This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Help

Who rated this post

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
PhoneBoy
Admin
Admin
‎2024-06-10 03:49 PM
In response to Gongya_Yu

The first rule that matches the connection (based on rulebase order) is the one that generally applies.
However, some services/applications can NOT be identified on the first packet (i.e. the TCP SYN).
Consider the following example:

image.png

Let's assume we are making an HTTP connection (port 80) to a given website.
The first packet does not contain enough information to determine which of these rules will ultimately apply as:

  • No files have been transferred yet
  • We don't know what website you are accessing until the HTTP Host header is seen

In this context, all three rules are potential matches.
Since at least one of them has an Accept action, we allow the traffic until we have enough to properly classify the connection.
If we do not receive enough information before the connection ultimately terminates (e.g. TCP FIN/FIN-ACK), you get the  CPNotEnoughDataForRuleMatch message.

In your case, I'm guessing the first rule that "potentially matches" the relevant traffic includes either:

  • Something that is NOT a TCP/UDP Service Object
  • Contains the tracking "Detailed" or "Extended" (these logs activate App Control)
  • Uses Content Awareness (less likely, but possible)

Rules with these characteristics cannot be matched on the first packet.

View solution in original post

(1)
Who rated this post