Configuring Sensitive Data Detection

Because sensitive data detection can have a high impact on the performance of your system, Cisco recommends that you adhere to the following guidelines:

Choose the No Rules Active default policy as your base intrusion policy.
Ensure that the following settings are enabled in the corresponding network analysis policy:
- FTP and Telnet Configuration under Application Layer Preprocessors
- IP Defragmentation and TCP Stream Configuration under Transport/Network Layer Preprocessors.

Before you begin

For classic devices, this procedure requires the Protection or Control license.

Procedure

Step 1

Choose Policies > Access Control > Intrusion

Step 2

Click Snort 2 Version next to the policy you want to edit.

If View ( View button ) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 3

Click Advanced Settings in the navigation panel.

Step 4

If Sensitive Data Detection under Specific Threat Detection is disabled, click Enabled.

Step 5

Click Edit ( edit icon ) next to Sensitive Data Detection.

Step 6

You have the following choices:

Modify the global settings as described in Global Sensitive Data Detection Options.
Choose a data type in the Targets section, and modify the data type configuration as described in Individual Sensitive Data Type Options.
If you want to inspect custom sensitive data, create a custom data type; see Custom Sensitive Data Types.

Step 7

Add or remove application protocols to monitor for a data type; see Monitored Application Protocols and Sensitive Data.

Note	To detect sensitive data in FTP traffic: Ensure that the file policy is enabled for the access control policy. You must add the `Ftp data` application protocol.

Step 8

Optionally, to display sensitive data preprocessor rules, click Configure Rules for Sensitive Data Detection.

You can enable or disable any of the listed rules. You can also configure sensitive data rules for any of the other actions available on the Rules page, such as rule suppression, rate-based attack prevention, and so on; see Intrusion Rule Types for more information.

Step 9

To save changes you made in this policy since the last policy commit, click Policy Information in the navigation panel, then click Commit Changes.

If you enable sensitive data preprocessor rules in your policy without enabling sensitive data detection, you are prompted to enable sensitive data detection when you save changes to your policy.

If you leave the policy without committing changes, changes since the last commit are discarded if you edit a different policy.

What to do next

If you want to generate intrusion events, enable Sensitive Data Detection rules 138:2, 138:3, 138:4, 138:5, 138:6, 138:>999999, or 139:1. For more information, see Intrusion Rule States, Global Sensitive Data Detection Options, System-Provided Sensitive Data Types, and Custom Sensitive Data Types.
Deploy configuration changes.