Create an SSL Policy to decrypt traffic with this known key for the associated
host. Once this is complete, add this SSL Policy to the Access Control
Policy.

• Firepower 6.3 enables Hardware Decryption, by default, for SSL/TLS traffic on Firepower
appliances, including the FP-2100.
• Firepower 6.2.3 enabled Hardware Decryption on FP-4100/9300 platforms, but was
disabled by default.
• Performance is dramatically improved over Software Decryption that was previously
performed.

To disable hardware decryption, you can use the following command from the FTD CLI:

FTD 6.2.3: system support ssl-hw-offload disable

FTD 6.3: system support ssl-hw-force-offload-disable

Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#BRKSEC-3300

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 132
Complete your online
session survey
• Please complete your Online Session
Survey after each session
• Complete 4 Session Surveys & the Overall
Conference Survey (available from
Thursday) to receive your Cisco Live T-
shirt
• All surveys can be completed via the Cisco
Events Mobile App or the Communication
Stations

Don’t forget: Cisco Live sessions will be available for viewing

on demand after the event at ciscolive.cisco.com

Demos in Meet the Related

Walk-in
the Cisco engineer sessions
self-paced
Showcase labs 1:1
meetings

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Security Intelligence
Example
Security Intelligence Custom Feed
An Example
A publicly-exposed SSH Server will be continuously probed for weaknesses, as well
as brute-force login attempts.
Let’s use failed login attempts to build our own SI Feed.

SSH Server

Internet

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 139
Security Intelligence Custom Feed
An Example
A publicly-exposed SSH Server will be continuously probed for weaknesses, as well
as brute-force login attempts.
Let’s use failed login attempts to build our own SI Feed.

SSH Server

Internet

[blkh4t@wd40 ~]$ ncrack zenbango.com:22

Starting Ncrack 0.5 ( http://ncrack.org ) at 2017-01-09 12:42 PST

Jan 9 15:42:50 SSH Server

www unix_chkpwd[28658]: password check failed for user (root)
Jan 9 15:42:57 www unix_chkpwd[28680]: password check failed for user (root)
Jan 9 15:42:58 www sshd[10692]: Invalid user cypherpunks from 198.51.100.87
Jan 9 15:43:02 www sshd[10693]: Invalid user cdowns from 198.51.100.87
Internet
Jan 9 15:43:25 www unix_chkpwd[28886]: password check failed for user (don)
Jan 9 15:43:25 www unix_chkpwd[28887]: password check failed for user (rich)
Jan 9 15:43:31 www unix_chkpwd[28922]: password check failed for user (gary)
Jan 9 15:44:33 www unix_chkpwd[29302]: password check failed for user (daemon)
Jan 9 15:44:38 www unix_chkpwd[29341]: password check failed for user (kim)
[blkh4t@wd40 ~]$ ncrack zenbango.com:22
Jan 9 15:45:44 www unix_chkpwd[29737]: password check failed for user (operator)
Jan 9 15:45:52 www sshd[10694]: Invalid user dan from 198.51.100.87
Starting Ncrack 0.5 ( http://ncrack.org
Jan 9 15:45:54 )
wwwat 2017-01-09 12:42
unix_chkpwd[29797]: password PST
check failed for user (root)
Jan 9 15:46:02 www unix_chkpwd[29842]: password check failed for user (mail)
Jan 9 15:46:09 www unix_chkpwd[29878]: password check failed for user (nobody)
Jan 9 15:46:31 www unix_chkpwd[30019]: password check failed for user (rich)
Jan 9 15:46:31 www unix_chkpwd[30020]: password check failed for user (don)
Jan 9 15:46:38 www unix_chkpwd[30065]: password check failed for user (gary)

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 139
Security Intelligence Custom Feed
An Example
The Goal:
Create your own Security Intelligence Feed to block hosts that attempt to login to your
SSH Server and fail authentication multiple times.

X Web Server

Internet

SSH Server

1. The first step is to configure your honeypot with the desired services
installed, hardened, and logged.

There are a number of tools available to dynamically block or log

connection/authentication attempts. Two that work well are fail2ban and
denyhosts.

2. In this example, we’re using denyhosts to dynamically block

SSH attempts after 6 failed login attempts.

/etc/denyhosts.conf file (pertinent sections):

SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w
BLOCK_SERVICE = ALL
DENY_THRESHOLD_INVALID = 6
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
RESET_ON_SUCCESS = yes

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 142
Security Intelligence Custom Feed
Prepare the Target
3. Create a script to parse the blocked IP addresses from denyhost’s log file.
/etc/hosts.deny file looks like this:
# DenyHosts: Thu Jan 26 22:31:28 2017 | ALL: 203.0.113.4
ALL: 203.0.113.4
# DenyHosts: Sat Jan 28 10:58:51 2017 | ALL: 192.0.2.120
ALL: 192.0.2.120
# DenyHosts: Tue Jan 31 09:42:58 2017 | ALL: 198.51.100.3
ALL: 198.51.100.3
# DenyHosts: Tue Jan 31 19:50:17 2017 | ALL: 198.51.100.27
ALL: 198.51.100.27
# DenyHosts: Wed Feb 1 16:57:02 2017 | ALL: 203.0.113.230
ALL: 203.0.113.230

4. Use your favorite scripting language to parse the addresses. This simple
Bash script works:
#! /bin/bash

blocklist=` cat /etc/hosts.deny | grep -v \# | awk '{print $2}' > /var/www/html/sshblock.txt`

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 143
Security Intelligence Custom Feed
Prepare the Target
3. Create a script to parse the blocked IP addresses from denyhost’s log file.
/etc/hosts.deny file looks like this:
# DenyHosts: Thu Jan 26 22:31:28 2017 | ALL: 203.0.113.4
ALL: 203.0.113.4
# DenyHosts: Sat Jan 28 10:58:51 2017 | ALL: 192.0.2.120
ALL: 192.0.2.120
# DenyHosts: Tue Jan 31 09:42:58 2017 | ALL: 198.51.100.3
ALL: 198.51.100.3
# DenyHosts: Tue Jan
ALL: 198.51.100.27 The output file should be in a
31 19:50:17 2017 | ALL: 198.51.100.27

# DenyHosts: Wed Feb

ALL: 203.0.113.230 directory accessible to your web
1 16:57:02 2017 | ALL: 203.0.113.230

server. Consider placing it on a

different
4. Use your favorite scripting language to parse theserver.
addresses. This simple
Bash script works:
#! /bin/bash

blocklist=` cat /etc/hosts.deny | grep -v \# | awk '{print $2}' > /var/www/html/sshblock.txt`

5. Generate some SSH traffic, with failed logins, to make sure you are capturing
the addresses. Be careful. denyhosts will by default ban your IP address in
the hosts.deny file. You will need to know how to clear the blocks.
This is a useful site:
http://www.tecmint.com/block-ssh-server-attacks-brute-force-attacks-using-denyhosts/

6. Make sure to run your script (from Step 4) on a regular basis by running a
cron job every few minutes or so.
/var/www/html/sshblock.txt
203.0.113.4
192.0.2.120
One IP Address 198.51.100.3
per line. 198.51.100.27
203.0.113.230
BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 144
Security Intelligence Custom Feed
Prepare the Target

7. Verify you can download the file with a web browser. It is a good idea to
host the file on a server reachable internally only, rather than one accessible
to the outside world.

8. On Firepower Management Center (FMC), navigate to Objects -> Security

Intelligence -> Network Lists and Feeds. Click “Add Network Lists and
Feeds” in the upper right corner.

9. Select Feed, and populate the URL information and Update Frequency.

In the current software release, updates are limited to no shorter than

every 30 minutes.
Click Save.

10.In your Access Policy, click the Security Intelligence tab, and add the new
feed to the Blacklist

SSH-Blacklist should be placed here.

11.Verify the blocks are occurring.

Reason for block is SSH-Blacklist

Blocks are protecting ALL hosts –

not just those running Denyhosts
BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 149
Firepower
Traditional Firepower appliances use Firepower software.
Example: FP-7050, FP-7125, FP-8130, FP-8250, FP-8370, Firepower Virtual IPS

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 150
ASA with Firepower Services
ASA with Firepower Services uses traditional ASA software and a hardware or virtual IPS
module running Firepower software. Often referred to as ASA+SFR.
Example: ASA-5506-X, ASA-5525-X, ASA-5545-X, ASA-5585-X

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 151
Firepower Threat Defense
Firepower Threat Defense (FTD) software combines ASA and Firepower features into a
single software image. This is available on newer Firepower appliances and most ASA-
5500-X models.
Example: ASA-5506-X, ASA-5545-X, FP-2110, FP-4140, FP-9300, NGFWv, but NOT the
ASA-5585-X

VLAN 10

VLAN 20

The appliance will be installed in either

Routed or Transparent mode. This is
a global setting.

Routed: Interfaces belong to different

L3 networks.

Transparent: Interfaces belong to

different L2 networks (different
VLANs).

Passive: A Promiscuous Interface

receives copies of traffic from a SPAN
port or TAP.

Passive interfaces are available

regardless of whether the appliance is
installed in Transparent or Routed mode.

BRKSEC-3300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 154
Inline Pair Mode
Firepower Threat Defense or Firepower
Inline Pair: Traffic passes from one
member interface to another, without
changing either VLAN or L3 network. It
functions as a smart wire.

VLAN 10 VLAN 10 Inline Pairs are available regardless of

whether the appliance is installed in
Transparent or Routed mode.

Interfaces can also be 802.1q trunks.

Inline Set:

A grouping of two or more Inline Pairs.

Inline TAP: Traffic passes from one member

interface to another, without changing either
VLAN or L3 network. As traffic passed, it is
copied to the inspection engine, so traffic
cannot be blocked.

Inline Pairs are available regardless of whether

the appliance is installed in Transparent or
Routed mode.

Asymmetric traffic flows

prevent a security device from
seeing the full traffic flow.

For best results, design your

network to force symmetry.

If you are using Firepower Threat Defense

(FTD) or ASA with Firepower Services
Internet (ASA+SFR), Inter-Chassis Clustering is a
great option.

Clustering enables multiple security

appliances to function as a single device,
and support asymmetric traffic flows, while
also providing N+1 redundancy.

FTD supports Inter-Chassis Clustering in

Firepower 6.3 Backup and Restore FTD Device Configurations Example-1
No ratings yet
Firepower 6.3 Backup and Restore FTD Device Configurations Example-1
4 pages
Cisco SD-Access Workbook
No ratings yet
Cisco SD-Access Workbook
29 pages
CSEC Office Administration June 2015 P2
No ratings yet
CSEC Office Administration June 2015 P2
20 pages
F5 201 Notes
No ratings yet
F5 201 Notes
13 pages
2.21 Dynamo For Civil 3D PDF
No ratings yet
2.21 Dynamo For Civil 3D PDF
1 page
F5 ASM Interview Questions and Answer 1693390853
No ratings yet
F5 ASM Interview Questions and Answer 1693390853
3 pages
LLC Firepower
No ratings yet
LLC Firepower
36 pages
Troubleshooting Tricks and Hints
No ratings yet
Troubleshooting Tricks and Hints
10 pages
Fortigate Ipsec VPN 52 - 2
No ratings yet
Fortigate Ipsec VPN 52 - 2
240 pages
FTD Know How
No ratings yet
FTD Know How
112 pages
F5 ASM Training
No ratings yet
F5 ASM Training
3 pages
F5 LTM Lab Setup in Vmware Workstation:: Vmnet0 Vmnet8 Vmnet1
No ratings yet
F5 LTM Lab Setup in Vmware Workstation:: Vmnet0 Vmnet8 Vmnet1
3 pages
FirePOWER Services For ASA POV Best Practices 1504
No ratings yet
FirePOWER Services For ASA POV Best Practices 1504
66 pages
f5 LTM
No ratings yet
f5 LTM
16 pages
NIOS 8.6.x Documentation
No ratings yet
NIOS 8.6.x Documentation
2,330 pages
CheckPoint End Security
No ratings yet
CheckPoint End Security
2 pages
Firepower FMC PDF
No ratings yet
Firepower FMC PDF
8 pages
EAP Protocol
No ratings yet
EAP Protocol
7 pages
Windows Server 2022 NPS Radius
No ratings yet
Windows Server 2022 NPS Radius
26 pages
BIG-IP Link Controller Implementations
No ratings yet
BIG-IP Link Controller Implementations
80 pages
CP R81.10 Multi-DomainSecurityManagement AdminGuide
No ratings yet
CP R81.10 Multi-DomainSecurityManagement AdminGuide
622 pages
GTM Advanced Topics - v5
No ratings yet
GTM Advanced Topics - v5
11 pages
Getting Started BIG IP Part1 Setup Lab Guide
No ratings yet
Getting Started BIG IP Part1 Setup Lab Guide
17 pages
Sophos XG Firewall - How To Configure SSL VPN Remote Access
No ratings yet
Sophos XG Firewall - How To Configure SSL VPN Remote Access
13 pages
Junos OS Network Management Admin Guide
No ratings yet
Junos OS Network Management Admin Guide
922 pages
Configuring BIG IP ASM ApplicationSecurityManager1
No ratings yet
Configuring BIG IP ASM ApplicationSecurityManager1
7 pages
Checkpoint R80
No ratings yet
Checkpoint R80
122 pages
Troubleshooting BIG-IP Hardware
100% (1)
Troubleshooting BIG-IP Hardware
31 pages
CCNA Security 03
No ratings yet
CCNA Security 03
78 pages
Palo Alto Networks Platforms
No ratings yet
Palo Alto Networks Platforms
8 pages
Cisco ASA and Firepower Threat Defense Reimage Guide
No ratings yet
Cisco ASA and Firepower Threat Defense Reimage Guide
43 pages
Bigip F5 LTM Training Loadbalance: Syllabus Blueprint
No ratings yet
Bigip F5 LTM Training Loadbalance: Syllabus Blueprint
1 page
BIG-IP Command Line Interface Guide
No ratings yet
BIG-IP Command Line Interface Guide
514 pages
Lab 12 Configuring HIP For Global Protect
No ratings yet
Lab 12 Configuring HIP For Global Protect
35 pages
Umbrella Instant v2-2
100% (2)
Umbrella Instant v2-2
43 pages
Destination NAT On Juniper SRX in A Dual ISP Environment
100% (1)
Destination NAT On Juniper SRX in A Dual ISP Environment
13 pages
Cisco Live - Overview of Troubleshooting Tools in Cisco Switches and Routers - BRKARC-2011 PDF
No ratings yet
Cisco Live - Overview of Troubleshooting Tools in Cisco Switches and Routers - BRKARC-2011 PDF
95 pages
201 Certification
No ratings yet
201 Certification
43 pages
Install Guide FirePower Module On Cisco ASA v1.1
100% (1)
Install Guide FirePower Module On Cisco ASA v1.1
22 pages
OSPF Part1 - Study Notes CheatSheet - (Waqas Karim) WK v2
No ratings yet
OSPF Part1 - Study Notes CheatSheet - (Waqas Karim) WK v2
1 page
Radware Installation and Maintenance Guide-Feb-2011
No ratings yet
Radware Installation and Maintenance Guide-Feb-2011
115 pages
PCNSE Exam - Jan2022
No ratings yet
PCNSE Exam - Jan2022
271 pages
Checkpoint - Premium.156 915.80.by - Vceplus.100q
No ratings yet
Checkpoint - Premium.156 915.80.by - Vceplus.100q
47 pages
Checkpoint Packet Flow
No ratings yet
Checkpoint Packet Flow
3 pages
Check Point Firewall Interview Questions
100% (2)
Check Point Firewall Interview Questions
5 pages
F5 Certification Prep Planning To Succeed
100% (1)
F5 Certification Prep Planning To Succeed
29 pages
Pan Os Admin
No ratings yet
Pan Os Admin
6 pages
An Overview of Trend Micro Deep Security Solution Components
No ratings yet
An Overview of Trend Micro Deep Security Solution Components
7 pages
100 F5 Interview Questions
No ratings yet
100 F5 Interview Questions
9 pages
Palo Alto HA-LAB - Self Prepared
100% (1)
Palo Alto HA-LAB - Self Prepared
55 pages
AskF5 - Manual Chapter - About Virtual Servers PDF
No ratings yet
AskF5 - Manual Chapter - About Virtual Servers PDF
10 pages
Configuration Guide For BIG-IP Access Policy Manager
No ratings yet
Configuration Guide For BIG-IP Access Policy Manager
428 pages
F5 201 - Study Guide - TMOS Administration r2
No ratings yet
F5 201 - Study Guide - TMOS Administration r2
108 pages
Checkpoint CCSA by Keith Barker Site To Site VPN
100% (1)
Checkpoint CCSA by Keith Barker Site To Site VPN
41 pages
Firepower NGFW Labpdf PDF
No ratings yet
Firepower NGFW Labpdf PDF
119 pages
Trusted Application Access Playbook: Based On Access Policy Manager (APM)
No ratings yet
Trusted Application Access Playbook: Based On Access Policy Manager (APM)
23 pages
FTD Ips
No ratings yet
FTD Ips
186 pages
Brksec 2050
No ratings yet
Brksec 2050
103 pages
Brksec 2050
No ratings yet
Brksec 2050
115 pages
Brksec 2348 SGT
No ratings yet
Brksec 2348 SGT
159 pages
2020
No ratings yet
2020
267 pages
BRKSEC 31s26
No ratings yet
BRKSEC 31s26
91 pages
McAfee SIEM ESM10 Best Practices For Alarms
No ratings yet
McAfee SIEM ESM10 Best Practices For Alarms
28 pages
Cisco SRA - Chap4
No ratings yet
Cisco SRA - Chap4
42 pages
Introduction To Risk Management
100% (1)
Introduction To Risk Management
44 pages
BYOD Enterprise Security Architecture Master Thesis - Vasileios Samaras
100% (1)
BYOD Enterprise Security Architecture Master Thesis - Vasileios Samaras
106 pages
Octave Framework 1999 v1
No ratings yet
Octave Framework 1999 v1
84 pages
How To Implement NIST Cybersecurity Framework Using ISO 27001
100% (3)
How To Implement NIST Cybersecurity Framework Using ISO 27001
16 pages
Catalogo de Amenazas PDF
No ratings yet
Catalogo de Amenazas PDF
2 pages
SABSA White Paper
No ratings yet
SABSA White Paper
17 pages
Honors - Energy Management in Utility Systems - 2019 Course - 01122021
No ratings yet
Honors - Energy Management in Utility Systems - 2019 Course - 01122021
14 pages
DLL Els Quarter 1 Week 3
No ratings yet
DLL Els Quarter 1 Week 3
3 pages
(Ebook) Cause and Correlation in Biology: A User's Guide To Path Analysis, Structural Equations and Causal Inference by Bill Shipley ISBN 9780521529211, 0521529212 PDF Download
No ratings yet
(Ebook) Cause and Correlation in Biology: A User's Guide To Path Analysis, Structural Equations and Causal Inference by Bill Shipley ISBN 9780521529211, 0521529212 PDF Download
54 pages
Abeya Merga Research
No ratings yet
Abeya Merga Research
45 pages
Qadaqadar PDF
No ratings yet
Qadaqadar PDF
4 pages
Computer Note - Copy (SS3)
No ratings yet
Computer Note - Copy (SS3)
30 pages
CUCOH 2013 Executive Application
No ratings yet
CUCOH 2013 Executive Application
4 pages
MC 10161751 9999
No ratings yet
MC 10161751 9999
3 pages
I Love You - PDF Room
No ratings yet
I Love You - PDF Room
48 pages
MOFP - Families Fabaceae, Brassicaceae, Malvaceae
No ratings yet
MOFP - Families Fabaceae, Brassicaceae, Malvaceae
2 pages
Renal Diseases Pathophysiology
100% (1)
Renal Diseases Pathophysiology
6 pages
7 Key Principles of Apparel Costing - Textile Tutorials
No ratings yet
7 Key Principles of Apparel Costing - Textile Tutorials
2 pages
Understanding Operating Systems 7th Edition by Ida Flynn, Ann McIver McHoes 128509655X 978-1285096551instant Download
100% (4)
Understanding Operating Systems 7th Edition by Ida Flynn, Ann McIver McHoes 128509655X 978-1285096551instant Download
85 pages
Math g1 m2 Full Module
No ratings yet
Math g1 m2 Full Module
379 pages
Fluid Mechanics
No ratings yet
Fluid Mechanics
9 pages
Senior Software Engineer Web Api 11
No ratings yet
Senior Software Engineer Web Api 11
7 pages
Solution Test2
No ratings yet
Solution Test2
6 pages
Characteristics of Effective Technical Communication: Section .1
No ratings yet
Characteristics of Effective Technical Communication: Section .1
23 pages
m2l12 PDF
No ratings yet
m2l12 PDF
8 pages
3) Unemployment and Types of Unemployment
No ratings yet
3) Unemployment and Types of Unemployment
4 pages
African Traditional Religion (ATR)
100% (1)
African Traditional Religion (ATR)
18 pages
Narration Final
100% (2)
Narration Final
28 pages
FEA-Academy Course On-Demand - Practical Basic FEA
No ratings yet
FEA-Academy Course On-Demand - Practical Basic FEA
35 pages
DIVIDENDS
No ratings yet
DIVIDENDS
2 pages
(Ebook) Edexcel A Level Biology Studentbook 1 by Ed Lees ISBN 9781471807343, 1471807347 - Discover The Ebook With All Chapters in Just A Few Seconds
No ratings yet
(Ebook) Edexcel A Level Biology Studentbook 1 by Ed Lees ISBN 9781471807343, 1471807347 - Discover The Ebook With All Chapters in Just A Few Seconds
47 pages
Kirubel
No ratings yet
Kirubel
26 pages
Hybrid Organizations:: O, S, I, I
No ratings yet
Hybrid Organizations:: O, S, I, I
8 pages
Catalogue Mitsubishi 6D24TC
No ratings yet
Catalogue Mitsubishi 6D24TC
2 pages