Policy Creation Guide for Fidelis XPS

The 'Guide to Creating Policies' for Fidelis XPS version 8.0.1 provides comprehensive instructions for security personnel on how to configure policies, rules, and fingerprints to protect digital assets. It includes detailed chapters on various components of policy creation, including fingerprints, rules, and assignments, as well as best practices for effective implementation. The document also outlines technical support resources and intended audience information.


Guide to Creating Policies
Version 8.0.1
Copyright © 2002–2015 by General Dynamics Fidelis Cybersecurity Solutions, Inc.
All rights reserved worldwide.

Fidelis XPS™, version 8.0.1

Guide to Creating Policies, version 8.0.1

Revised 2015

Users are granted permission to copy and/or distribute this document in its original electronic form
and print copies for personal use. This document cannot be modified or converted to any other
electronic or machine-readable form in whole or in part without prior written approval of General
Dynamics Fidelis Cybersecurity Solutions, Inc.
While we have done our best to ensure that the material found in this document is accurate,
General Dynamics Fidelis Cybersecurity Solutions, Inc. makes no guarantee that the
information contained herein is error free.
Fidelis XPS includes GeoLite data created by MaxMind, available from [Link]

General Dynamics Fidelis Cybersecurity Solutions, Inc.
4416 East West Highway, Suite 310
Bethesda, MD 20814

Table of Contents

Preface............................................................................................................................................................ 1
Intended Audience ....................................................................................................................................... 1
Available Guides .......................................................................................................................................... 1
Technical Support ........................................................................................................................................ 2
Fidelis XPS™ Policy Overview ..................................................................................................................... 3
Insight .......................................................................................................................................................... 3
Custom Policy .............................................................................................................................................. 4
Fingerprints .............................................................................................................................................. 4
Rules ....................................................................................................................................................... 4
Macros ..................................................................................................................................................... 4
Policies .................................................................................................................................................... 4
Assignments ............................................................................................................................................ 4
Primary Rule Actions ................................................................................................................................... 5
Alert ......................................................................................................................................................... 5
Prevent .................................................................................................................................................... 5
Flag Host ................................................................................................................................................. 5
Tag Metadata........................................................................................................................................... 6
Throttle .................................................................................................................................................... 6
Quarantine ............................................................................................................................................... 6
Reroute .................................................................................................................................................... 6
Remove Attachments .............................................................................................................................. 6
MDE Filtered ............................................................................................................................................ 7
Whitelist ................................................................................................................................................... 7
Malware Exception .................................................................................................................................. 7
Secondary Rule Actions .............................................................................................................................. 7
Capture Forensics ................................................................................................................................... 8
Capture Packets ...................................................................................................................................... 8
Email Handling......................................................................................................................................... 8
Understanding the Decoding Tree ............................................................................................................... 8
Context and Content .................................................................................................................................. 10
Parallel Processing .................................................................................................................................... 11
The Impact of Time .................................................................................................................................... 11
Sliding Windows ........................................................................................................................................ 13
Cross-Session Analysis ............................................................................................................................. 13

Fidelis XPS Guide to Creating Policies Table of Contents iii


Flagged Host ......................................................................................................................................... 14
Collector Analytics ................................................................................................................................. 14
Understanding the Malware Detection Engine ........................................................................................... 15
Alert Processing......................................................................................................................................... 16
Understanding Fidelis XPS Mail Processing .............................................................................................. 17
Chapter 1 Getting Started with Policies..................................................................................................... 18
Fidelis Threat Research Team Policies, Rules, and Fingerprints .............................................................. 19
Policy Tracking .......................................................................................................................................... 19
Naming Policies and Policy Components .................................................................................................. 19
Policy Versions .......................................................................................................................................... 19
Hide Versions ............................................................................................................................................ 20
Display Versions ........................................................................................................................................ 20
Activate a Version .................................................................................................................................. 20
Delete a Version .................................................................................................................................... 21
Policy Wizard ............................................................................................................................................. 21
Create Policies from Fingerprints............................................................................................................... 21
Create Policies from Rule or Policy Edit Pages ......................................................................................... 23
Regular Expressions in Fidelis XPS .......................................................................................................... 24
Character Escaping ................................................................................................................................... 24
Using Regular Expressions ....................................................................................................................... 24
Chapter 2 The Fingerprint Page ................................................................................................................. 25
Access a Fingerprint Page......................................................................................................................... 25
Display Content ......................................................................................................................................... 26
Edit a Fingerprint ....................................................................................................................................... 26
Copy a Fingerprint ..................................................................................................................................... 26
Export a Fingerprint ................................................................................................................................... 27
Delete a Fingerprint ................................................................................................................................... 27
Encrypted Fingerprints............................................................................................................................... 27
Chapter 3 Locations .................................................................................................................................... 28
Location Pages .......................................................................................................................................... 28
Define a Location ....................................................................................................................................... 29
Edit a Location Fingerprint ......................................................................................................................... 29
Define Countries ........................................................................................................................................ 30
Define Directories ...................................................................................................................................... 31
Define Email Feed ..................................................................................................................................... 32
Define Flagged Hosts ................................................................................................................................ 32
Define IP Addresses .................................................................................................................................. 33
Define Reputation ...................................................................................................................................... 35
Reputation Fingerprints and URL Prevention ............................................................................................ 35
Reputation Fingerprints and UDP Prevention ............................................................................ 35
Chapter 4 Channels ..................................................................................................................................... 37
Channel Parameters .................................................................................................................................. 37
Channel Pages .......................................................................................................................................... 37
Define a Channel Fingerprint ..................................................................................................................... 38
Define Conditions for a Channel Fingerprint .............................................................................................. 39
Define Attributes ........................................................................................................................................ 41
Define Decoding Path ................................................................................................................................ 42
Decoding Path Regular Expression ........................................................................................................... 43
Attribute Value Regular Expression ........................................................................................................... 43
Define Date Attributes................................................................................................................................ 44
Email Recipients ........................................................................................................................................ 45
Edit a Channel Fingerprint ......................................................................................................................... 45
Decoder Attributes for Channels ................................................................................................................ 46
Fidelis XPS Decoders ................................................................................................................................ 46
Protocol Decoder Attributes and Values .................................................................................................... 47
Format Decoder Attributes and Values ...................................................................................................... 60
Attributes for Protocol and Format Decoders............................................................................................. 67
Quality, Encryption String, and Hash Values ............................................................................................. 73
Protocol and Format Decoding Paths ........................................................................................................ 74
Chapter 5 Content........................................................................................................................................ 76
Profiling and Registration........................................................................................................................... 76
Content Pages ........................................................................................................................................... 77
Add a Content Fingerprint.......................................................................................................................... 78
Edit a Content Fingerprint .......................................................................................................................... 78
The General Page ..................................................................................................................................... 79
Binary Profile ............................................................................................................................................. 80
Contrasting Binary Profile with Other Analyzers ........................................................................................ 80
Define Binary Profile .................................................................................................................................. 80
Binary Profile Score ................................................................................................................................... 81
Embedded Images..................................................................................................................................... 81
Define Embedded Images ......................................................................................................................... 81
Embedded Images Score .......................................................................................................................... 83
Encrypted Files .......................................................................................................................................... 83
Define Encrypted Files............................................................................................................................... 83
Encrypted Files Score................................................................................................................................ 83
Exact Content ............................................................................................................................................ 84
Define Exact Content ................................................................................................................................. 84
Exact Content Score .................................................................................................................................. 85
Filenames .................................................................................................................................................. 86
Define Filenames ....................................................................................................................... 86
Filenames Score ........................................................................................................................................ 86
Filenames Regular Expression .................................................................................................................. 86
File Signature ............................................................................................................................................ 87
Define File Signature ................................................................................................................................. 87
File Signature Score .................................................................................................................................. 87
Understand Identity Profile ........................................................................................................................ 88
Pattern Recognition ................................................................................................................................... 88
Prebuilt Patterns .................................................................................................................................... 88
Customize .............................................................................................................................................. 88
Strictness ............................................................................................................................................... 88
Custom Patterns .................................................................................................................................... 88
Pattern Count ............................................................................................................................................ 89
Frequency Analysis ................................................................................................................................... 89
Expected Distribution ................................................................................................................................. 89
Low Pass Filter .......................................................................................................................................... 90
Using Identity Profile .................................................................................................................................. 90
Define Identity Profile................................................................................................................................. 91
Pattern Regular Expression ....................................................................................................................... 97
Strictness in Identity Profile ....................................................................................................................... 97
Details: Strictness by Pattern ..................................................................................................................... 98
Testing Strictness .................................................................................................................................... 108
Identity Profile Score................................................................................................................................ 108
Keywords ................................................................................................................................................. 109
Define Keywords Manually ...................................................................................................................... 109
Generate Keywords ................................................................................................................................. 110
Keywords Score....................................................................................................................................... 111
Keyword List ............................................................................................................................................ 111
Define Keyword List ................................................................................................................................. 111
Keyword List Score .................................................................................................................................. 113
Keyword Sequence.................................................................................................................................. 113
Define Keyword Sequence Manually ....................................................................................................... 113
Generate Keyword Sequence .................................................................................................................. 114
Keyword Sequence Score ....................................................................................................................... 115
Synonyms for Keywords and Keyword Sequence ................................................................................... 115
Partial Content ......................................................................................................................................... 116
Define Partial Content.............................................................................................................................. 117
Partial Content Score............................................................................................................................... 118
Protocol Signature ................................................................................................................................... 118
Define Protocol Signature ........................................................................................................................ 118
Protocol Signature Score ......................................................................................................... 120
Regular Expression ................................................................................................................................. 120
Define Regular Expressions .................................................................................................................... 120
Regular Expression Score ....................................................................................................................... 121
URL Feed in Content ............................................................................................................................... 122
Define URL Feed in Content.................................................................................................................... 122
Content URL Score.................................................................................................................................. 122
YARA Rules ............................................................................................................................................. 123
Test Content Fingerprints ........................................................................................................................ 124
Test Results for Content Fingerprints ...................................................................................................... 124
Basic Test Results ................................................................................................................................... 124
Verbose Test Results .............................................................................................................................. 127
Chapter 6 Fingerprint Macros ................................................................................................................... 135
Define a Fingerprint Macro ...................................................................................................................... 135
Copy a Fingerprint Macro ........................................................................................................................ 136
Delete a Fingerprint Macro ...................................................................................................................... 136
Chapter 7 Rules ......................................................................................................................................... 138
Rule Components .................................................................................................................................... 138
Rules Pages ............................................................................................................................................ 138
Access Rules ........................................................................................................................................... 139
Rules and the Fidelis Policy Feed............................................................................................................ 139
Define a Rule ........................................................................................................................................... 140
Create an Expression .............................................................................................................................. 142
To create a rule expression for a custom rule: ..................................................................................... 143
To modify a rule expression in a Fidelis rule: ....................................................................................... 143
Unsynced Rules................................................................................................................................... 144
Create an Alert Summary ........................................................................................................................ 144
Select a Rule Action ................................................................................................................................ 146
Primary Rule Actions ............................................................................................................................... 146
Alert ..................................................................................................................................................... 146
Prevent ................................................................................................................................................ 147
Flag Host ............................................................................................................................................. 147
Tag Metadata....................................................................................................................................... 147
Throttle ................................................................................................................................................ 147
Quarantine ........................................................................................................................................... 148
Reroute ................................................................................................................................................ 148
Remove Attachments .......................................................................................................................... 148
MDE Filtered ........................................................................................................................................ 148
Whitelist ............................................................................................................................................... 149
Malware Exception .............................................................................................................................. 149
Secondary Rule Actions .......................................................................................................................... 149

Fidelis XPS Guide to Creating Policies Table of Contents vii


Capture Forensics ............................................................................................................................... 149
Capture Packets .................................................................................................................................. 150
Email Handling..................................................................................................................................... 150
Copy a Rule ............................................................................................................................................. 151
Export a Rule ........................................................................................................................................... 151
Delete a Rule ........................................................................................................................................... 151
Chapter 8 Policies...................................................................................................................................... 152
Policy Operations..................................................................................................................................... 152
Expand Policy Information ....................................................................................................................... 153
Policies Page ........................................................................................................................................... 153
Define a Policy ......................................................................................................................................... 154
Copy a Policy ........................................................................................................................................... 155
Export Policies ......................................................................................................................................... 155
Delete a Policy ......................................................................................................................................... 156
Chapter 9 Assignments............................................................................................................................. 157
Assign a Policy ........................................................................................................................................ 157
Hierarchical Management and Assigning Policies ................................................................................... 158
Export Assigned Policies ......................................................................................................................... 158
View Update Log ..................................................................................................................................... 159
Chapter 10 Insight ..................................................................................................................................... 160
Hierarchical Management and Feeds ...................................................................................................... 160
Feed Config ............................................................................................................................................. 160
Access Feed Config................................................................................................................................. 160
Status Values .......................................................................................................................................... 161
Configure the Fidelis Feed....................................................................................................................... 161
Custom Feeds ......................................................................................................................................... 162
Create the Feed File ................................................................................................................................ 162
Feed Content Types ................................................................................................................................ 162
Field Names ............................................................................................................................................ 163
Format Types .......................................................................................................................................... 164
CSV Format ......................................................................................................................................... 164
XML Format ......................................................................................................................................... 165
URL Wildcards (CSV and XML feed formats) ...................................................................................... 166
IP List................................................................................................................................................... 167
Add and Configure Custom Feeds........................................................................................................... 168
To add a new feed: .............................................................................................................................. 168
To configure the feed: .......................................................................................................................... 168
Hierarchical Management of Feeds ..................................................................................................... 170
IP-to-ID Config ......................................................................................................................................... 170
Access IP-to-ID Config ............................................................................................................................ 170

Configure IP-to-ID Feeds ......................................................................................................................... 170
Custom IP-to-ID XML File Format............................................................................................................ 171
Test Feed Configuration .......................................................................................................................... 172
Policy Feed .............................................................................................................................................. 173
Policy Update and Policy Assignments to Sensors.................................................................................. 175
Insight Policy Tuning................................................................................................................................ 176
Collector Feed ......................................................................................................................................... 177
Chapter 11 Import ...................................................................................................................................... 179
Appendix A: Best Practices for Policy Creation ..................................................................................... 181
Understanding Policy Operations ............................................................................................................ 181
Using the Fidelis Insight Policy Feed ....................................................................................................... 181
Performance Considerations ................................................................................................................... 182
Binary Profile and YARA ...................................................................................................................... 182
Regular Expressions............................................................................................................................ 183
Channel Attributes ............................................................................................................................... 183
Keyword Lists ...................................................................................................................................... 183
Leverage XPS Decoders and Decoding Paths ........................................................................................ 183
Use Data Transfer Direction to Your Advantage ...................................................................................... 183
Alerts Per Rule Per Session .................................................................................................................... 184
Considerations for Prevention ................................................................................................................. 184
Considerations for Collector Analytics ..................................................................................................... 186
Appendix B: Air Gap License .................................................................................................................. 187
Configuration Required for Air Gap Customers ....................................................................................... 187
Daily Requirements for Air Gap Operations ............................................................................................. 188

Preface
This guide describes the policies, rules, and fingerprints and how to use the Fidelis XPS™
CommandPost GUI to configure these elements to protect your enterprise.
This guide contains the following chapters:
The Overview provides a description of Fidelis XPS policies, policy components, and how to
maximize their performance.
Chapter 1 Getting Started provides an overview of Fidelis XPS policies, rules, and fingerprints.
Chapter 2 describes the fingerprint page.
Chapter 3 describes location fingerprints.
Chapter 4 describes channel fingerprints.
Chapter 5 describes content fingerprints.
Chapter 6 describes fingerprint macros.
Chapter 7 describes rules that contain fingerprints.
Chapter 8 describes the policies that include the rules.
Chapter 9 describes how to assign policies to a sensor.
Chapter 10 describes how to configure Insight options to use threat intelligence from General
Dynamics Fidelis Cybersecurity Systems, Inc.
Chapter 11 describes how to import policies.
Appendix A describes best practices.
Appendix B describes how to configure an Air Gap license.

Intended Audience
This guide is intended for security personnel responsible for the creation and enforcement of
policies regarding the security of digital assets, confidential information, and the acceptable use of
computer resources.
The policy manager is expected to be a heavy user of the system during the first weeks after
installation. Once policies are established and running on a sensor, however, the policy manager
will probably use Fidelis XPS infrequently.

Available Guides
In addition to this guide, the following are available:
The User Guide describes the CommandPost and how to use it to configure components and
manage alerts. This guide also provides instructions on managing users and their credentials.
The Enterprise Setup and Configuration Guide describes how to set up and configure Fidelis XPS
appliances.
Release Notes are updated with each release to provide information about new features, major
changes, and bugs corrected.

Fidelis XPS Guide to Creating Policies 1


Technical Support
For all technical support related to this product, check with your site administrator to determine
support contract details. Contact your reseller or if you have a direct support contract, contact the
General Dynamics Fidelis Cybersecurity Solutions support team at:
Phone: +1 301.652.7190*
Toll-free in the US: 1.800.652.4020*
*Use the customer support option.
Email: support@[Link]
Web: [Link]

Fidelis XPS™ Policy Overview
Fidelis XPS sensors operate under the direction of policies. The policies may come from Fidelis in
the form of the Fidelis Insight Policy feed or may be created by a CommandPost administrator with
a proper role. The administrator may create policies by copying or modifying the Fidelis Insight
policies or by creating them from scratch. This section will cover the information required to
understand the operation of Fidelis XPS sensors to help the policy writer develop effective policies.
This Overview is comprised of the following sections:

• Insight describes the intelligence provided by Fidelis.
• Custom Policy provides a description of the components of a policy: policy, rules,
fingerprints, macros, and assignments.
• Understanding the Decoding Tree provides information about how the Fidelis XPS
sensors decode and analyze network traffic. This information should be understood by the
policy writer in order to create effective and efficient policies.
• Understanding the Malware Detection Engine provides information about the MDE. This
information should be understood by the policy writer in order to avoid duplication of effort,
regarding malware detection.
• Alert Processing describes the storage of alert and session data.
• Policy Best Practices provides advice to the policy writer.

Insight
Fidelis provides threat intelligence, which is available for your use. Insight comes in four forms:

• Feeds: Provides streaming data of IP addresses, URLs, Domains, Email addresses, and
MD5 file hashes. The data is applied to rules within the Policy Feed to detect malicious
activity on your network. Custom feeds can be created to provide data to custom policies.
Custom feeds can be dynamic feeds or one-time manual uploads of data.
• IP-to-ID: Provides mapping between IP addresses and user identification. This mapping
must be configured and provided within your network. If available, IP-to-ID can greatly
enrich alert data and can be used to set policy based on your Active Directory or LDAP
settings.
• Policy Feed: Provides threat intelligence in the form of policies from Fidelis. You may
choose to subscribe to any or all of the available policies. The policies are updated as
necessary by Fidelis as a result of the research that is published at [Link]
• Collector Feed: Each day, new data is added to the streaming feeds. On a daily basis,
MD5 file hashes can be searched retroactively through your Collector data to generate
alerts. For example, malware may have crossed your network yesterday, undetected as
malware, while new intelligence available today determines the file to be malicious.
If you have Fidelis XPS Collector and enable the Collector Feed, you will see an alert. In
most cases, where the original malware download was detected in real time, Collector will not
generate a duplicate alert even if the hash is later streamed through a feed.
For details about Insight configuration, refer to Insight.
Note: The policy feed relies on the collection of statistics from Fidelis customers that
use the feed. Based on the returned data, Fidelis researchers can tune these policies
for maximum efficiency. When you enable the policy feed, you must also agree to
provide statistical data to Fidelis.

Custom Policy
Policies can be created to detect and react to any network activity. The policy development process
begins with the creation of fingerprints, then rules, policies, and assignments. The Policy Wizard
can be used to guide you through the process.

Fingerprints
Fingerprints are the most basic component. Over twenty fingerprint types are available, grouped
into content, channel, and location fingerprints. A fingerprint defines one aspect of behavior; on its
own it does not indicate whether that behavior is good or bad.
Content fingerprints detect the data within a transmission. This may be a file, the body of an email
message, a chat message, or any other format used to transmit text or binary data. Fidelis XPS
sensors iterate through content formatting to reveal the embedded text or binary. This allows the
sensor to reveal content buried under many layers of encapsulation, such as Zip, embedded files,
MIME, Base64 encoding, and many more. Refer to Content for details.
Location fingerprints are used to detect the source or destination of a data transmission. The
source or destination may be described by an IP address, the contents of a feed, user attributes
extracted from Active Directory or LDAP, an email address, a country, or a flagged host. Refer to
Locations for details.
Channel fingerprints refer to all other aspects of the network communication. This includes the
application protocol, the application, the file format, and all attributes of the exchange including all
protocol and file attributes, the time of day, and the duration of the communication. Refer to
Channels for details.

Rules
Rules provide instructions to Fidelis XPS sensors. They provide a logical expression of fingerprints
and describe the reaction when violating network traffic is discovered. The rule also provides
instructions for the representation of the violation in an alert by describing the severity, summary,
and initial alert management group for any alert generated by the rule. Refer to Rules for details.
The rule, as expressed by fingerprints, can be described as
Generate ACTION if CONTENT is detected over CHANNEL coming from (or to) LOCATION

Macros
Macros provide a shorthand for use in a rule. A macro is a logical combination of fingerprints of the
same kind (content, channel, or location). If the policy writer finds that a certain logical combination
of fingerprints is required in many rules, a macro reduces the burden of creating and maintaining
those rules. Refer to Macros for details.

Policies
A policy is a collection of rules. The choice of which rules to group together into a single policy is
left to the policy writer.
A whitelist is a special-purpose rule that acts as an exception to every other rule within its policy.

Assignments
A policy does not take effect until it is assigned to a sensor. Until it is assigned, it is left as a work in
progress on CommandPost. Once policies are assigned to sensors, the sensor must be updated to
begin working with the new policies.
Sensor update is left as a manual process to be triggered when the policy writer deems that a
policy is ready for deployment.

Primary Rule Actions
When a rule violation is detected, the Fidelis XPS sensor reacts by performing the action specified
in the rule. Alert may be the only action taken, or it may be combined with one other primary
action. The remaining primary actions in this section are mutually exclusive with one another.

Alert
Alert is the only primary action that can be combined with other primary actions. When an alert
action is taken, alert information is collected by the sensor and sent to CommandPost for storage.
The alert data is first encrypted and held in a temporary spool file on the sensor disk.
Communication to CommandPost is performed over an encrypted channel.
Alert information and forensic data are created and sent to CommandPost immediately following
the detection of a rule violation. The sensor continues to record the session and analyze it for
other rule violations. When the session is complete, the recorded session data is sent to CommandPost.
Depending on the network protocol, the recorded session may arrive at CommandPost several
minutes after the alert data. A recorded session refers to network data captured by Fidelis XPS
Direct and Internal sensors. Fidelis XPS Mail and Web sensors operate on objects and refer to the
recorded object. The object for Fidelis XPS Mail is an email message, including all attachments.
The object for Fidelis XPS Web is the ICAP message received from a third party proxy.
Note: Recorded session data and objects will not be available if the rule action
included Prevent. In this case, the session is not recorded and no session data is sent
to CommandPost. Similarly, if a rule disables Capture Forensics, all alerts generated
by any rule on the violating network session will lack a recorded session or object.
Alert information is available at the CommandPost and is accessible at the Alerts page. At this
page, you can filter which alerts display, search for specific alert attributes, and research details
about alerts. Refer to Understand and Manage Alerts. Information about each alert is available at
Alert Details.
Refer to chapter 4 of the User Guide.

Prevent
Prevent blocks the data transmission; the mechanism depends on the sensor type and how the
sensor is configured.
For a Direct or Internal sensor, the Prevent action is determined by how the sensor is configured:

• In out-of-band mode with TCP Reset enabled: the sensor issues TCP reset packets to kill
the session. If TCP Reset is disabled: the prevent action has no effect. UDP sessions
cannot be prevented and no action is taken.
• In inline mode the sensor drops all incoming packets for the remainder of the TCP session.
If TCP Resets are enabled, the sensor will also issue reset packets to the appropriate
endpoint to more efficiently terminate the session. UDP sessions can be prevented when
inline for certain rules. For Direct and Internal sensors, prevention cannot be guaranteed.
Refer to Considerations for Prevention.
For a Web sensor, the end user is redirected to the provided URL. If no URL is provided, the user
receives an HTTP 403 error. These actions are carried out by the third-party proxy in your
network, not by the sensor itself.
For a Mail sensor, the email message will not be accepted. This will cause the sending Mail
Transfer Agent (MTA) to notify the email sender that the message was not delivered. This
notification is delivered by the enterprise email environment, not by Fidelis XPS sensors. For a
more user-friendly approach to email, consider the Quarantine action instead of Prevent.

Flag Host
Fidelis XPS sensors can flag IP addresses for future reference. Whenever malware is detected, the
IP address of the host is flagged by the Malware Detection Engine. The policy writer can also flag
hosts as the result of any rule violation.

A flagged host can be used in a Location fingerprint to identify IP Addresses that have previously
received malware or violated a rule that flagged the host. Flagged host fingerprints can be used in
other rules to provide context to suspicious network activity.
Refer to Define Flagged Host.

Tag Metadata
Fidelis XPS sensors generate metadata for every network transaction, which is sent to a Fidelis
XPS Collector for storage and analysis. Metadata includes a tag, which is the name of the rule that
was violated by the network transaction. Tags are included with metadata for any rule that was
violated, regardless of the action.
If you choose the Tag Metadata action, the rule name is included with the metadata, but no
other action is performed by the Fidelis XPS sensor. In particular, no alert is generated.
For details about the power of metadata tags, refer to chapter 7 in the User Guide.

Throttle
Throttle reduces the bandwidth consumed by applications (such as peer-to-peer or instant
messaging) that are allowed on the network but should not be allowed to use it without limit.
Throttle lets you control their use and bandwidth by holding their activity to an acceptable level. It
is implemented by randomly dropping packets and manipulating the TCP window sizes of offending
sessions until the prescribed bandwidth is reached.
Throttle is only available for Fidelis XPS Direct and Internal sensors in inline mode. Out of band
Direct and Internal sensors, as well as Fidelis XPS Mail and Web sensors, will ignore the throttle
action.

Quarantine
Email is quarantined by a Fidelis XPS Mail sensor when it violates a rule that specifies the
Quarantine action. Quarantined email resides in the Mail queue of the sensor until a quarantine
manager or the sender of the quarantined email takes action, or until the email expires.
The Mail sensor operates on email messages. Because of the nature of email, the Mail sensor can
analyze an entire email at once, and take action if policy violations are found. Other sensors
operate on data in real time and may create multiple alerts with different actions based on the
violated rules. A Mail sensor will take one action on the message, even in the case where multiple
rules are violated with different actions.
Quarantine is only available on Fidelis XPS Mail sensors. All other sensor types will ignore this
action.
Refer to chapter 5 in the User Guide.

Reroute
The Fidelis XPS Mail sensor reroutes an offending email message by adjusting the To field of the
message. The downstream mail server configured in the sensor’s configuration settings will take
the rerouting action. Reroute is only available on Fidelis XPS Mail sensors. All other sensor types
will ignore this action.
Refer to chapter 5 in the User Guide for more information.

Remove Attachments
The Fidelis XPS Mail sensor removes all attachments from the offending email message. A single
text file is attached in their place, stating that the attachments were removed.
Remove Attachments is only available on Fidelis XPS Mail sensors. All other sensor types will
ignore this action.

MDE Filtered
The MDE Filtered action can be used to direct objects to the Malware Detection Engine for
analysis. By default, the MDE automatically analyzes all object types that are known malware
vectors (including executables, PDF, and Office files that may contain embedded scripts) and
generates an alert when an object is determined to be malicious.
In some environments, the automatic malware policy may generate too many alerts. There are
typically two reasons for this result:

• Known and acceptable malware transfers on the network. This may include a collection of
samples on the network to or from known hosts or servers, known users on the network that
collaborate on malware samples, known network paths where malware detection is
performed downstream. In these cases, the Malware Exception action should be used. See
below.
• Malware detection that is not relevant to your organization. Because the MDE is operating
on a large variety of files, it may generate alerts on objects that may be blocked by
downstream network appliances. To address this concern, the policy writer can create rules
with the action of MDE Filtered. Any object that meets the rule criteria will be sent to MDE
for analysis. An alert will be generated only if the object is determined to be malicious. If you
choose to write these rules, visit System>Malware>Malware Detection and disable
automatic Malware Policy. This places MDE detection exclusively under the control of the
policy author.
Using the MDE Filtered action is not recommended. Use of Malware Exception rules is highly
recommended if there is a need to omit certain transactions from analysis.

Whitelist
A rule with the whitelist action provides an exception to every rule within the policy to which it is
assigned. Consider an example where specified senders and receivers are permitted to transfer
credit card data for legitimate business reasons. You could create a rule that fires only for
illegitimate transfers by writing a rule expression such as:
Credit_cards AND NOT (business_sender AND business_receiver)
Now suppose that the exception of business_sender and business_receiver should be applied to
many rules. You can write all of your rules in this fashion or you can create a single rule with the
whitelist action. For the example above, the whitelist rule action would be:
business_sender AND business_receiver
By adding this rule to the policy that included the rule for credit card detection the same effect
would be carried out by the Fidelis XPS sensor.
Use of a whitelist rule can reduce the effort of the policy writer to tune and modify rules when
exceptions are required.
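To make the equivalence concrete, here is an added example (not code from this guide or from Fidelis) that models fingerprints as predicates over a session record, rules as expressions over those predicates, and a whitelist rule as a policy-wide exemption. The session records, fingerprint names and rule names are constructed for the example. It runs the same three detection rules once with the exception written into each expression and once with a single whitelist rule, and reports where the two policies disagree.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed session records holding the attributes a sensor would have extracted.
SESSIONS: Dict[str, dict] = {
    "card-to-partner": {"from": "billing@corp.test", "to": "ap@partner.test",
                        "content": "paid with card 4111 1111 1111 1111", "filetype": "pdf"},
    "card-to-webmail": {"from": "billing@corp.test", "to": "someone@webmail.test",
                        "content": "card 4111 1111 1111 1111", "filetype": "txt"},
    "ssn-to-partner":  {"from": "hr@corp.test", "to": "ap@partner.test",
                        "content": "SSN 123-45-6789", "filetype": "txt"},
    "exe-to-partner":  {"from": "billing@corp.test", "to": "ap@partner.test",
                        "content": "MZ...", "filetype": "exe"},
    "clean":           {"from": "hr@corp.test", "to": "ap@partner.test",
                        "content": "lunch?", "filetype": "txt"},
}

# Fingerprints: predicates over a session. Names are this example's, not Fidelis identifiers.
CARD_RE = re.compile(r"\b(?:\d{4}[ \-]?){3}\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
BUSINESS_SENDERS = {"billing@corp.test"}
BUSINESS_RECEIVERS = {"ap@partner.test"}


def credit_cards(s: dict) -> bool:       # content fingerprint
    return bool(CARD_RE.search(s["content"]))


def ssn(s: dict) -> bool:                # content fingerprint
    return bool(SSN_RE.search(s["content"]))


def executable(s: dict) -> bool:         # channel fingerprint (file format)
    return s["filetype"] == "exe"


def business_sender(s: dict) -> bool:    # location fingerprint
    return s["from"] in BUSINESS_SENDERS


def business_receiver(s: dict) -> bool:  # location fingerprint
    return s["to"] in BUSINESS_RECEIVERS


def approved_exchange(s: dict) -> bool:
    return business_sender(s) and business_receiver(s)


@dataclass
class Rule:
    name: str
    expr: Callable[[dict], bool]
    action: str = "alert"


def evaluate(policy: List[Rule], session: dict) -> List[str]:
    """Names of the rules a session violates. A matching whitelist rule exempts the
    session from every other rule in the policy, as the guide describes the action."""
    if any(r.expr(session) for r in policy if r.action == "whitelist"):
        return []
    return [r.name for r in policy if r.action != "whitelist" and r.expr(session)]


def run(policy: List[Rule]) -> Dict[str, List[str]]:
    return {sid: evaluate(policy, s) for sid, s in SESSIONS.items()}


# Version 1: the exception is written into the expression of each rule that needs it.
POLICY_INLINE = [
    Rule("Credit card leak", lambda s: credit_cards(s) and not approved_exchange(s)),
    Rule("SSN leak", lambda s: ssn(s) and not approved_exchange(s)),
    Rule("Executable transfer", executable),
]

# Version 2: one whitelist rule carries the exception for the whole policy.
POLICY_WHITELIST = [
    Rule("Credit card leak", credit_cards),
    Rule("SSN leak", ssn),
    Rule("Executable transfer", executable),
    Rule("Approved partner exchange", approved_exchange, action="whitelist"),
]


def disagreements() -> List[str]:
    """Sessions on which the two policies produce different results."""
    a, b = run(POLICY_INLINE), run(POLICY_WHITELIST)
    return [sid for sid in SESSIONS if a[sid] != b[sid]]


if __name__ == "__main__":
    for sid, names in run(POLICY_WHITELIST).items():
        print(f"{sid:18} {names}")
    print("policies disagree on:", disagreements())
```

The disagreement is the caveat to keep in mind: a whitelist rule exempts the session from every rule in the policy, including the Executable transfer rule that was never meant to carry the exception. If only some rules should share an exception, keep the others in a separate policy or write the exception into those expressions instead.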

Malware Exception
By default, all objects known to be malware vectors are sent to the Malware Detection Engine for
malware analysis. You may have a need to create exceptions based on the IP addresses or other
attributes involved in the transactions. In these cases, create a rule that uses the Malware
Exception action.
Malware Exception rules should only use Location and Channel fingerprints in the rule expression.
The rule operates by marking the entire session as one to bypass malware detection. Because all
objects are sent to MDE for analysis, this rule must fire before the MDE analysis begins.
Refer to the discussion about Timing Considerations in the Fidelis XPS Policy Overview.

Secondary Rule Actions
When a rule is violated, the Fidelis XPS sensor reacts by performing the primary action specified in
the rule. The following secondary actions may also be configured within the same rule.

Capture Forensics
After an alert is generated, the Fidelis XPS sensor continues to record the session until the
session completes or the maximum configured size is reached. The recorded session is sent to
CommandPost and stored with the alert. The maximum size is configured at the sensor.
Session capture can be disabled per rule. The typical use case for disabling forensics is when
storing sensitive or classified data on CommandPost would decommission it. Before disabling the
capture of forensics, you should understand the ramifications:

• Session capture is not available for any alert on the same session. Alerts for other rules
that leave forensics enabled will therefore also lack forensics.
Consider three rules, Rule 1, Rule 2, and Rule 3. Rule 1 fires first and generates an alert;
Rule 2 later generates another alert on the same session and disables forensics; and Rule
3 later generates an alert on the same session. All three alerts lack a recorded session
even though only one rule disabled forensics. Alerts for Rule 2 and Rule 3 include
no-forensics in the action. Rule 1, which fired first, lacks a recorded session but shows
no reason.

• PCAP will not be performed for any session marked for no-forensics.
• The Alert details page provides a clickable decoding path allowing you to retrieve all objects
from the path. If the session was not recorded, the decoding path will not be clickable.
By default, all rules enable Capture Forensics. The reasons to disable this capture are very rare.
Fidelis highly recommends that you enable forensics for every rule, unless you have a use case
that warrants the loss of forensic data (for example, capture of classified documents on
CommandPost would decommission CommandPost until the disk is wiped).

Capture Packets
Packets can be captured to a PCAP file. Capture Packets requires the Alert action; it has no effect
if the rule's action does not include Alert. The PCAP includes all packets from the client and/or
server for up to ten seconds before and after the session that caused the alert. If "client and
server" is selected, only packets between the client and server are recorded.
PCAP files can be quite large. Excessive use may impact how quickly alert data fills the
CommandPost disk and may impact your alert retention.
Note that metadata for all network activity is recorded if you have Fidelis XPS
Collector.

Email Handling
Fidelis XPS Mail can take specific actions on email messages based on the rule.

• Notify Sender: Define the body of an email message to deliver to the sender of the violating
email.
• Append Message: Append a message to the body of an email before forwarding it.
• X-header: Append an X-header to the header of the email before forwarding it.
• Enable Quarantine User Self-Management: Enable users to manage their quarantined email.
If these actions are detected in a rule by any other sensor type, they are ignored.
Refer to chapter 5 in the User Guide.

Understanding the Decoding Tree


Fidelis XPS sensors are presented with network traffic in the form of packets (Fidelis XPS Direct
and Internal sensors), email messages (Fidelis XPS Mail sensors), or data within ICAP (Fidelis
XPS Web sensors). The sensor will reconstruct this data into a user session, which may represent
a TCP or UDP data session, multiple related TCP sessions, an email message, or proxied network
data. This reconstructed session is decoded to identify the application protocol, the application, and

Fidelis XPS Guide to Creating Policies 8


all content. At each step of the decoding process, all applicable attributes of the application
protocol, the application, and the file are extracted. Refer to the protocol and file format decoder
attributes for details of all extracted attributes.
The extracted attributes provide context to the content that is extracted from the data. These
attributes are collectively referred to as metadata. Together, the metadata and content can be used
to craft policies to detect and manage network threats. The metadata for every network session is
sent from a Fidelis XPS sensor to a Fidelis XPS Collector where it can be retrospectively analyzed.
The diagram below provides an example user session as it proceeds through the decoding
process. We refer to this as the Decoding Tree.

Figure 1. Sample Decoding Tree

This example depicts a web-based email that includes two mime-formatted data sources: the
HTML encoded email body and a ZIP file. The Fidelis XPS decoding process will:

• Determine the application protocol. In this case, HTTP shown in the blue box. The decoder
will extract all relevant metadata from the HTTP header, including URL, User Agent, and
Referrer. Refer to the Protocol Decoder Attributes and Values table for a description of all
application protocols and the extracted metadata.
• Determine the application, if applicable. In this example, the application is webmail shown in
the dark blue box. The decoder will identify the webmail as Gmail, Yahoo, or any other
source. Relevant metadata includes To, From, Subject, and a mode value to indicate if the
email is being sent or read. The table at Protocol Decoder Attributes and Values includes a
description of all applications and extracted metadata.
• Extract all data and iteratively decode all content encoding as far as possible. The green
boxes show examples of data formats including Mime, HTML, Zip, PDF, and JavaScript.
Refer to the Format Decoder Attributes and Values table for a description of all data formats
and extracted metadata.
• This example shows how a single user action of reading or sending an email message can
result in many data transactions. In this case, there are four data transactions, as shown in
orange boxes. These boxes are the result of all decoding, resulting in text or binary data.
We refer to the orange boxes as the leaves on the decoding tree.
• The decoding path refers to the path from the application protocol to a single leaf of the
tree. In this example, there are four decoding paths.
• Policies can be written to create an alert for any element in any of the decoding paths. The
alert will contain information about the decoding path and all attributes extracted by each
decoder along the path. Every rule within every policy assigned to a sensor may generate
one alert for each decoding path.
Refer to chapter 4 in the User Guide.
• A Fidelis XPS Collector will receive information about each data transaction and all
metadata extracted from each decoder within each decoding path. The example will result
in four transactions within the Collector data. When viewed in the Metadata details, all
transactions will be displayed as a single network session.
• Any rule violation detected by a sensor will result in the rule name placed as the tag value
within the metadata.
Refer to chapter 7 in the User Guide.

Context and Content


The policy writer can use the information in the decoding path and all extracted attributes to provide
context for informed decisions about the content within a data transaction. The policy writer should
understand the Decoding Tree concept, how individual fingerprints operate within the tree, and the
impact of timing on the analysis. Refer to The Impact of Time.

• Location fingerprints refer to the sender and recipient of a data transaction. Location may
be described as an IP Address, an Active Directory or LDAP user definition, an email
address, a country of origin, a flagged host, or a reputation feed entry. Refer to Locations
for details about location fingerprints.
• In the case of an IP Address, the location is determined before the decoding process
begins. For other types of location fingerprints, the location may not be determined until
after the protocol is known.
• Most content fingerprints operate only on the leaves of the tree (the orange boxes in the
decoding tree illustration). Some fingerprints operate on text-based data, others on binary
data. The threshold value within a fingerprint can be used to determine when enough data
has been analyzed to determine a result. Refer to Content for details about content
fingerprints.
Protocol Signature, Binary Profile and YARA fingerprints are the exceptions and apply to
elements in the decoding tree that are not leaves of the tree.

• Protocol Signature fingerprints can be applied to the protocol (blue box) and
application (dark blue box) layers of the tree. Protocol Signature can be used to
identify and react to protocols that are unknown to Fidelis. It may also be used to
define an unknown protocol based on a regular expression in the network byte
sequence.
• Binary Profile and YARA fingerprints are applied to every layer in the tree. Use of
these fingerprints can lead to severe performance problems if you do not specify which
elements should be analyzed. In many cases, a Channel fingerprint can be used to
examine the attributes extracted by the decoding process instead of creating Binary
Profile or YARA fingerprints to do the same work.
• Channel fingerprints operate against the attributes extracted by the decoders as well as
attributes about the session, including session length, duration, and time of day. Refer to
Channels for details on Channel fingerprints.
The policy writer may create rules that logically combine location, channel, and content fingerprints.
The logic applied to the rule expression may be used to whitelist or blacklist certain events from
analysis. One common form of whitelisting is to use AND NOT logic within an expression. Another
is to create a rule with the Whitelist action. Refer to information about Whitelist in Secondary Rule
Actions.
For example, consider a rule to detect credit card transfers except when the source and destination
are legitimate business needs. A rule may state:
Credit_cards AND NOT (business_sender AND business_receiver)
This expression would rely on a content fingerprint (Credit_cards) and two definitions of legitimate
senders and receivers of credit card data (business_sender and business_receiver). The rule
would fire only when the transaction did not involve legitimate business transfers.

Parallel Processing
The rule expression is a logical combination of fingerprints. However, the order of the rule
expression has no impact on the processing of the fingerprints. All fingerprints of all rules on the
Fidelis XPS sensor are executed in parallel. Consider the example rule:
Credit_cards AND NOT (business_sender AND business_receiver)
This rule contains three fingerprints:

• credit_cards is an example of an Identity Profile content fingerprint. This will match against
credit card numbers detected within any data.
• business_sender and business_receiver could be location or channel fingerprints to identify
a user, URL, server, or other such entity.
The purpose of this rule would be to detect credit card transfers that do not include approved
business senders and receivers of such information.
The rule would be applied to each leaf node of the decoding tree (the orange boxes in Figure 1).
The content fingerprint would analyze the data extracted by the decoding path that led to the leaf.
The channel and location fingerprints would analyze the attributes extracted by every decoder
within the decoding path. This analysis occurs in parallel, with the true/false results applied to the
rule logic to determine the outcome of the rule.
The rule would be applied to every leaf node in parallel as well, subject to the timing aspects
described in The Impact of Time. Each leaf node may violate the rule and would generate a
separate alert.

The Impact of Time


Timing is critical in understanding the decoding tree. The example provided in the Sample
Decoding Tree figure depicts the end of the decoding process after all packets for the session have
been received. However, decoding is performed many times over the lifetime of a session.
Consider the decoding process of the example session after one packet is received by the sensor.
At one packet, the sensor may be able to determine the application, but little else. Consider the
decoding process again after four packets, or ten packets, or twenty. At four packets, the sensor
may determine the application and may have seen the first mime data; at ten it may have seen the
full HTML text, but not the full Zip file; at twenty, it may have seen the PDF file, but not the EXE file.
As new data arrives, decoding is performed based on the data received. The conclusion at one,
four, ten, and twenty packets may lead to different results. Rules will take action immediately upon
detection of a violation. If the rule action states prevention, and analysis has shown a violation at
the fourth packet, prevention begins on the fifth packet. Rules that might detect a violation in
packets 5 and beyond will never have the chance because the session is already marked for
prevention.
When a rule violation is detected, the rule action is triggered immediately. The alert will contain all
of the information about the session known at the time of the alert. If analysis reveals a violation at
the fourth packet, the data in the alert will be limited to those four packets that were used to make
the determination. Unless prevention (or No Forensics) is signaled by some other rule on this
session, the Fidelis XPS sensor will continue to record the session to its conclusion (or until the
configured maximum recording size of the sensor is reached) and will later add the recorded
session to the alert data.
Refer to chapter 4 in the User Guide.

Fidelis XPS Mail is the exception with regard to timing. The Fidelis XPS Mail sensor is the only
sensor that will receive all data before performing any analysis. The Fidelis XPS Mail sensor will
generate one response to an email message. All other sensor types may generate one response
per rule per data transaction.
Consider the example rule:
Credit_cards AND NOT (business_sender AND business_receiver)
Timing also plays a critical role in determining how this rule will be evaluated.

• Location and channel fingerprints will not evaluate to TRUE until the required attribute has
been determined by the Fidelis XPS sensor.
An IP Address will be set very early in the decoding process, however other attributes may
not. For example:

• A rule based on URL will not fire until the URL has been determined. If the transaction
did not occur on HTTP, then no URL attribute will be available and the rule will not fire
until the session is complete. This rule will never fire early enough to allow prevention.
To allow for prevention in this example, you can use rule logic to define your
exemption properly. Consider that business_receiver was defined by a certain URL in
the example above. You can create a channel fingerprint that simply looks for the
protocol HTTP and modify the rule to be:

Credit_cards AND NOT (business_sender AND (business_receiver AND HTTP))

This modified example would not fire until a URL was determined, or when the protocol
was determined to be anything other than HTTP. Prevention is now possible.

• The example above about URL and HTTP can be extended to all attributes used by
channel fingerprints. Refer to Protocol Decoder Attributes and Values and Format
Decoder Attributes and Values. If your rule depends on an attribute from a specific
protocol or format decoder, you may want to add logic to the expression if prevention
is the desired outcome.
• Content fingerprints always default to FALSE until enough data is found to determine a TRUE
outcome. The value of enough is determined by the threshold value placed in the
fingerprint. Refer to Content for details on every content decoder and the impact of
threshold.
The default behavior can be changed by selecting Delayed Analysis. When this option is selected,
a value of FALSE cannot be determined until the session is complete. This option will disable
prevention.
Consider an example where the goal is to detect the transfer of social security numbers. However,
your business uses nine-digit numbers for part numbers, which can be easily mistaken for social
security numbers. To remove the part numbers from detection, we can create a content fingerprint
based on keywords or regular expressions that define the file as part numbers rather than social
security numbers. You would create a rule expression for this case as:
Social_security_numbers AND NOT part_number_keywords
The Fidelis XPS sensor is asked to determine that the part number keywords do not exist. This
cannot be determined until the entire file has been seen. Therefore, prevention is not possible.
Perhaps those keywords always appear at the start of the file. Perhaps it is then possible to state
that social security numbers detected, when part number keywords have not already been
detected, are truly files that must be prevented. In this case it may be possible to not set Delayed
Analysis on the part_number_keywords fingerprint and still achieve prevention. The decision of
content fingerprint delay is left to the policy writer, after considering all data required within the
environment as well as the next bullet.

• When reading a file, it is important to understand that what you see is not how the data is
stored within the file. As packets cross the network, the Fidelis XPS sensor works with the
data received and attempts to reconstruct the file as best as possible. However,
assumptions based on the order of data within a file or the proximity of data within a file
may often be incorrect. Consider the examples below. Note that every file format is different
and these generalizations may or may not apply.
• Headers and footers are typically stored only once within the file. Usually toward the
end of the file. Assumptions about text following a header are typically invalid.
• Data within a table may not be stored near the text surrounding the table within the file.
• Spreadsheets commonly store all values of a column before all values of the next
column.
• There are many tools available to create files. The client software used to create a file
may generate internal storage of a file very differently from another client that
produces the same file format.
When creating content fingerprints, it is rare when the order within a file needs to be considered. If
order appears to matter, thorough testing is recommended.
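As an added illustration (not code from Fidelis or from this guide), the following Python model evaluates the example expressions above under three-valued logic, where at a given packet a fingerprint is TRUE, FALSE, or still undetermined. The fingerprint names are the ones used in the expressions above; the packet timelines, the session lengths, and the exact rules for when a location, channel, or content fingerprint becomes determined are assumptions chosen to mirror the description, not the sensor's real implementation.

```python
from enum import Enum


class TV(Enum):
    """Three-valued result: a fingerprint can be undetermined (U) mid-session."""
    T = "TRUE"
    F = "FALSE"
    U = "UNKNOWN"


def t_not(a):
    return {TV.T: TV.F, TV.F: TV.T, TV.U: TV.U}[a]


def t_and(a, b):
    # A single definite FALSE decides the AND even if the other side is still unknown.
    if a is TV.F or b is TV.F:
        return TV.F
    return TV.T if (a is TV.T and b is TV.T) else TV.U


def evaluate(expr, values):
    """expr is a fingerprint name, ('not', x) or ('and', x, y); values maps names to TV."""
    if isinstance(expr, str):
        return values[expr]
    if expr[0] == "not":
        return t_not(evaluate(expr[1], values))
    return t_and(evaluate(expr[1], values), evaluate(expr[2], values))


class Fingerprint:
    """Assumed model of how a fingerprint's value evolves as packets arrive.

    kind: 'attribute' (location/channel) or 'content'.
    determined_at: packet index at which the sensor knows the result (None = never).
    delayed: content fingerprint with Delayed Analysis, so FALSE only at session end.
    """

    def __init__(self, kind, determined_at=None, result=TV.F, delayed=False):
        self.kind, self.determined_at = kind, determined_at
        self.result, self.delayed = result, delayed

    def value_at(self, packet, session_len):
        if self.determined_at is not None and packet >= self.determined_at:
            return self.result
        if self.kind == "content" and not self.delayed:
            return TV.F  # content defaults to FALSE until the threshold is reached
        # attributes (and delayed content): unknown until seen, FALSE once the session ends
        return TV.F if packet >= session_len else TV.U


def first_fire(expr, fps, session_len):
    """Earliest packet at which the rule is TRUE, or None. Prevention needs fire < session_len."""
    for packet in range(1, session_len + 1):
        values = {name: fp.value_at(packet, session_len) for name, fp in fps.items()}
        if evaluate(expr, values) is TV.T:
            return packet
    return None


def url_exemption_example():
    """Constructed 20-packet FTP session: sender IP matched at packet 1, protocol known
    (not HTTP) at packet 1, credit-card threshold reached at packet 4, URL never seen."""
    session_len = 20
    fps = {
        "Credit_cards": Fingerprint("content", determined_at=4, result=TV.T),
        "business_sender": Fingerprint("attribute", determined_at=1, result=TV.T),
        "business_receiver": Fingerprint("attribute"),  # URL-based, never resolves on FTP
        "HTTP": Fingerprint("attribute", determined_at=1, result=TV.F),
    }
    original = ("and", "Credit_cards",
                ("not", ("and", "business_sender", "business_receiver")))
    modified = ("and", "Credit_cards",
                ("not", ("and", "business_sender", ("and", "business_receiver", "HTTP"))))
    return first_fire(original, fps, session_len), first_fire(modified, fps, session_len)


def delayed_analysis_example(delayed, keywords_at=7):
    """Constructed 10-packet file transfer: SSN-looking numbers hit the threshold at packet 3;
    part-number keywords (if present at all) are only seen at packet keywords_at."""
    session_len = 10
    fps = {
        "Social_security_numbers": Fingerprint("content", determined_at=3, result=TV.T),
        "part_number_keywords": Fingerprint("content", determined_at=keywords_at,
                                            result=TV.T, delayed=delayed),
    }
    expr = ("and", "Social_security_numbers", ("not", "part_number_keywords"))
    return first_fire(expr, fps, session_len)


if __name__ == "__main__":
    print("URL exemption (original, modified):", url_exemption_example())
    print("part-number file, keywords not delayed:", delayed_analysis_example(False))
    print("part-number file, keywords delayed:", delayed_analysis_example(True))
    print("genuine SSN file, keywords delayed:", delayed_analysis_example(True, keywords_at=None))
```

Running it shows the original credit-card rule firing only when the 20-packet FTP session ends, while the rewritten rule fires at packet 4, early enough for prevention. For the part-number case, a non-delayed keyword fingerprint lets the rule fire at packet 3 before the keywords at packet 7 have been seen, whereas Delayed Analysis suppresses that false positive at the cost of never firing before the session ends.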

Sliding Windows
The decoding tree in the Decoding Tree illustration presents an example where the entire session
is examined at once. For many network transmissions, the Fidelis XPS sensor will take a sliding
window approach to the analysis. For example, consider a long running chat session or a download
of an email inbox that contains many messages. During these example sessions, many messages
are exchanged between the user and the server.
The sliding window will concentrate on one message or a group of messages. Analysis will be
performed, metadata will be stored, and the data will be dropped if there was no violation. The data
analysis will continue with the next chunk of data. This process allows the Fidelis XPS sensor to
optimize the analysis by concentrating on smaller chunks of data when possible. Each window will
be 32MB of decoded data or less.
The decision to slide the window is performed by the protocol decoder. The window is determined
by a valid break in the data, for example after a complete chat or email message.
The only evidence of a sliding window will be in the recorded session of an alert. When an alert is
generated based on the second window (or later), the data from the first window will not appear in
the recorded session data. All windows after the alert will be available.
Cross-Session Analysis
Fidelis offers two methods to identify activity that spans multiple sessions. On a sensor, sessions
can be correlated by using flagged hosts, which relies on internal IP Addresses. The second
method is Collector Analytics, which can be applied to all metadata stored in Fidelis XPS Collector.

Flagged Host
The Fidelis XPS sensor will apply policies to the nodes of the decoding tree, as described in the
sections above. The outcome is a rule violation as determined by the content of the leaf, the
decoding path that led to the leaf, and the attributes extracted during the decoding process. The
process is a highly optimized, parallel analysis of a data transaction so that prevention is a possible
outcome.
Fidelis policies cannot be applied over multiple sessions, unless the Flagged Host rule action is
used. Refer to Flagged Host for details. Consider the following sequence of events.

• A network user reads their webmail and downloads a message with many links inside the
content. This action violates a rule that looks for possible phishing attacks. The rule
generates an alert and flags the host, which marks the IP Address for use in other rules.
• The user visits a suspicious URL. This event violates a rule that combines the detection of a
suspicious URL with the flagged host and generates an alert. The rule uses a flagged host
fingerprint so that this event would have not triggered an alert had the IP address not been
flagged by the prior activity.
• Flagged host works on the identification of a host IP Address. The usefulness of this
approach may depend on the length of DHCP IP Address lease used within your
environment.
• Flagged Host provides a limited method for identification of one event that may be more
interesting as later events occur. Collector Analytics provide a method for full identification
of network behaviors that span many sessions over time.

Collector Analytics
There are many forms of cross-session analysis that cannot be achieved by Fidelis rules. Collector
Analytics can be used to detect network behavior over time.
Refer to chapter 7 in the User Guide.
Collector Analytics comes in two forms:

• Event Rule refers to a network event that occurs repeatedly. For example, consider a user
who accesses secure data. This single event may not be an actionable event, especially
when the user is authorized to access the secure data. However, if the same user accesses
secure data more than twenty times in a day, then an action may be necessary. Event Rate
analysis of Collector data can be used for this purpose.
• Sequence refers to a series of events that occur over time. Any single event in the
sequence may not be actionable, but recognition of the sequence may require action.
One example would be a phishing attack campaign. If the sequence depends on the
identification of an IP Address, then use of the flagged host rule action may be an
alternative to consider, however, sequence is not limited to the identification of a host IP
address. You may define multiple events that are based on a user name, a protocol, or any
other attribute available within the Collector metadata.
Sequence may also refer to content available in different leaves of the decoding tree. To
use sequence in this manner, you may need to use the Tag Metadata rule action to tag
data without generating an alert. The tags can be applied to Collector Analytics to
generate an alert only when a proper sequence of tags is found.
Refer to chapter 7 in the User Guide.
In either form, the outcome of analytics may be analytic results or alerts. Analytic results
are available for human consumption on a periodic basis. An alert generation is a way to
place the results of analytics into your analyst workflow for action.
Refer to chapter 7 in the User Guide.
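The two forms of cross-session analysis just described (a repeated event exceeding a daily rate, and an ordered sequence of tagged events on one host) can be illustrated with plain detection logic over Collector-style metadata. This is an added example, not Collector Analytics configuration or Fidelis code: the record layout (timestamp, user, source IP, and a tag set by a rule), the tag names, the users and addresses, and the 20-per-day threshold from the text are all constructed for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def rec(ts, user, src_ip, tag):
    """One constructed Collector-style metadata record (not real Fidelis output)."""
    return {"ts": ts, "user": user, "src_ip": src_ip, "tag": tag}


def make_records():
    """Constructed sample: one day of tagged transactions for a handful of users and hosts."""
    base = datetime(2015, 3, 2, 9, 0)
    recs = []
    # alice reaches tagged secure data 25 times in one day (authorized, but unusually often)
    recs += [rec(base + timedelta(minutes=i), "alice", "10.1.1.5", "secure_data_access")
             for i in range(25)]
    # bob reaches it 3 times, which is ordinary
    recs += [rec(base + timedelta(hours=i), "bob", "10.1.1.6", "secure_data_access")
             for i in range(3)]
    # host 10.1.1.9: a mail tagged for phishing links, then a suspicious URL 40 minutes later
    recs.append(rec(base, "carol", "10.1.1.9", "phishing_links"))
    recs.append(rec(base + timedelta(minutes=40), "carol", "10.1.1.9", "suspicious_url"))
    # host 10.1.1.6: a suspicious URL with no preceding phishing event (not a sequence)
    recs.append(rec(base + timedelta(hours=5), "bob", "10.1.1.6", "suspicious_url"))
    return recs


def event_rate(records, tag, key="user", threshold=20):
    """Event Rate form: entities whose count of `tag` events exceeds `threshold` in one
    calendar day. Returns {(entity, 'YYYY-MM-DD'): count} for each exceeding entity/day."""
    counts = Counter()
    for r in records:
        if r["tag"] == tag:
            counts[(r[key], r["ts"].date().isoformat())] += 1
    return {k: n for k, n in counts.items() if n > threshold}


def find_sequences(records, sequence, key="src_ip", window=timedelta(hours=24)):
    """Sequence form: per entity, look for the tags in `sequence` in time order, all within
    `window` of the first tag. Returns [(entity, first_ts, last_ts), ...]."""
    by_entity = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_entity[r[key]].append(r)
    hits = []
    for entity, recs in by_entity.items():
        for start in (r for r in recs if r["tag"] == sequence[0]):
            idx = 1
            for r in recs:
                if r is start or r["ts"] < start["ts"] or r["ts"] - start["ts"] > window:
                    continue
                if r["tag"] == sequence[idx]:
                    idx += 1
                    if idx == len(sequence):
                        hits.append((entity, start["ts"], r["ts"]))
                        break
    return hits


if __name__ == "__main__":
    data = make_records()
    print("event rate:", event_rate(data, "secure_data_access"))
    print("sequences:", find_sequences(data, ("phishing_links", "suspicious_url")))
```

The sequence detector keys on the source IP, which is the same limitation the text notes for Flagged Host: if DHCP leases are short, a host key should be replaced with a user name or another attribute available in the metadata, which is what the `key` parameter allows.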

Understanding the Malware Detection Engine
The Malware Detection Engine (MDE) uses technology on the sensor and the cloud to determine
whether an object or network communication is malicious. MDE operates based on information
provided from the Fidelis Insight server based on Fidelis threat research and frequent updates are
required.
To understand the operation of MDE, consider the example provided in Decoding Tree illustration.
Specifically, consider the Zip file that contains an executable and a PDF, which includes
JavaScript. The process of malware detection includes:

• Apply real time analysis to the decoded ZIP, executable, PDF and embedded Javascript to
detect malware. The result is an alert where the Rule and Policy names are set to Malware
Detection Engine.
• In case real time analysis doesn’t yield a match, accumulate the entire object. In this case,
a Zip file. No action can be taken until the entire file has been received. Unlike fingerprint
matches, object-analysis in the MDE cannot work on partial files. There is one exception to
this rule, which is described below in the section on Prevention.
• After receiving the file, perform numerous static and dynamic analysis techniques on the file
within the sensor. The majority of malware is detected using this technique. The result is an
alert where the Rule and Policy names are set to Malware Detection Engine.
• If the file has not yet been determined to be malware, several other checks are performed
that use a combination of Fidelis Insight intelligence, feeds, and decoding path information.
The result may be a file determined to be malicious or highly suspicious. Malicious files will
result in a Malware Detection Engine alert.
• Highly suspicious files are sent to CommandPost if Execution Forensics is enabled for
determination. The files are sent to the Fidelis Insight server for execution within a sandbox.
If sandbox execution determines the file to be malicious an alert is generated, otherwise this
file is discarded and no alert is created.
• Any file that triggers a Malware Detection Engine alert will be sent to the Fidelis Insight
server for sandbox execution if Execution Forensics is enabled. The result of this execution
is available on the alert details page in the Execution Forensics section.
• Whenever a Malware Detection Engine alert is triggered, the host IP address will be
flagged. You can create a location fingerprint to identify hosts that have been flagged for
malware which can be combined with other fingerprints to create effective custom policies.
• If Host Activity is enabled, your endpoint server will be queried for information about the
malicious file. This information will be available in the alert details page in the Host Activity
section. The data available varies based on the capability of the endpoint provider.
• If Carbon Black is installed on your endpoints, it will respond with execution forensics
of the file after it was detonated on the endpoint. When CommandPost receives this
information it will also set the Host Activity flag on the Alerts List page so you may
quickly identify malware that reached the host and was executed.
• If Bit9 is installed on your endpoints, the alert details page will include a link into the
Bit9 console. This link will provide all details about the malicious file detected by Fidelis
XPS within the Bit9 system.
MDE is highly configurable. Refer to chapter 14 in the User Guide.
Examples of configuration include:

• You may choose the file formats that can be submitted to the Fidelis Insight server
for sandbox execution. By default, all file types supported by the sandbox are
submitted automatically. If you disable certain file types, you may manually submit files
from malware alerts by using the Submit button on the Alert Details page. File types
that are unselected will not be sent to the sandbox for determination.
• You may configure the sensor reaction to malware detection. By default, alerts are
generated and submitted to the default alert management group. You may change
these settings for each of the four severity values of the detected malware. Fidelis XPS
Direct and Internal sensors can be changed to Alert and Prevent. Fidelis XPS Mail
sensors offer the ability to quarantine, prevent, reroute, remove attachments, append a
message, and append an X-header. Refer to Primary Actions and Secondary Actions
in Rules for details about reactions.
• Malware prevention of Direct and Internal sensors is limited. Text-based files (such as
JavaScript) cannot be limited. The first receipt of a binary file cannot be prevented
since determination requires the entire file. However, known malware samples can be
marked in a proprietary manner for identification and prevention of subsequent
transfers.
• You can disable MDE.
• You can disable Automatic Malware Policy. In this mode, MDE is functional, but will
only operate based on custom rules that use the MDE Filtered rule action.
• You may identify traffic to omit from MDE analysis. This is done by creating a rule with
the malware exception action, assigning it to any policy, and assigning this policy to
your sensor. Refer to MDE.

Alert Processing
The Fidelis XPS sensor processes network traffic as described in Understanding the Decoding
Tree and then does the following:

• If there is a rule violation, take action immediately upon detection.
• Store quarantined email locally on the Mail sensor.
• Send session metadata to a Collector.
• Record the session and send it to CommandPost when complete. If the rule contained the
record packets action, a PCAP file is also sent to CommandPost.
If there is no alert, no metadata for the Collector, and no email to quarantine, then nothing is stored.
Alert data and metadata are stored on the sensor disk until it is successfully transported to
CommandPost or Fidelis XPS Collector. If communication to CommandPost or Fidelis XPS
Collector is unavailable, the sensor can hold the data for a short time and will transmit when the
connection is restored. If communication is not restored, the sensor will remove the oldest alerts
and metadata to make space for new data.

Understanding Fidelis XPS Mail Processing
Fidelis XPS Mail is the only sensor that will accumulate an entire email message and analyze the
full message at once. All other sensor types receive streaming data and recursively analyze data
as new information arrives. All other sensors will take one action for each rule that is violated on a
session. Therefore, one user action may result in several alerts of different severity.
Fidelis XPS Mail may encounter multiple rule violations on a single email, but will take one action
for the email. The action of every rule is analyzed and a priority is given to the selection of the
single action applied to the email.

• Prevent has the highest priority. Fidelis XPS Mail implements prevention by not accepting
the email from the upstream MTA. The user who sent the email will receive an
undeliverable email message.
• Quarantine has second priority. Any email that violates one or more rules with the
Quarantine action will be quarantined (unless it also violates one or more rules with the
Prevent action).
• Reroute has third priority. If other actions such as Quarantine or Prevent are detected, they
are taken instead.
• Remove Attachments has fourth priority. If other actions are detected, they are taken
instead.
This priority applies to actions configured for malware and for email actions of rules specified on a
Secondary Policy Manager CommandPost. Refer to chapter 14 in the User Guide.
If multiple rules fire on the same email message, the highest priority action is taken regardless of
the CommandPost from which the rule originated.
In addition, Email Handling actions may be altered when multiple rules or malware is detected in
the same email message.

• Notify Sender: the sender will be notified only if every violated rule specifies the notification
action. The message from each rule will be appended into a single notification. If at least
one rule is configured to not notify the sender, then the sender will not be notified. Note that
sender notification is not an option for malware detected in an email. Therefore, notifications
will never be sent to the malware sender.
• Append Message: The message from each violated rule or malware will be added to the
email body. If the email has violated multiple rules or contains malware of multiple severities
and each has an append message, all the append messages are appended in single email.
• X-Header: The X-header for each violated rule or malware will be inserted into the email
header. If the email has violated multiple rules or contains malware of multiple severities,
and each has an X-header, all X-headers will be inserted.
• Quarantine Self-Management: This feature will be enabled for the quarantined email only
when each violated rule specifies this action. Quarantine Self-Management is not available
for malware violations.
• Quarantine Expiration Action: Select either discard or deliver. When a quarantined email
reaches its expiration date (14 days), it is either discarded or delivered to the intended
recipient. Discard is the higher priority and will be taken unless at least one violated rule
specifies deliver.
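The priority and combination behaviour described above, as an added worked example in Python. This is not Fidelis XPS code; the rule names, append messages and X-header values are constructed sample data, and the decision that Quarantine Self-Management only matters when the resulting action is Quarantine is an assumption drawn from the text.

```python
"""Resolve the email-handling outcome when several rules (and malware of
several severities) fire on one email, following the priority and
combination behaviour described in the text above.

Added illustration; not Fidelis XPS code. Rule names, messages and
X-header values are constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional

# Email actions in decreasing order of priority: Prevent beats Quarantine,
# which beats Reroute, which beats Remove Attachments.
ACTION_PRIORITY = ["Prevent", "Quarantine", "Reroute", "Remove Attachments"]


@dataclass
class Detection:
    """One violated rule, or one malware detection, on the same email."""
    name: str
    action: Optional[str] = None           # an ACTION_PRIORITY entry, or None (alert only)
    notify_sender: bool = False
    append_message: Optional[str] = None
    x_header: Optional[str] = None
    quarantine_self_management: bool = False
    expiration_action: str = "discard"     # "discard" or "deliver"
    is_malware: bool = False               # malware never notifies the sender


@dataclass
class Outcome:
    action: Optional[str]
    notify_sender: bool
    append_messages: List[str]
    x_headers: List[str]
    quarantine_self_management: bool
    expiration_action: str


def resolve(detections: List[Detection]) -> Outcome:
    """Combine every detection on one email into the single handling outcome."""
    if not detections:
        raise ValueError("at least one detection is required")
    # The highest-priority action wins regardless of which rule (or which
    # CommandPost) it came from.
    action = next((a for a in ACTION_PRIORITY
                   if any(d.action == a for d in detections)), None)
    # Sender notification requires every detection to ask for it; malware
    # detections can never ask, so any malware hit suppresses notification.
    notify = all(d.notify_sender and not d.is_malware for d in detections)
    # Append messages and X-headers accumulate: one per detection that has one.
    appended = [d.append_message for d in detections if d.append_message]
    headers = [d.x_header for d in detections if d.x_header]
    # Self-management applies to quarantined mail only (assumption), and only
    # when every detection specifies it; malware detections cannot.
    self_mgmt = action == "Quarantine" and all(
        d.quarantine_self_management and not d.is_malware for d in detections)
    # Discard is the default on expiry; a single "deliver" overrides it.
    expiration = ("deliver" if any(d.expiration_action == "deliver"
                                   for d in detections) else "discard")
    return Outcome(action, notify, appended, headers, self_mgmt, expiration)


if __name__ == "__main__":
    pci = Detection("PCI rule", action="Quarantine", notify_sender=True,
                    append_message="Card data detected.",
                    x_header="X-Sample-PCI: hit", quarantine_self_management=True)
    malware = Detection("Malware (high)", action="Prevent", is_malware=True,
                        x_header="X-Sample-Malware: high")
    print(resolve([pci]))            # quarantined, sender notified
    print(resolve([pci, malware]))   # prevented, sender not notified
```

Running the module prints the two outcomes: a quarantine with notification when only the PCI rule fires, and a Prevent with no notification and no self-management once a malware detection is added to the same message.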

Fidelis XPS Guide to Creating Policies 17


Chapter 1 Getting Started with Policies
Fidelis XPS™ detects and prevents advanced cyber threats and network abuse in real time.
Refer to the Overview chapter in the User Guide.
Fidelis XPS accomplishes this through the use of policies.
A policy is a set of rules that guide business practices within an enterprise. Some examples include
discovering the download of malware, preventing targeted attacks, and preventing transmission of
sensitive information. Some items to remember:

• Policies are comprised of one or more rules.

• Rules are a logical combination of one or more fingerprints.

• Fingerprints describe either the content within a transmission, the communication channel of
the transmission, the sender, or the receiver of the transmission.
The following illustrates basic elements that a rule can contain:
Generate ACTION if CONTENT is detected over CHANNEL coming from (or to) LOCATION
ACTION is the result that occurs if a rule is violated. You can choose one of many actions
including: alert¹, prevent, throttle, quarantine, and reroute. CONTENT, CHANNEL, and LOCATION
are fingerprint definitions.
The Fidelis Threat Research Team regularly delivers updates to the policies through the Insight
Threat Intelligence Feed. For customers that are not connected to Insight, it also publishes policy
packs that contain policies, rules, and fingerprints that you can download from the Fidelis customer
support site.
Each policy pack published by the team is accompanied by documentation that describes how to
best use the policies in your environment.
At a high level, the policy creation process is as follows:

1. Create fingerprints to describe the following:

• The sender or receiver, which can be described as a single IP address, or more commonly,
as a group of addresses representing a location.

• Communication channels that include the network protocol and attributes of the transmission.

• The content within a transmission. Content refers to the unformatted text within a file, an email
message, an Instant Messenger chat session, an upload to a web site, among other
examples.

2. Create rules using one or more fingerprints in a logical expression.

3. Create a policy that includes one or more rules.

4. Assign the policy to one or more sensors.


5. Update sensors to apply the new policy assignments.
The Policy Wizard is available to guide you through the necessary steps to create policies, assign
them to sensors, and update the sensors. Refer to Policy Wizard.
When a rule is violated, a Fidelis XPS sensor notices the violation and performs an action in
response. Before you can write policies, rules, and fingerprints you need to understand how Fidelis
XPS operates.

¹ An alert is the recorded and displayed incidence of at least one event.


Fidelis Threat Research Team Policies, Rules, and
Fingerprints
The detection of incoming threat activity within the Enterprise is the focus of the Fidelis Threat
Research team. Because the threat landscape rapidly changes, the threat team regularly delivers
updates to policies through the Insight service.

Policy Tracking
All policies, rules, fingerprints, and fingerprint macro pages have Created and Last Modified dates
and information. These dates and the user information in the Created and Last Modified sections
are assigned by Fidelis XPS and cannot be changed directly. Custom policies (and their elements such
as rules, fingerprints, and fingerprint macros) created before you update to Fidelis XPS 6.5 will
have N/A in the Created and Last Modified sections. Once modified, user and date information will
display. New custom policies and policy elements created after update to 6.5 will display Created
information.
Import does not affect policies created by Fidelis XPS but can affect dates and user information for
all other policies and their elements. Refer to Import.

Naming Policies and Policy Components


Names of policies and all policy components must be comprised of ASCII characters.

You can rename custom policies, rules, and fingerprint macros even if they are in use. If a
component is in use, the new name will be in effect for all components. Renaming one version will
rename all versions of a component.

You cannot rename Fidelis or modified Fidelis policies, rules, fingerprint macros, or
fingerprints.
Fingerprints must also be unused to be renamed. Renaming one version of a custom fingerprint will
rename all versions of it.

Policy Versions
All policies and their components (rules, fingerprints, and macros) can have multiple versions. The
most recent version of each component is used by the policy engine. Specifically, rules include the
most recent version of fingerprints and macros, macros include the most recent version of
fingerprints, policies include the most recent version of rules, and assignments use the most recent
version of policies.

• Version 0 represents the most recent download of the Fidelis Policy feed. When a new
version of the component is downloaded from the feed server, version 0 will be overwritten
by the new version of the policy component and the old version will be moved to the backup
copy. To enable the Fidelis Policy feed, refer to Policy Feed.
• Version bak represents the backup copy from the Fidelis Policy Feed. When components
change, the system will store the most recent version (as version 0) and a backup copy
(labeled bak).
• NA displays if any component is created before version 6.5.
The version appears in a blue box at the end of the component name. Each save of a
policy, rules, fingerprint, or macro will increase the version number.


Hide Versions
The link indicates the current view of the policy, rule, fingerprint, and macro list
pages. The default is to hide versions.
When versions are hidden, the policy component name displays with the total number of
versions:
If only one version is available, then no version number is listed when versions are hidden.
In this example, we can see that the PCI, PAN rule has 5 versions available.
When versions are hidden, you can edit, copy, export, and purge. You can only export when
versions are hidden.

• The last version of the component is the version available for editing, copying, exporting, or
purging.
• Importing any version of a user component that is currently available on the CommandPost
will add a new version to the existing stack.
When versions are hidden, you can purge and delete components:

• Purge will remove all versions of the policy component except the most recent version and
the latest version from the Fidelis Policy Feed (version 0 if it exists). Purge is used to
manage the number of versions that are saved for any policy component. By default, every
version of every policy component is stored until it is purged.
• The Purge button will be disabled if there are no versions that can be purged.
• Delete will remove every version of the policy component, including the Fidelis Policy Feed.
• The Delete button will be disabled if the policy component is used within the definition of
any version of any component. For example, a fingerprint cannot be deleted if it is used
within any version of a macro or any version of a rule.

Display Versions
Click to hide or display all versions on the policy, rule, fingerprint, and macro list
pages. In our example, if it is unchecked, all versions of the rule PCI, PAN are then
listed sequentially:

For fingerprints, you can edit only the most recent version. If you need to use another version, copy
it and assign the copy to a rule and policy.

Activate a Version

When versions are shown for policies, rules, fingerprint macros, and fingerprints, the
button displays for each version. Click to create a copy of the version and make it the
highest version number. This is the version that will be used by policy components. Clicking
Activate does not create a new version of any policy or policy component if the component has the
same contents as the highest version.

Note: The button is disabled for the highest version of a component. This
button does not display when versions are hidden.


Delete a Version
When versions are shown, you can delete specific versions of any policy component:

• Click the Delete Version button to remove the selected version.


• Version 0 cannot be deleted.
• If a component is the last remaining version it cannot be deleted. For example, the only
version of a fingerprint cannot be deleted.

Policy Wizard
The Policy Wizard can be accessed from the fingerprint², rule³, and policy⁴ edit pages.
When executed from the Edit pages in the Policy section of CommandPost, the wizard will first save
your changes, then guide you through the remaining steps of rule creation, policy creation, sensor
assignment, and sensor update. You can use the wizard as a shortcut for existing rules and
policies - modifications can be made on the edit page, then applied directly to the sensor at any
step of the process.

Create Policies from Fingerprints


When you use the wizard from the fingerprint edit pages, the wizard will guide you through five
steps:

1. After making changes to the fingerprint, click Policy Wizard. The first step behaves exactly the
same as the Save Changes button except, after saving the fingerprint, the Policy Wizard will
be launched.
If the fingerprint is currently used by at least one rule, the Update Sensors button will appear.
Click this button to skip to the end of the wizard flow and apply all fingerprint changes to
sensors.
Note: If the rule that uses the fingerprint is not included in a policy that is
currently assigned to a sensor, the Update process will have no effect.
Click Next to continue with the wizard flow. Click Cancel to exit the wizard without making
further changes.

Figure 2. Policy Wizard: Save fingerprint changes

² In Fidelis XPS, fingerprints describe attributes of network data transfers in terms of the content,
the sender/receiver (location), or the method of transfer (channel).
³ Fidelis XPS uses rules to determine what are acceptable and unacceptable network data
transmissions. When an unacceptable network data transmission is detected, a rule determines
what action will be taken.
⁴ A policy is a set of rules that guide business practices within an enterprise. Some examples
include determining acceptable use of network resources, preventing transmission of sensitive
information, and ensuring compliance with privacy laws.


2. Click Next to create a new rule. The fingerprint created or changed in the previous step will
create the expression for your new rule. Choose a name, severity, and action, and select Capture
Forensics and Capture Packets as needed.

Figure 3. Policy Wizard: New rule

The Edit Rule option is available to exit the wizard and enter the rule edit page. This can be
done when you need to modify the rule beyond the abilities provided by the wizard. Clicking
Edit Rule saves the rule with your selections and sends you to the rule edit page.
If you do not need to edit the rule, click Next to access the Policy creation page. The rule will
be saved and will be available from Policies>Rules.
Click Done to exit the wizard without creating the new rule. In this case, no changes will be
saved.

3. Add the new rule to an existing policy or create a new policy.

Figure 4. Policy Wizard: Create new or edit an existing policy

If you choose to add the rule to an existing policy, the Update Sensors option displays.
Clicking this button adds the rule to the policy, saves the policy, then skips to the end of the
wizard where all changes are applied to the sensors.
If you need to create a new policy, Click Next to advance the wizard to the assignments
screen. The policy changes are saved and then the wizard advances to the assignments
page.
Click Done to exit the wizard without making policy changes.

4. Assign the policy to sensors. Click Next to advance the wizard, save the assignments, and
send the new assignments to sensors. This step will update all sensors including any
changes that were previously made but not pushed to the sensors.
Click Done to exit the wizard without saving any changes to assignments.


Figure 5. Policy Wizard: Assign policy
5. Click Close to exit the wizard.

Create Policies from Rule or Policy Edit Pages


When you start the wizard from the Rule or Policy edit pages, a similar process occurs.

1. Click Policy Wizard from a rule or policy edit page. The Policy Wizard saves your changes and
displays the first page of the wizard.

Figure 6. Policy Wizard: Save rule changes

The Update Sensors button will only appear if the Rule is currently used by a policy or if the Policy
is currently assigned to a sensor. Clicking Update Sensors saves all changes applied to the edit
screen then advances directly to the sensor update process.
Click Next to advance the wizard to the next page. Click Cancel to exit the wizard.

2. Subsequent screens will follow the same flow as described in Create Policies from
Fingerprints. At each step, click Next to save the policy or assignments and advance to the
next page.
Click Done to exit the wizard without saving.


Regular Expressions in Fidelis XPS
Several fingerprints use regular expressions to define some aspect of the content or channel.
Fidelis XPS uses the Perl Compatible Regular Expression (PCRE) open source library (written and
copyrighted by Philip Hazel, [Link]) for regular expression analysis. If you are unfamiliar
with regular expressions, refer to PCRE.

Character Escaping
Note that an escape sequence is required to represent characters used for specific meaning by
PCRE, referred to as metacharacters.
The following metacharacters must be escaped: \ | ( ) [ ] { ^ $ * + ? . For example, to match a period
(.), you must write \. in your expression. Otherwise the PCRE metacharacter will be assumed and
may result in a regular expression compilation error or in unwanted matching.
Fidelis XPS Channel fingerprints also use specific characters which must be escaped: \ and "

• Because PCRE and Fidelis both use the backslash, (\) this character must be double-
escaped. For example, the string \\abc must be entered as \\\\\\\\abc (using four backslashes
to represent one).
• The internal representation of a Channel Attribute and a Channel Decoding Path regular
expression is enclosed in double-quotes, for example, "smtp". To include a double quote
within an attribute value or decoding path regular expression, you must escape it with a
backslash (\), for example, \"subject\" represents the string subject with beginning and ending
double quote characters. The need to match against double-quotes is rare, but may be
necessary in attribute values.

Using Regular Expressions


When writing a regular expression, the author should understand how meta-characters will be
interpreted by the analyzer. This understanding is based on the method used by the sensor to
extract information before performing the analysis. There are five uses for regular expressions:

• Channel fingerprints based on an attribute use a regular expression for the attribute value.
Each value is a single string, as extracted by the protocol or file format decoder. Examples
can be seen on the Alert Details page⁵. Refer to Attribute Value Regular Expression for
examples.
• Channel fingerprints based on the decoding path compare the regular expression to the
internal representation of the decoding path. The internal representation uses colons as a
separator. Refer to Decoding Path Regular Expression for examples.
• Filename Content fingerprints compare a string, containing the name of a file to the regular
expression. Refer to Filename Regular Expression for examples.
• Binary Profile fingerprints can match any binary pattern. For example, any hexadecimal
pattern can be written as a regular expression. Refer to Binary Profile for examples.
• Regular Expression, Identity Profile, and Protocol Signature Content fingerprints compare the
entire extracted text buffer to the regular expressions. This requires an understanding of
PCRE meta-characters. Specifically:

• The $ meta-character matches the end of the buffer. It is a common misunderstanding
that the $ represents the end of a line.
• The \R meta-character can be used to match the end of a line.
• The dot (.) meta-character matches all values except an end of line character. This can
be changed by preceding your expression with (?s).
Refer to Regular Expression and Pattern Regular Expression for examples.
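The escaping rules from Character Escaping and the buffer-wide matching behaviours listed above, as an added worked example in Python. This is not Fidelis XPS code: Python's re module is not PCRE, but its default handling of $, the dot and (?s) matches PCRE's; PCRE's \R has no Python equivalent, so END_OF_LINE emulates it (assumption: CRLF, LF and CR are the newline forms that matter). The encode_for_channel_fingerprint() helper is my reading of the Channel fingerprint escaping rule (double every backslash, then backslash-escape double quotes), and the BUFFER text is a constructed sample.

```python
"""Illustrate the PCRE behaviours the text above warns about, using
Python's re module. Added illustration; not Fidelis XPS code."""
import re

# Emulation of PCRE's \R (generic newline). Assumption: CRLF, LF and CR
# cover the newline forms found in extracted text buffers.
END_OF_LINE = r"(?:\r\n|\n|\r)"

# Constructed sample of an extracted text buffer (two lines, trailing newline).
BUFFER = "Subject: quarterly report\nBody: see attached\n"


def matches(pattern: str, buffer: str) -> bool:
    """Search the whole extracted text buffer, as a Content fingerprint would."""
    return re.search(pattern, buffer) is not None


def literal(text: str) -> str:
    """Escape every metacharacter so that `text` matches only itself."""
    return re.escape(text)


def encode_for_channel_fingerprint(pcre: str) -> str:
    """Turn a PCRE pattern into what must be typed into a Channel attribute
    or decoding-path field (my reading of the text): backslashes are doubled
    first, then each double quote gets one escaping backslash, which must not
    itself be doubled. One literal backslash is \\ in PCRE, so four on entry."""
    return pcre.replace("\\", "\\\\").replace('"', '\\"')


if __name__ == "__main__":
    print(matches(r"report$", BUFFER))               # False: $ is end of buffer, not end of line
    print(matches("report" + END_OF_LINE, BUFFER))   # True: emulated \R ends the line
    print(matches(r"report.Body", BUFFER))           # False: the dot does not cross a newline
    print(matches(r"(?s)report.Body", BUFFER))       # True: (?s) lets the dot match newline
    print(matches(literal("1.5"), "version 1x5"))    # False: escaped dot is literal
    print(matches("1.5", "version 1x5"))             # True: unescaped dot matches x
    print(encode_for_channel_fingerprint(r"\."))     # \\.
    print(encode_for_channel_fingerprint('"subject"'))  # \"subject\"
```

Note that `$` still matches just before a single trailing newline at the very end of the buffer (PCRE's default as well), so `attached$` matches BUFFER while `report$` does not.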

⁵ Alert Details is the most granular level for examining alert data.


Chapter 2 The Fingerprint Page
The first step in creating a policy is to create fingerprints that describe attributes of network data
transfers in terms of the content, the sender/receiver (location), or the method of transfer (channel).
Viewing and creating fingerprints can be accomplished by using one of the three fingerprint pages
in Policies at the CommandPost GUI. Content, Channels, and Locations will direct you to a
fingerprint page.
Each fingerprint page shows a list of all defined fingerprints for either Content, Channels, or
Locations. When accessed for the first time, the list will be empty. To enable automated policy
downloads, refer to Insight>Policy Feed.

Access a Fingerprint Page


To access a fingerprint page:

1. Click Policies.
2. Click Channels, Locations, or Content.
You can expand a fingerprint by clicking the row. When expanded, other buttons become available.
(Buttons are greyed out for encrypted fingerprints.) The icon indicates that the fingerprint is
used in a component that is assigned to a sensor. Deleting a fingerprint depends on the status of
the .
You can also elect to show or hide unused fingerprints. Unused fingerprints are indicated by a
icon next to the component name.

The indicates the current show or hide status. The default is to show all fingerprints.
Click to hide or to show unused fingerprints.

The indicates the current show or hide status of policy, rule, fingerprint, or
fingerprint macro versions. The default is to hide versions. Refer to Policy Versions for more
information.
You can combine fingerprints into macros to more easily include them in rules.


Figure 7. The Content Fingerprint page

Display Content
Click Display Content at any selected fingerprint to see a text file representation of the fingerprint.
This information can be used by the advanced user to export, and later import fingerprint
descriptions between CommandPosts. For more information, contact Technical Support.

Edit a Fingerprint
Click Edit for the selected fingerprint to enter the fingerprint edit page. The layout of the edit page is
different for each fingerprint, and is further explained in Locations, Channels, or Content.
Each fingerprint edit page includes a General tab. Click this tab to edit Comments. You can edit the
fingerprint name if the fingerprint is not included in a rule. Other tabs allow you to change the
parameters of the fingerprint.

Copy a Fingerprint
You can copy an existing fingerprint, save it under a new name, and edit as needed. The new
fingerprint includes all properties from the original, except for the date properties, which will reflect
the time and user name that created the copy. The new copy will not be included in any rule. You
can copy each fingerprint multiple times, as long as it is saved under a unique name.
To copy a fingerprint:

1. Click Policies>Content, Policies>Channels, or Policies>Locations as appropriate.


2. Open the row of the fingerprint you wish to Copy.
3. Click Copy. The Copy dialog box displays.
4. Enter a new name in the Save As text box or keep the default name.
5. Enter comments, if needed.
6. Click Save.
7. Click Edit to make any needed changes to the new fingerprint.
8. Assign the new fingerprint to rules as needed.


Export a Fingerprint
If you have Full Policy permissions, you may export a single Fingerprint:

1. Click Policies>Content, Policies>Channels, or Policies>Locations as appropriate.


2. Click the row of the fingerprint you wish to export.
3. Click Export
A compressed tar file with a .tgz extension will be created and transferred to your browser. Your
browser may offer several options based on your browser settings, which may allow you to open or
save the file. If you are not offered these choices, check your browser settings for handling of .tgz
files.
This file will contain the exported fingerprint.
You can now import this fingerprint back to your CommandPost or to another location. Refer to
Import.

Delete a Fingerprint
Deleting a fingerprint depends on the status of the , refer to Policy Versions.
To delete a fingerprint:

1. Click Policies.
2. Click Content, Channels, or Locations.
3. Click the appropriate fingerprint.
4. Click Delete.
5. Click OK at the confirmation dialog box.
The fingerprint is removed from Fidelis XPS.
If you have a hierarchical environment:
From a Master CommandPost, you can use the Global Delete option to delete a policy
or policy components (fingerprints, rules, and macros).
Click Delete and you will be provided with an option to delete locally (only on the
Master CommandPost) or to delete globally (Master CommandPost and all
Subordinates).
Note: On the Subordinate, the policy will be deleted only if it is not assigned to any
sensor (the default criteria for deletions). A rule will be deleted only if it isn't
assigned to any policy; fingerprints and macros will be deleted only if they are not
assigned to any rule.

Encrypted Fingerprints
Encrypted fingerprints may be included within the Fidelis Policy feed. These fingerprints include
sensitive data acquired by General Dynamics Fidelis Cybersecurity Solutions or Fidelis partners.
General Dynamics Fidelis Cybersecurity Solutions may distribute the intelligence within these
fingerprints but is contractually forbidden to disclose the contents.
You cannot Copy, Display Content, or Edit encrypted fingerprints; consequently, these buttons are
greyed out. You can include encrypted fingerprints in fingerprint macros and in rules. Encrypted
fingerprints are also available for Import and Export.


Chapter 3 Locations

A location represents the sender or the receiver of a data transmission. Within Fidelis XPS, a
location is defined by information in your LDAP or Active Directory server, the source and/or
destination IP address, the country in which the IP address is registered, or a dynamic reputation
feed of IP addresses and/or URLs.
A single directory user or IP address may represent an individual user or server (such as a
corporate mail server). A directory group or IP address range may represent a group of people
(such as Human Resources) or a bank of servers (such as authorized Mail servers). The IP
address to country mapping is provided by GeoLite data created by MaxMind. Refer to
[Link] for more information.
The location analyzer may be used as a white list (allow) or black list (deny) entry in a rule. For
example, it may be permissible for confidential personnel information to be sent by Human
Resources to the corporate medical benefits provider, but to disallow such a transmission to or
from other groups.

Location Pages
You can expand a fingerprint by clicking the row. When expanded, other buttons become available.
(Buttons are greyed out for encrypted fingerprints.) The icon indicates that the fingerprint is
used in a component that is assigned to a sensor. Deleting a fingerprint depends on the status of
the .
You can also elect to show or hide unused fingerprints. Unused fingerprints are indicated by a
icon next to the component name.

The indicates the current show or hide status. The default is to show all fingerprints.
Click to hide or to show unused fingerprints.

The indicates the current show or hide status of policy, rule, fingerprint, or
fingerprint macro versions. The default is to hide versions. Refer to Policy Versions for more
information.
The fingerprint⁶ and fingerprint macro⁷ pages can be sorted by any column on a page in either
ascending or descending order.
To do this:
Click the column header to sort by that column.

The or icons display when a column has been sorted. You can only sort by one column at
a time.

⁶ In Fidelis XPS, fingerprints describe attributes of network data transfers in terms of the content,
the sender/receiver (location), or the method of transfer (channel).
⁷ You can combine fingerprints into a macro to make it easier to include two or more fingerprints into
rules. Instead of multiple fingerprints, you can use one macro in a rule.


Define a Location
To define a location:

1. Click Policies>Locations.
2. Click Add, or click the appropriate location fingerprint⁸ and click Edit.
3. For a new location, enter a name and comments in the text boxes at the General tab. Names
are required, and must contain valid characters (alphanumeric plus dash and underscore).
Comments are optional and may contain any character including spaces.

4. Select a type (Country, Directory, Email Feed, Flagged Hosts, IP Address, or Reputation)
and click Save Changes.
If you selected Country as the type, the Countries tab appears after you save. Refer to Define
Countries.
If you selected Directory, the Generate Fingerprint tab appears after you save. Refer to
Define Directories.
If you selected Email Feed, the Feed Source tab appears after you save. Refer to Email
Feed.
If you selected Flagged Hosts as the type, the Contents tab appears after you save. Refer to
Flagged Hosts.
If you selected IP Address as the type, the IP Addresses tab appears after you save. Refer to
Define IP Addresses.
If you selected Reputation, the Reputation tab appears after you save. Refer to Define
Reputation.

5. Click Save Changes.


You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.

Edit a Location Fingerprint


You can edit an existing fingerprint. To do this:

1. Click the appropriate fingerprint and click Edit.

2. You can edit Comments at the General page. You can also change the name if the fingerprint
is not included in a rule.

3. If needed, click the tab specific to each fingerprint to make changes.

4. Click Save Changes.


You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.

⁸ A Location fingerprint represents the sender or the receiver of a data transmission. Within Fidelis
XPS, a location is defined by information in your LDAP or Active Directory server, the source and/or
destination IP address, the country in which the IP address is registered, or a dynamic reputation
feed of IP addresses and/or URLs.


Define Countries
A location may be defined by the country in which the IP address has been registered. Location
information can also be customized using Private GeoIP to define the location of private IP
addresses. The mapping of IP addresses is provided by GeoLite data created by MaxMind.
Country names are maintained by ISO 3166 and augmented by special codes provided by
MaxMind. Refer to [Link]. CommandPost will periodically update the country
database by downloading data from the Fidelis Insight Server.
To specify countries:

1. Enter information and select the Country Type at the General tab. Refer to Define a Location.
2. Click Countries.

Figure 8. Locations: Countries


3. Use control-click to select multiple countries from the provided list. You can reduce the list by
typing the first few letters of a country name in the text box at the top of the list. As you type,
the list will change. You can restore the list by deleting letters from the box.
The Country List will include any previously specified Private GeoIP locations at the bottom of
the list.
Refer to chapter 13 in the User Guide.
4. To define the country based on the data flow, use the upper portion of the screen and click
Source List, Destination List, or Both Lists. To define the country based on the transport layer
protocol (TCP) use the lower portion of the screen and click Client List, Server List, or Both
Lists. Client and Server lists are only used for matching when TCP is the transport protocol.
Source and Destination are relative to the flow of the content. Client and Server indicate the
TCP client (the initiator of a TCP/IP session) and the server (the recipient of the session
initiation). Refer to the Fidelis XPS Policy Overview.
To delete, select one or more countries (using control click) and click .
5. Click Save Changes.


You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.

Define Directories
A Directory fingerprint may be defined as either a person or a group listed in your corporate LDAP
server. For example, you can define the Legal or HR departments as Directory fingerprints or you
can specify an individual as a Directory fingerprint.
Before creating this fingerprint, the interface between CommandPost and your directory must be
configured. Refer to chapter 13 in the User Guide.
To create a directory fingerprint:

1. Enter information and select the Directory Type at the General tab. Refer to Define a
Location.
2. Click Generate Fingerprint.

Figure 9. Directory: Generate Fingerprint


3. Enter a base in the text box. Base is the starting point for a search in your directory server
hierarchy.
For example, if you wanted to specify a legal group defined in the LDAP server, your entry for
the base could be cn=legal, dc=mydomain, dc=com. Contact your network administrator for
more details.

Note: CommandPost does not include a Directory Browser function. You can use
your favorite directory browser to define your Base setting and paste it into this
CommandPost page.
4. Enter one or more filters in the text box, as needed. This enables you to filter search results
from those directory entries found at the base.
For example, if you enter "cn=Joe*" in the filter and "cn=legal, dc=mydomain, dc=com" for
base, the server will return records for users whose names begin with Joe in the legal
department.
5. If you have a Network Identity Management system from A10 Networks: Enter a User
Attribute for IP-to-ID user mapping information. This is usually an LDAP attribute that
identifies the user login ID. One example of this attribute could be: samAccountName for an
active directory server. The User Attribute serves as a login ID for the user. IP-to-ID tracks IP
information which is mapped to ID information on the A10 Network server based on the user
attributes entered here.
6. Select direction as either From, To, or Any. Selecting From (To) will match any email or any
IP-to-ID user attribute where the From (To) information matches your base and filter settings.
Selecting Any will look for email or IP-to-ID user attribute information either coming or going
that matches your base and filter settings.
7. Click Test (Optional). CommandPost will retrieve information from your directory server and
display the results that match your base and filter conditions. Records are counted only if
email addresses or LDAP user attributes are available.
Click Verbose (Optional) to use with Test to view all records returned from the server.
In non-verbose mode, Test prints out only a summary line.
Ensure that any limits specified for the LDAP server are large enough to return all the records
for the base/filter combination you plan to specify.

Fidelis XPS Guide to Creating Policies 31


Note: Clicking Test presents the current directory results. However,
CommandPost will periodically regenerate the fingerprint and download it to all
sensors to which this fingerprint has been assigned. The frequency of fingerprint
re-generation is configured as part of your LDAP or Active Directory settings.
8. Click Save Changes.
You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.

Define Email Feed


Before you can define an Email Feed location, an Email feed must already exist.
To specify a location by Email:

1. Enter information and select the Email Type at the General tab. Refer to Define a Location.
2. Click Feed Source.

Figure 10. Locations: Email Feed

3. Select one or more email protocols to apply your feed.


4. Select a direction, either From or To or select both. To includes all recipients of email,
whether part of the To, CC, or BCC fields.
5. Select one or more Email feeds. For each listed Email feed, the name and description are
displayed. Only feeds defined as Email feeds will display.
You can select any combination of feeds or select all feeds.
6. If needed, click Add Row to add another row of information to the fingerprint. The additional
rows can be used to apply each feed differently. For example, you may want to apply one
feed to the sender (From) for SMTP email, while applying a second feed to the recipient (To)
of webmail. If an Email Feed fingerprint contains multiple rows, a match to any one will
generate an alert.
7. Click Save Changes.

Define Flagged Hosts


The Flagged Host fingerprint can refer to hosts flagged by either malware detection, rules that use
the Alert and Flag Host action, or both.
These flagged hosts can be referenced in other rules by using the Flagged Host Location
fingerprint. This fingerprint specifies a timeframe during which the flagged host should be
recognized. Flagged hosts can be used to determine secondary actions taken by malware, such as
command and control communication or subsequent actions taken by users that violate any type of
rule. Rules may be written to adjust severity or take a different action when a flagged host is
involved.



To enable flagged hosts:

1. Enter information and select the Flagged Host Type at the General tab. Refer to Define a
Location.

Figure 11. Locations: Flagged Host

2. Select Malware flagged or Rule flagged or both. You can select both options for the
fingerprint or just one of the options.
Rules that use the Alert and Flag Host action are listed next to the Rule flagged option.
3. Specify a time to recognize the host as compromised. The time is entered as minutes since
the last detection of malware or rule violation. The time limit applies to the fingerprint.
You must specify a time for each selected option: either Malware or Rule flagged.
4. Click Save Changes.
You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.

Define IP Addresses
The IP Ranges link opens an edit page for defining the location. A location can be defined as either
the sender, the receiver, or as both. Sender and receiver can be defined based on the data flow
(using source and destination) or based on the TCP session initiation (using client and server). In
most use cases, you will define your IP range as either the source or the destination, so that this
fingerprint will match the address of either the sender or the recipient of data.
In some cases, you may want to limit the definition to either source or destination. For example, it
may be permissible for your Human Resources department to receive sensitive data, but not
permissible for them to send the data. In this example, you would define the IP address based on
the destination (Human Resources) and whitelist this destination in your rule.
To specify a location by IP address:

1. Enter information and select the IP Address Type at the General tab. Refer to Define a
Location.
2. Click IP Addresses.



Figure 12. Locations: IP Addresses

3. Enter IP addresses into the text box. Each line represents a new address or range. The
following are supported:

• CIDR IPv4 addresses such as [Link]

• CIDR IPv4 addresses with subnet mask, such as [Link]/24

• Short form IPv4 addresses as interpreted by UNIX INET formats. For example, 10.8 is
equivalent to [Link]. Subnet masks may be added such as 10.8/24, which is
equivalent to [Link]/24.
• IPv6 addresses with or without a subnet mask, such as [Link] or
[Link]/16
• Short form IPv6 addresses such as fe80::1 or fe::1/16, which are equivalent to the
examples shown above.
• An address range by separating two IP addresses by a dash (-). The address on each
side of the dash must be correctly formatted as explained above. In addition, the address
on the right side of the dash must be greater than the address on the left.
Note: This guide assumes familiarity with IP address notation syntax.

4. To define IP addresses based on the data flow, use the upper portion of the screen and click
Source List, Destination List, or Both Lists. To define IP addresses based on the transport
layer protocol (TCP), use the lower portion of the screen and click Client List, Server List, or
Both Lists. Client and Server lists are only used for matching when TCP is the transport
protocol.
Source and Destination are relative to the flow of the content. Client and Server indicate the
TCP client (the initiator of the TCP session) and the server (the recipient of the session
initiation).



Each line in your text box will be validated for proper syntax. Any errors will be displayed and
the associated lines will remain in the entry box. All valid entries will be copied to the selected
display box.
5. Click Save Changes. Once valid addresses are available in the Source IP or Destination IP
boxes, they may be deleted. Select one or more IP addresses or ranges (using control click)
and click the delete icon.
You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.
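As an added example of how such a list is validated (this is not Fidelis code), the Python below parses each of the entry forms listed in step 3, normalizes the lines it accepts and reports the lines it rejects, which is what the text box is described as doing on Save Changes. Short-form IPv4 is expanded with the host's inet_aton, the UNIX convention the list names: under that convention 10.8 is 10.0.0.8, not 10.8.0.0, so a short-form entry can cover a very different range from the one intended and is worth checking against what the appliance displays before it is relied on. The handling of dash ranges (a bare address on each side) and of host bits under a mask (masked off) are assumptions of the example.

```python
"""Validate an IP Address location list line by line.

Added example (not Fidelis code): it accepts the entry forms listed above
(CIDR IPv4 with or without a mask, short-form IPv4, IPv6 with or without a
mask, and dash-separated ranges), normalizes the good lines and reports the
bad ones, mirroring what the text box is described as doing on Save.
"""
import ipaddress
import socket


def expand_short_ipv4(text):
    """Expand a short-form IPv4 address with the host's inet_aton.

    inet_aton fills the missing octets from the LAST field given, so '10.8'
    is 10.0.0.8 and '10.8.1' is 10.8.0.1; a full dotted quad comes back
    unchanged. Raises OSError for anything inet_aton rejects.
    """
    return socket.inet_ntoa(socket.inet_aton(text))


def parse_address(text):
    """Parse one bare address (no mask, no dash) into an ipaddress object."""
    if ":" in text:
        return ipaddress.IPv6Address(text)
    try:
        return ipaddress.IPv4Address(expand_short_ipv4(text))
    except OSError as exc:
        raise ValueError("not a valid IPv4 address: %r" % text) from exc


def parse_entry(line):
    """Parse one text-box line into ('range', (lo, hi)) or ('network', net).

    Raises ValueError with a message meant to be shown beside the bad line.
    Assumption: each side of a dash is a bare address rather than a network.
    """
    line = line.strip()
    if "-" in line:
        left, right = (part.strip() for part in line.split("-", 1))
        lo, hi = parse_address(left), parse_address(right)
        if lo.version != hi.version:
            raise ValueError("range mixes IPv4 and IPv6: %r" % line)
        if hi <= lo:
            raise ValueError("right side must be greater than left side: %r" % line)
        return "range", (lo, hi)
    if "/" in line:
        addr, prefix = line.split("/", 1)
        if ":" not in addr:
            addr = str(parse_address(addr))  # expand a short form first
        if not prefix.isdigit():
            raise ValueError("prefix length must be a number: %r" % line)
        # strict=False clears host bits, so 10.8.1.5/24 becomes 10.8.1.0/24
        return "network", ipaddress.ip_network("%s/%s" % (addr, prefix), strict=False)
    return "network", ipaddress.ip_network(str(parse_address(line)))


def normalize(kind, value):
    """Render an entry the way it would appear in the display box."""
    if kind == "range":
        return "%s-%s" % value
    if value.prefixlen == value.max_prefixlen:
        return str(value.network_address)
    return str(value)


def validate_ip_list(text):
    """Return (valid normalized entries, [(bad line, reason), ...])."""
    valid, errors = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            valid.append(normalize(*parse_entry(line)))
        except ValueError as exc:
            errors.append((line, str(exc)))
    return valid, errors


# Constructed input, one entry per line as in the text box.
SAMPLE_LINES = """\
192.168.1.10
192.168.1.0/24
10.8
10.8/24
fe80::1
fe::1/16
192.168.2.1-192.168.2.50
192.168.3.50-192.168.3.1
300.1.1.1
"""

if __name__ == "__main__":
    good, bad = validate_ip_list(SAMPLE_LINES)
    print("accepted:", good)
    print("rejected:", bad)
```

The two rejected lines are the reversed range and the out-of-range octet; the short forms are accepted but expand to 10.0.0.8 and 10.0.0.0/24, which is the case to confirm before short forms go into an allowlist.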

Define Reputation
To specify a location by Reputation:

1. Enter information and select the Reputation Type at the General tab. Refer to Define a
Location.
2. Click Reputation.

Figure 13. Locations: Reputation

3. Select one or more feeds. For each listed feed, the status, feed name, provider, and
description are displayed.
You can select any combination of feeds or select all feeds. Selecting all includes all
configured and enabled feeds for that type in the Reputation fingerprint.
Note: When matching against MD5s in a feed, prevention is not possible.
4. Click Save Changes.

Reputation Fingerprints and URL Prevention


URL prevention is available for sensors working with URL feeds. When an Inline sensor
encounters a URL that matches the feed, prevention is performed by dropping the packet.
To set up a rule to enable URL prevention:

1. Add a Reputation fingerprint as described in the steps above using feeds that contain URLs
of sites.
2. Create a rule with only one URL feed fingerprint in it.
3. Set the rule action to either prevent or to alert and prevent.
4. Assign the rule to a sensor set up in Inline mode. Refer to Sensors>Config>Direct General.
Refer to chapter 13 in the User Guide.
You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.

Reputation Fingerprints and UDP Prevention


UDP prevention is available for sensors working with IP feeds. When an Inline sensor encounters
an IP that matches the feed, prevention is performed by dropping the packet.
To set up a rule to enable UDP prevention:



1. Add a Reputation fingerprint as described in the steps above using feeds that contain IP
addresses.
2. Create a rule with only one IP feed fingerprint in it.
3. Set the rule action to either prevent or to alert and prevent.
4. Assign the rule to a sensor set up in Inline mode. Refer to Sensors>Config>Direct General.
Refer to chapter 13 in the User Guide.
You can also click Policy Wizard to save changes and proceed to the next step in creating and
assigning a policy. Refer to Policy Wizard.



Chapter 4 Channels
Location fingerprints describe the sender and receiver of a data transmission. Content fingerprints
represent the content within the transmission. Channel refers to all other aspects of network
communication including the application protocol, attributes (such as URL, FTP user name, and
social networking application modes of operation), the time of day and day of the week, the length
of the communication, and many other parameters.

Channel Parameters
The channel analyzer generates a fingerprint match based on the following parameters.
• Source port

• Destination port

• Session length

• Day of week

• Time of day

• Session duration

• Application protocol

• Attributes
• Date Attributes

• Decoding path
• Format Type
• Format Data Size
• Email Recipients
Attributes differ per protocol or file format. Refer to Decoder Attributes for Channels for details.
It is important to note that the Fidelis XPS decoder stack splits the data in the transmission into
objects. Refer to for details.

Channel Pages
You can expand a fingerprint by clicking the row. When expanded, other buttons become available.
(Buttons are greyed out for encrypted fingerprints.) An icon indicates that the fingerprint is
used in a component that is assigned to a sensor. Whether a fingerprint can be deleted depends on
that status.
You can also elect to show or hide unused fingerprints. Unused fingerprints are indicated by an
icon next to the component name.

An icon indicates the current show or hide status. The default is to show all fingerprints.
Click it to hide or to show unused fingerprints.

A second icon indicates the current show or hide status of policy, rule, fingerprint, or
fingerprint macro versions. The default is to hide versions. Refer to Policy Versions for more
information.



The fingerprint (9) and fingerprint macro (10) pages can be sorted by any column on a page in either
ascending or descending order.
To do this:
Click the column header to sort by that column.

A sort icon displays on the column that has been sorted. You can only sort by one column at
a time.

Define a Channel Fingerprint


To define a channel fingerprint:

1. Click Policies>Channels.
2. Click Add. The New Component page appears.
3. Enter a name and comments in the text boxes. Names are required, and must contain valid
characters (alphanumeric plus dash and underscore). Comments are optional and may
contain any character including spaces.
4. Click Save Changes. The Conditions link appears.
5. Click the Conditions link. Click Add New to enter conditions. Refer to Define Conditions for a
Channel Fingerprint.
6. Select a parameter. The page changes depending on what is selected.

Figure 14 . Channel fingerprint: parameters


7. Click Add after entering each parameter and its attribute. The attribute displays in the
parameter text box to the right.
8. Click Save Changes. The TRUE if: text box displays the new condition.
9. Repeat until all conditions are added for this channel.

(9) In Fidelis XPS, fingerprints describe attributes of network data transfers in terms of the content,
the sender/receiver (location), or the method of transfer (channel).
(10) You can combine fingerprints into a macro to make it easier to include two or more fingerprints
into rules. Instead of multiple fingerprints, you can use one macro in a rule.



Define Conditions for a Channel Fingerprint
A Channel fingerprint is defined by one or more conditions. Conditions can be combined to create
fingerprint clauses.
A condition is a defined element that describes a parameter of the network transmission. For
example, src_port in[>1054] tells the channel analyzer to find transmissions from source port
1055 or greater.
Use Multiple Channel Clauses
A Channel fingerprint may contain multiple clauses to describe the channel condition.
For example, the channel PortsSSH uses two clauses. This channel will be true if the source OR
the destination TCP port number is 22.

Figure 15. Channel with Multiple Clauses

An example rule using this channel clause would be:


SSH AND NOT PortsSSH
This sample rule can be described as "If SSH is found and the TCP port is not 22, take Action." This
rule assumes there is a channel defined as SSH in addition to PortsSSH. Because PortsSSH is true
when either the source or the destination port is 22, NOT PortsSSH is true only when neither port
is 22. This rule would therefore fire if SSH was found and both the source and the destination of
the transmission were on a TCP port other than 22.
Use Multiple Conditions within One Clause
If a channel definition contains multiple conditions combined in one clause, all conditions must be
present in the data transmission for the channel to evaluate to true. For example, if a clause
contains a condition specifying SSH and times outside of 6 am to 8 pm, then the data transmission
must use SSH and occur outside of 6 am to 8 pm for this channel to evaluate to true. If only one of
the conditions is met, then it will not evaluate to true.

Figure 16. Channel with Multiple Conditions in One Clause

A rule based on this sample would be:


SSH traffic
This sample rule can be described as "SSH traffic occurring outside the hours of 6 am to 8 pm, take
Action.”
Using Clauses



Using clauses offers the ability to logically combine session attributes within a single channel
fingerprint. An alternative is to keep channel definitions simple and use logic within your rule
definition to achieve the same results. Refer to Define Rules for more information.
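The clause and condition logic above, as an added example that is not Fidelis code: a fingerprint is a list of clauses that are ORed, each clause a list of conditions that are ANDed, and a rule combines fingerprints with AND and NOT. The port entries follow the rules in Note 1 under Define Channel Parameters (single value, greater than, less than, or a range, assumed inclusive at both ends), the Session class and the session records are constructed for the check, and the two rules from Figures 15 and 16 are evaluated side by side so the effect of NOT PortsSSH can be seen directly.

```python
"""Evaluate channel fingerprints built from clauses and conditions.

Added example (not Fidelis code). It models the logic described above:
conditions inside one clause are ANDed, clauses inside one fingerprint are
ORed, and a rule combines fingerprints with AND / NOT. Port entries follow
Note 1 under Define Channel Parameters (range endpoints assumed inclusive),
and the session records are constructed for the check.
"""
from datetime import time


class Session:
    """Stand-in for what the channel analyzer sees for one session."""

    def __init__(self, protocol, src_port, dst_port, time_of_day):
        self.protocol = protocol
        self.src_port = src_port
        self.dst_port = dst_port
        self.time_of_day = time_of_day


def port(field, left=None, right=None):
    """Port condition with the entry semantics of Note 1.

    Same number in both boxes: exact match. Left box only: greater than.
    Right box only: less than. Both boxes: a range (assumed inclusive).
    Returns (label, predicate); the label mirrors the 'src_port in[>1054]' form.
    """
    if left is None and right is None:
        raise ValueError("enter at least one port value")
    if left is not None and right is not None:
        if left == right:
            return "%s in[%d]" % (field, left), lambda s: getattr(s, field) == left
        if left > right:
            raise ValueError("left value must be less than right value")
        return ("%s in[%d-%d]" % (field, left, right),
                lambda s: left <= getattr(s, field) <= right)
    if left is not None:
        return "%s in[>%d]" % (field, left), lambda s: getattr(s, field) > left
    return "%s in[<%d]" % (field, right), lambda s: getattr(s, field) < right


def protocol(name):
    """Application protocol condition."""
    return "protocol in[%s]" % name, lambda s: s.protocol == name


def time_of_day(start, end, outside=False):
    """Time-of-day window; per Note 2 the right value must exceed the left."""
    if end <= start:
        raise ValueError("end time must be greater than start time")

    def inside(s):
        return start <= s.time_of_day <= end
    if outside:
        return "time_of_day not in[%s-%s]" % (start, end), lambda s: not inside(s)
    return "time_of_day in[%s-%s]" % (start, end), inside


def fingerprint_matches(fingerprint, session):
    """A fingerprint is a list of clauses, a clause a list of conditions:
    true if ANY clause has ALL of its conditions satisfied."""
    return any(all(pred(session) for _, pred in clause) for clause in fingerprint)


def describe(fingerprint):
    """Render a fingerprint in the guide's TRUE if: notation."""
    return " OR ".join(
        "(" + " AND ".join(label for label, _ in clause) + ")" for clause in fingerprint)


# Figure 15: two clauses, true if the source OR the destination port is 22.
PortsSSH = [[port("src_port", 22, 22)], [port("dst_port", 22, 22)]]
# A channel that is simply the SSH application protocol.
SSH = [[protocol("SSH")]]
# Figure 16: one clause with two conditions, SSH AND outside 6 am to 8 pm.
SSHTraffic = [[protocol("SSH"), time_of_day(time(6, 0), time(20, 0), outside=True)]]


def rule_ssh_off_port(session):
    """Rule 'SSH AND NOT PortsSSH': SSH seen and neither port is 22."""
    return fingerprint_matches(SSH, session) and not fingerprint_matches(PortsSSH, session)


def rule_ssh_after_hours(session):
    """Rule 'SSH traffic': SSH outside the hours of 6 am to 8 pm."""
    return fingerprint_matches(SSHTraffic, session)


# Constructed sessions for a side-by-side check of the two rules.
SESSIONS = {
    "ssh_std_daytime": Session("SSH", 51000, 22, time(10, 0)),
    "ssh_2222_daytime": Session("SSH", 51001, 2222, time(10, 0)),
    "ssh_std_night": Session("SSH", 51002, 22, time(23, 30)),
    "http_night": Session("HTTP", 51003, 80, time(23, 30)),
}

if __name__ == "__main__":
    print("PortsSSH TRUE if:", describe(PortsSSH))
    print("SSHTraffic TRUE if:", describe(SSHTraffic))
    for name, s in SESSIONS.items():
        print(name, "off_port=%s after_hours=%s" % (rule_ssh_off_port(s), rule_ssh_after_hours(s)))
```

Only the session on port 2222 fires the off-port rule: a normal SSH session has an ephemeral source port, so a rule that ORed the two negated port checks would fire on every SSH session, which is why NOT applied to the whole two-clause fingerprint is what the rule needs.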
Define Channel Parameters
Channel parameters and attributes have well defined values within Fidelis XPS. For many
parameters, a text string must be entered into the definition. To be effective, the text string must be
chosen from the possible values defined in this section.
Table 1. Channel parameters

Source or Destination port
  Entries: Enter a port number. Refer to Note 1.
  Note: Source and Destination are relative to the flow of the content. Refer to the
  Fidelis XPS Policy Overview.
  Ranges allowed: yes

Client or Server port
  Entries: Enter a port number. Refer to Note 1.
  Note: Client or server indicates the flow of data between the client (the initiator of a
  TCP/IP or UDP/IP transaction) and the server (the recipient of a TCP/IP or UDP/IP
  transaction). Refer to the Fidelis XPS Policy Overview.
  Ranges allowed: yes

Session length
  Entries: Enter a number for the allowed session length. Select either K for kilobytes or
  M for megabytes. Refer to Note 1.
  Ranges allowed: yes

Day of week
  Entries: Select days by clicking the appropriate check boxes.
  Ranges allowed: no

Time of day
  Entries: Enter the hour, minute, and second as needed. Refer to Note 2.
  Ranges allowed: yes

Session duration
  Entries: Enter values for days, hours, minutes, and seconds as needed. Refer to Note 2.
  Ranges allowed: yes

Application protocol
  Entries: Select an application protocol from the list.
  Ranges allowed: n/a

Attributes
  Entries: Select Label, then a Parameter and a Value. Only one must be entered; the
  others may be left empty to form a wildcard. Refer to Define Attributes and Note 3 for
  more information.
  Ranges allowed: n/a

Date Attributes
  Entries: Select Date Attributes to compare the dates extracted from files to an absolute
  date or a date relative to the sensor's current time. Refer to Format Decoder Attributes
  and Values for a complete list of available date attributes. Refer to Define Date
  Attributes for information about comparing dates.
  Ranges allowed: yes

Decoding path
  Entries: Enter a regular expression into the decoding path text box to create alerts for
  sessions that contain a specific string or combination of strings within the decoding
  path. The fingerprint match is done by regular expression. Refer to Fidelis XPS Policy
  Overview and Note 3.
  Ranges allowed: n/a

Format Type
  Entries: Select a data format type from the list. Refer to Format Decoder Attributes and
  Values for a complete list.
  Ranges allowed: n/a

Format Data Size
  Entries: Enter a format data size in the text box. Select either K for kilobytes or M for
  megabytes. The fingerprint matches when the format data size is greater than the size
  specified.
  Ranges allowed: no

Email Recipients
  Entries: Select Email Recipients to check recipient email addresses against a
  fingerprint. Select in or not in and make an entry in the text box. An example of a valid
  entry would include a domain name such as [Link] or [Link]. Email Recipients checks
  against email protocols including SMTP and IMAP4. Refer to Email Recipients.
  Ranges allowed: n/a

Notes about parameter entry:


1. Ports and Session length:
To specify a single entry: enter the same number in both boxes. For example, to set a
condition for source port 80, enter 80 into both boxes.
To specify a value greater than a specific entry: enter a number in the left text box only.
Click Add. The number displays with the > sign.
To specify a value less than a specific entry: enter a number in the right text box only.
Click Add. The number displays with the < sign.
Enter the appropriate numbers in both text boxes to specify a range. The value entered in
the left text box must be less than the value entered in the right text box or an error will
occur.
2. Time of day and session duration:
To specify a range: enter the appropriate numbers in both text boxes. The value in the
right box must be greater than the number in the left box, or an error will be generated
when Save Changes is clicked.
3. Attributes and Decoding Path offer text boxes to enter strings. Regular expression syntax
is supported within these strings. Refer to Attribute Value Regular Expression and
Decoding Path Regular Expression.

Define Attributes
Attributes allow you to define a Channel fingerprint by matching specific parameters extracted by
the Fidelis XPS decoding software. For example, you can specify From, To, and Subject
parameters for email protocols such as IMAP4, AOLMAIL, or YAHOOMAIL.

• Label is the name of a Fidelis XPS decoder. Refer to the decoder name columns in Protocol
Decoders and Format Decoders.

• Parameter is the name of the attribute to match. For example, the From attribute in an email.
Refer to the attribute strings column in Protocol Decoders and Format Decoders. The values
available in the Parameter list will change if Label is selected. In this case, the list will only
show those attributes extracted by the selected Label.

• Value is the value of this parameter, entered as a regular expression. Some parameters
return specific strings defined by Fidelis XPS decoding software.
Value is processed using a regular expression match. Refer to Regular Expressions in Fidelis XPS
for more information.
If label, parameter, or value is left empty, the search engine will treat them as wildcards and match
any label, parameter, or value. The use of wildcards allows for flexible condition definition, for
example:

• To find all email generated by a certain user, choose the From parameter, enter the email
address of the user and leave label empty. This will match email coming from SMTP,
AOLMAIL, YAHOOMAIL, and any other protocol that contains a From attribute.

• To find any file transfer, choose the Filename parameter and leave Label and Value empty.
This will match any file transferred over any protocol.
To define an attribute:



1. Select Attributes at the Select parameter list. The Attributes Conditions page appears.

Figure 17. Channels: Attributes


2. Select in, not in, or all at Attributes. The selections in and all are equivalent when only one
value is added to the text box on the right. When more than one value is listed, in will match
at least one value. The selection all will match all values. The selection not in matches
anything except values added to the text box.

3. Select a label from the Label list. This is the label generated by the protocol decoder. Refer to
Decoder Attributes for Channels for more information.

4. Select a parameter specific to the application. The list will change based on the selected
Label. If no Label is selected all possible attribute values will be available.

5. Enter a value that pertains to the label and parameter. Refer to Attribute Value Regular
Expressions.
6. Click Add and your attribute definition will move to the box on the right.
7. Click Save changes after adding all attribute definitions. You can also click Policy Wizard to
save changes and proceed to the next step in creating and assigning a policy. Refer to Policy
Wizard.

Define Decoding Path


Decoding path enables you to define a Channel fingerprint by matching on sessions that contain a
specific string or combination of strings within the decoding path.
To define a decoding path:

1. Select Decoding path as the parameter.

Figure 18. Channels: Decoding path


2. Select in, not in, or all for Decoding path. The decoding path selections of in and all are
equivalent when only one value is added to the text box on the right. When more than one



value is added, in will match at least one value. The selection all will match all values. The
decoding path selection not in matches anything except values added to the text box.
3. Enter a regular expression in the text box. Refer to Decoding Path Regular Expressions.
4. Click Add and your regular expression will move to the box on the right.
5. Click Save changes after adding all decoding path expressions. You can also click Policy
Wizard to save changes and proceed to the next step in creating and assigning a policy.
Refer to Policy Wizard.

Decoding Path Regular Expression


Enter a regular expression to define a value for the decoding path.
At the Channels>Conditions page:
Enter a regular expression in the text box. For example:

• For a file name: Enter: filename\.ext$


• To find files with a gz extension: Enter \.gz$
• For a Protocol: Enter the protocol name exactly as written in the Protocol Decoder Attributes
and Values table.
• For a File format: Enter the file type exactly as written in the Format Decoder Attributes and
Values table.
Note: The internal representation of a decoding path includes a colon (:) between each
value. The colons are removed from the Alert Detail page for display purposes, but
may be useful to more accurately define your decoding path.

• To find a PDF file: Enter :PDF (this will match when a PDF file is detected, but not when a file
of another type is named .pdf)
• To find HTTP: Enter :HTTP (this will match an HTTP session, but not a file name that
happens to contain the characters HTTP somewhere inside it). The colon anchors only the
left side of the match, so a path element that begins with HTTP would still match; to match
one element exactly, anchor the right side as well, for example :HTTP(:|$).
For more information about using regular expressions refer to Regular Expressions in Fidelis XPS.
Refer to Define a Channel Fingerprint for more information about creating this fingerprint.

Attribute Value Regular Expression


Enter a regular expression to define a value for an attribute.
At the Channels>Conditions page:
Enter a regular expression to specify values for an attribute. For example:

• For an email address, enter: john\.doe@company\.com


• For an email domain, enter: @company\.com
• For a file extension: \.pdf$
• For a URL: www\.site\.com
Periods are metacharacters that must be escaped with a backslash (\).
The internal representation of an attribute value is enclosed in double quotes, for example:
"subject". To include a double quote within an attribute value regular expression, you must escape
it with a backslash (\), for example, \"subject\" represents the string subject with beginning and
ending double quote characters.
Examples for certificate values:

• For the Key Length parameter enter: 1024.


• For the Key Usage parameter enter: Digital Signature, Key Agreement, or CRL Signing



• For the Extended Key Usage parameter enter: Code Signing, Time Stamping, Or Server
Authentication
For more information about using regular expressions refer to Regular Expressions in Fidelis XPS .
Refer to Define a Channel Fingerprint for more information about creating this fingerprint.
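The patterns from this section and from Decoding Path Regular Expression, together with the in, not in, and all selectors described under Define Attributes and Define Decoding Path, as an added example that is not Fidelis code. It builds colon-separated decoding paths and double-quoted attribute values as the guide describes the internal representation, then runs the guide's own patterns and a few of their failure modes over them: an unescaped period matching a look-alike domain, an unanchored domain matching a longer suffix, and the left-only anchoring of :HTTP. The element order in the constructed paths (protocol, type, file name) is an assumption; only the colon separators matter for the patterns shown.

```python
"""Match decoding paths and attribute values the way the guide describes.

Added example (not Fidelis code). It models the colon-separated internal
decoding path, the double-quoted internal form of an attribute value, and
the in / not in / all selectors, using regular expressions as the guide does.
The element order in the constructed paths (protocol, type, file name) is an
assumption; only the colon separators matter for the patterns shown.
"""
import re


def internal_path(elements):
    """Join decoding-path elements with ':' as the internal representation does."""
    return ":".join(elements)


def quoted(value):
    """Internal form of an attribute value: the value enclosed in double quotes."""
    return '"%s"' % value


def element_pattern(name):
    """Match NAME as a whole path element, anchored on both sides.

    ':NAME' alone anchors only the left side, so an element such as
    'HTTPguide.doc' would still match ':HTTP'; this pattern does not.
    """
    return r"(^|:)" + re.escape(name) + r"(:|$)"


def matches(mode, patterns, subject):
    """Apply the in / not in / all selector to a list of regexes.

    in:     at least one pattern matches (same as all when there is one pattern)
    all:    every pattern matches
    not in: no pattern matches
    """
    hits = [re.search(p, subject) is not None for p in patterns]
    if mode == "in":
        return any(hits)
    if mode == "all":
        return all(hits)
    if mode == "not in":
        return not any(hits)
    raise ValueError("selector must be in, not in, or all: %r" % mode)


# Constructed decoding paths.
REAL_PDF = internal_path(["TCP", "HTTP", "PDF", "report.pdf"])       # a real PDF over HTTP
FAKE_PDF = internal_path(["TCP", "SMTP", "exe", "invoice.pdf"])      # an executable named .pdf
HTTP_NAMED = internal_path(["TCP", "SMTP", "doc", "HTTPguide.doc"])  # file name starting with HTTP

# Constructed attribute values in their internal quoted form.
SUBJECT = quoted("Re: subject of the meeting")
MAIL_OK = quoted("bob@company.com")
MAIL_TYPO = quoted("bob@companyzcom.example")         # an unescaped '.' matches this
MAIL_SUFFIX = quoted("bob@company.com.evil.example")  # suffix bypass of an unanchored domain


def checks():
    """Return the guide's examples and the caveats as a name -> bool dict."""
    return {
        "colon_PDF_real": matches("in", [":PDF"], REAL_PDF),
        "colon_PDF_fake": matches("in", [":PDF"], FAKE_PDF),
        "ext_pdf_fake": matches("in", [r"\.pdf$"], FAKE_PDF),
        "colon_HTTP_filename": matches("in", [":HTTP"], HTTP_NAMED),
        "element_HTTP_filename": matches("in", [element_pattern("HTTP")], HTTP_NAMED),
        "element_HTTP_real": matches("in", [element_pattern("HTTP")], REAL_PDF),
        "all_http_and_pdf": matches("all", [":HTTP", r"\.pdf$"], REAL_PDF),
        "all_http_and_pdf_fake": matches("all", [":HTTP", r"\.pdf$"], FAKE_PDF),
        "not_in_exe_zip": matches("not in", [":exe", ":zip"], REAL_PDF),
        "subject_loose": matches("in", ["subject"], SUBJECT),
        "subject_exact": matches("in", [r'\"subject\"'], SUBJECT),
        "subject_exact_hit": matches("in", [r'\"subject\"'], quoted("subject")),
        "domain_unescaped_typo": matches("in", ["@company.com"], MAIL_TYPO),
        "domain_escaped_typo": matches("in", [r"@company\.com"], MAIL_TYPO),
        "domain_escaped_suffix": matches("in", [r"@company\.com"], MAIL_SUFFIX),
        "domain_anchored_suffix": matches("in", [r'@company\.com\"'], MAIL_SUFFIX),
        "domain_anchored_ok": matches("in", [r'@company\.com\"'], MAIL_OK),
    }


if __name__ == "__main__":
    for name, result in checks().items():
        print("%-26s %s" % (name, result))
```

The anchored domain pattern uses the closing quote of the internal representation, escaped as the section describes, so it only matches when the domain is the end of the address; that is the difference between a blacklist entry that catches bob@company.com.evil.example and one that does not.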

Define Date Attributes


Date Attributes allow you to define a Channel fingerprint by matching date parameters extracted by
the Fidelis XPS decoding software. For example, you can specify dates to extract information about
a file's creation or modification date.

• Label is the name of a Fidelis XPS decoder.

• Parameter is the name of the attribute to match. Creation Date is the date the file was
created. Modified Date is the date the file was changed.
• Date Type enables you to select from Absolute, Relative, or Future.
To define a date attribute:
At the Channels>Conditions page, define date attributes:

1. Select Date Attributes at the Select parameter list. The Conditions page displays for Date
Attributes.

Figure 19 . Channels: Date Attributes

2. Select in or not in. Use in to match any of the defined date attributes. For example, a creation
date within a defined range OR a creation date within the last twenty-four hours OR a creation
date in the future. Use not in to match anything that is not listed, for example, neither a
creation date within a specified range nor a creation date in the future.

3. Select a label from the Label list, if needed. This is the label generated by the format decoder.
Refer to Format Decoder Attributes and Values for a complete list.

4. Select a parameter specific to the application. The list will change based on the selected
Label. If no Label is selected all possible attribute values will be available.
5. For Date Type, select either Absolute, Relative, or Future.
• Absolute: Enter a start date and an end date. A positive match will be an extracted date
within the defined range, inclusive of the start and end dates. For example all files with a
creation date between December 3, 2010 and January 15, 2011.
• Relative: Define the number of days and hours to match against the current sensor time
at the time the network transfer is detected. Use relative to define, for example, any
executable with a creation date within the last twelve hours or seven days.



• Future: Select a Relative Future Time. If you choose 0 days and 0 hours, the sensor will
match any date that is in the future relative to the current sensor time. If you choose to
bound the match by setting a non-zero time, the sensor will match any date between the
current sensor time and the provided days and hours in the future. An example use of
Relative Future Time is the detection of a certificate that is nearly expired.

6. Click Add and your attribute definition will move to the box on the right.
7. Click Save changes after adding all attribute definitions. You can also click Policy Wizard to
save changes and proceed to the next step in creating and assigning a policy. Refer to Policy
Wizard.
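The Absolute, Relative, and Future comparisons above, as an added example that is not Fidelis code. Each helper returns a predicate over the date extracted from the file and the sensor's current time, with the edge rules the section gives: absolute ranges inclusive of both ends, a Relative window counted back from sensor time, and 0 days 0 hours in Future meaning any later date. The sensor time, the extracted dates, and the use of a Future window on a certificate's expiry date (the parameter name the format decoder exposes for it is not shown on this page) are constructed or assumed for the example.

```python
"""Compare extracted dates with Absolute, Relative, and Future date attributes.

Added example (not Fidelis code): each helper returns a predicate taking the
date extracted from the file and the sensor's current time, with the edge
rules the guide gives (absolute ranges inclusive; 0 days 0 hours meaning any
future date). Parameter names such as a certificate expiry date are assumed.
"""
from datetime import datetime, timedelta


def absolute(start, end):
    """Absolute: extracted date within [start, end], inclusive of both ends."""
    if end < start:
        raise ValueError("end must not be before start")
    return lambda extracted, now: start <= extracted <= end


def relative(days=0, hours=0):
    """Relative: extracted date within the given window before sensor time."""
    window = timedelta(days=days, hours=hours)
    if window <= timedelta(0):
        raise ValueError("relative window must be positive")
    return lambda extracted, now: now - window <= extracted <= now


def future(days=0, hours=0):
    """Future: 0 days and 0 hours matches any date after sensor time;
    a non-zero window matches dates between now and now + window."""
    window = timedelta(days=days, hours=hours)

    def check(extracted, now):
        if extracted <= now:
            return False
        return window == timedelta(0) or extracted <= now + window
    return check


def date_condition(mode, predicates):
    """in: any listed predicate matches; not in: none of them matches."""
    if mode not in ("in", "not in"):
        raise ValueError("selector must be in or not in")

    def check(extracted, now):
        hit = any(p(extracted, now) for p in predicates)
        return hit if mode == "in" else not hit
    return check


# Constructed sensor time and the guide's own examples.
NOW = datetime(2011, 1, 10, 12, 0, 0)
created_in_range = absolute(datetime(2010, 12, 3), datetime(2011, 1, 15, 23, 59, 59))
created_last_12h = relative(hours=12)
created_last_week = relative(days=7)
dated_in_future = future()             # any future date, e.g. a forged timestamp
expires_within_week = future(days=7)   # assumed use: a certificate's expiry date

# An 'in' condition as in the Figure 19 description: in range OR last 24 hours OR future.
suspicious_creation = date_condition("in", [created_in_range, relative(hours=24), dated_in_future])


def evaluate(extracted, now=NOW):
    """Return the outcome of each predicate for one extracted date."""
    return {
        "in_range": created_in_range(extracted, now),
        "last_12h": created_last_12h(extracted, now),
        "last_week": created_last_week(extracted, now),
        "future": dated_in_future(extracted, now),
        "expires_within_week": expires_within_week(extracted, now),
        "suspicious_creation": suspicious_creation(extracted, now),
    }


if __name__ == "__main__":
    for label, when in [("3h ago", NOW - timedelta(hours=3)), ("30d ago", NOW - timedelta(days=30)),
                        ("3d ahead", NOW + timedelta(days=3)), ("30d ahead", NOW + timedelta(days=30))]:
        print(label, evaluate(when))
```

The bounded Future window is the one that gives "nearly expired": a certificate whose expiry is 30 days out is in the future but not within the 7-day window, while one 3 days out matches both.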

Email Recipients
Email Recipients enables you to define a Channel fingerprint that contains an email whitelist or
blacklist for email protocols including: IMAP and SMTP.
To define Email Recipients:

1. Select Email Recipients as the parameter.

Figure 20. Channels:Email Recipients

2. Select in or not in. Use in to match any email recipient in the list. Use not in to match email
recipient not in the list.
3. Enter a string such as a domain name into the text box as a regular expression.
4. Click Add and your attribute definition will move to the box on the right.
5. Click Save changes after adding all Email Recipients. You can also click Policy Wizard to
save changes and proceed to the next step in creating and assigning a policy. Refer to Policy
Wizard.

Edit a Channel Fingerprint


You can edit an existing channel. To do this:

1. Click the appropriate fingerprint and click Edit.

2. You can edit Comments at the General page. You can also change the name if the fingerprint
is not included in a rule.

3. Click the Conditions link.

4. Click Edit. The Edit>Conditions page displays. You can add additional conditions and delete
existing conditions as needed.

• Enter new information and click Add to add conditions as needed. Refer to Define a
Channel Fingerprint.



• Click the condition within the TRUE If text box. The condition moves into the edit portion
of the page. The rest of the page changes to reflect the selected condition.

• To delete a specific condition, do one of the following:
  At the value text box, select the condition and click Delete Selected. The selected
  condition is removed from the value text box.
  In the conditions page, click Delete next to the condition.
  To delete the Format Data Size parameter, select it and click Clear.

5. Click Save changes.


You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.

Decoder Attributes for Channels


Channel attributes are specific to the decoder of a network transmission. Fidelis XPS contains
protocol and format decoders, and each has specific attributes. Attribute information is important
when creating efficient channel fingerprints.
To support wildcards, the CommandPost GUI provides a menu of all attributes for all protocols and
file formats, however, only some are applicable to any given protocol. Within the Label drop down
menu, upper-case options refer to protocol decoders, while lower-case options refer to file format
decoders.

Fidelis XPS Decoders


Fidelis XPS contains protocol and format decoders, and each has specific attributes. All decoders,
however, include the MD5 attribute.


Protocol Decoder Attributes and Values
All supported protocols are listed in the table below. This table provides the complete list of all
attributes available for each supported protocol. In some cases, attributes have a well-defined list of
possible values and are represented in the Values column. When the attribute has an undefined
content, the Values column is left blank (in these cases, the value will be extracted from the
network transmission).
Different sensors decode different protocols depending on the sensor type and the license key.
Table 2. Protocol decoder attributes and values

AIM (AOL Instant Messenger)
  Attributes: Encrypted, Filename, From, To, User

AIMEXPRESS (a Web version of AOL Instant Messenger)
  Attributes: Filename, From, To, User

AOLMAIL (a Web version of AOL)
  Filename: the filename of the mail attachment
  From: sender's email address
  Mode: indicates send or read email for the detected email body, or upload or download
  file for the detected attachment
  Subject: subject of the email
  To: recipient's email address
  User: user's email address

BADOO (a social networking web site)
  Attributes: none listed

BITTORRENT (a peer-to-peer communications protocol for file sharing; content is not decoded)
  Attributes: Filename

COMCASTMAIL (webmail)
  Attributes: Filename, From, Mode, Subject, To, User (same definitions as AOLMAIL)

CVS (Concurrent Versions System; a client-server free software revision control system)
  Attributes: Root, User

DB2 (a relational model database server)
  Attributes: Cipher, Database, Encrypted, From, Midstream (True or False), Quality, SQL, To,
  User

DNS (the Domain Name System is a hierarchical distributed naming system for computers,
services, or any resource connected to the Internet or a private network; the DNS protocol
translates host names into IP addresses)
  DNS is only supported when the DNS Decoder is enabled on a Direct or Internal sensor.
  Attributes: Host

EARTHLINKMAIL (webmail)
  Attributes: Filename, From, Mode, Subject, To, User (same definitions as AOLMAIL)

EDONKEY (a peer-to-peer file sharing network; content is not decoded)
  Attributes: Host, User

EMUMAIL (webmail)
  Attributes: Filename, From, Mode, Subject, To, User (same definitions as AOLMAIL)
EXCHANGE Microsoft Exchange Cipher


provides email, calendar, (Includes NT
and contacts on personal Lan Manager
computers, phones, and (NTLM) or
web browsers. Kerberos
Includes MAPI authentication)
(Messaging Application Refer to Quality, Encryption
Program Interface) a Encrypted String, and Hash Values.
Microsoft Windows
program interface that Filename
enables users to send
From
emails from within a
Windows application Midstream
such as word
processors, Quality
spreadsheet, and
graphics applications. Server
Subject

To
UID
User

A social networking web From


FACEBOOK site
Mode
Profile
Subject
To
UID

Fidelis XPS Guide to Creating Policies 49


Protocol decoder Protocol decoder Attribute Definition/Values
description strings

User

FIX Client
The Financial
Information eXchange
Server
(FIX) protocol is a
messaging standard User
developed specifically for
the real-time electronic
exchange of securities
transactions.
FRIENDSTER A social gaming site

FTP Command Get or Put


File Transfer Protocol; a
standard network Filename
protocol used to copy a
file from one host to Mode Passive or Normal
another over a TCP-
based network Stream Type Data Transfer or Control
User
GNUTELLA A large, decentralized
peer-to-peer network
Content is not decoded.
GOOGLEMAIL Web mail Filename The filename of the
attachment
From Sender's email address
Mode Indicates the send or
read email for the detected
email body or upload or
download file for the
detected attachment.
Subject Subject of the email
To Recipient's email address
User User's email address

GOOGLETALK Freeware instant Filename


messaging and voice
over Internet (VoIP) From
protocol client
application To
User

GOOGLE_WEBIM A chat widget for Google From


talk users to use on
various Google web sites Mode
such as gmail. To
User

HI5 A social networking site

Fidelis XPS Guide to Creating Policies 50


Protocol decoder Protocol decoder Attribute Definition/Values
description strings

HORDEMAIL Webmail Filename The filename of the


attachment
From
Sender's email address
Mode
Indicates the send or
read email for the detected
email body or upload or
download file for the
detected attachment
Subject
Subject of the email
To
Recipient's email address
User
User's email address

HOTMAIL Webmail Filename The file name of the


attachment
From Sender's email address
Mode Indicates the send or
read email for the detected
email body or upload or
download file for the
detected attachment
Subject Subject of the email
To Recipient's email address
User User's email address

HTTP Hypertext Transfer Command


Protocol, a
networking protocol Connection
that is the foundation
of data Filename
communication for From
The World Wide Web
Host
Location
Malformed Client sends no data
Midstream
Mode
Proxy
Proxy Port
Referer
Server
Server Port Yes
Status Code
To

Fidelis XPS Guide to Creating Policies 51


Protocol decoder Protocol decoder Attribute Definition/Values
description strings

Tunnel
URL
User
User Agent
Via
X-Forwarded-
For
IMAP4 Internet Message From
Application Protocol a
prevalent Internet Subject
standard protocol for
To
email retrieval
User
IPTUNNEL Used when one network Tunnel String with a defined format
protocol (the delivery
protocol) encapsulates a (TYPE IP1:PORT1 IP2:PORT2)
different payload PORT 1 and PORT 2 apply only
protocol. to Teredo tunnels. Type can be
Prevention is disabled one of the following:Teredo, 6in4,
for this decoder. 6to4, GRE, IPIP, IPsec
IPsec Internet Protocol Encrypted ESP
Security (IPsec) is a
protocol suite for Mode Transport or Tunnel
securing IP
communications by Protocol AH,ESP or AH+ESP
authenticating and
encrypting each IP
packet of a
communication session.
IPsec also includes
protocols for establishing
mutual authentication
between agents at the
beginning of the session
and negotiation of
cryptographic keys to be
used during the session.
Prevention is disabled
for this decoder.
IRC Internet Relay Chat, a From
form of real-time,
Internet text messaging To
User
JABBER A protocol developed by Filename
the Jabber open source
community for near-real- From
time, extensible instant
messaging (IM), To
presence information, User
and contact list.

Fidelis XPS Guide to Creating Policies 52


Protocol decoder Protocol decoder Attribute Definition/Values
description strings

KAZAA Kazaa Media Desktop


was used to exchange
MP3 music files and
other file types, such as
videos, applications, and
documents over the
Internet.
Content is not decoded.
LDAP Authentication SASL or SIMPLE
The Lightweight
Directory Access Command bind, search, add, delete, modify,
Protocol (LDAP) is an search result
application protocol for
reading and editing DN distinguished name or string
directories over an IP
network. Midstream True or False
Mode Add, replace, delete

User

LINKEDIN Social networking site From


Mode
Subject
To
UID
User

MSNIM Windows Live Encrypted


Messenger (formerly
named MSN Messenger) Filename
is an instant messaging
client created by From
Microsoft and is
To
designed to work with
Microsoft Windows User
platforms.
MSN_WEBIM The web-based version From
of Windows Live
Messenger. Mode
To
User

MSSQL Microsoft SQL Server is


a relational model
database server. Its
primary query languages
are T-SQL and ANSI
SQL.
Content is not decoded.

MYSPACE Social networking site From

Fidelis XPS Guide to Creating Policies 53


Protocol decoder Protocol decoder Attribute Definition/Values
description strings

Mode
Subject
To
UID
User

NEOMAIL Webmail Filename The filename of the


attachment
From Sender's email address
Mode Indicates the sender or
Read email for the detected
email body or upload or
download file for the
detected attachment
Subject Subject of the email.
To Recipient's email address
User User's email address

NING Social networking site


An object-relational Cipher Refer to Quality, Encryption
ORACLE database management String, and Hash Values.
system (ORDBMS) Client
Note: By default the Database
Oracle decoder uses the
standard Windows CP Encrypted
1252 character set for
American English. For From
international character
sets, the Oracle decoder Midstream
uses the first character Quality
set defined in the
Language Configuration SQL
page of the sensor
configuration. Refer to Server
chapter 13 in the User
To
Guide. These defaults
can be overwritten by User
editing the Oracle
configuration file.
ORKUT Social networking site

OWAMAIL Web mail Filename The filename of the


attachment
From Sender's email address
Mode Indicates the send or
read email for the detected
email body or upload or

Fidelis XPS Guide to Creating Policies 54


Protocol decoder Protocol decoder Attribute Definition/Values
description strings

download file for the


detected attachment
Subject Subject of the email
To Recipient's email address
User User's email address

PLAXO Social networking site From


Mode
Subject
To
UID
User

POISON IVY A remote access tool Encrypted Camelia


Version
POP3
Post Office Protocol User
(POP) is an application-
layer Internet standard
protocol used by local
email clients to retrieve
email from a remote
server over a TCP/IP
connection.
RDP Remote Desktop
Protocol (RDP) is a
proprietary protocol
developed by Microsoft,
that provides a user with
a graphical interface to
another computer.
Content is not decoded.
RFB Remote Frame Authentication VNC, RA2 ,RA2ne, SSPI, SSPIne
Buffer, an open , TightVNC, UltraVNC , TLS,
protocol for remote VeNCrypt TLS,
desktop GTK-VNC SASL,
MD5 Hash, Colin Dean xvp
Version
RTMP Recognizes and
decodes the Real Time
Messaging Protocol
(RTMP) was developed
for streaming audio,
video and data over the
Internet, between a
Flash player and a
server.
Content is not decoded.

Fidelis XPS Guide to Creating Policies 55


Protocol decoder Protocol decoder Attribute Definition/Values
description strings

RTSP Real Time Streaming


Protocol (RTSP) is a
network control protocol
designed for use in
entertainment and
communications systems
to control streaming
media servers. The
protocol is used for
establishing and
controlling media
sessions between end
points.
Content is not decoded.
SHAREPOINT collaboration software Filename Name of the file being
transferred
Mode Upload, download, post,
and view
Title Site name
User User name

SIP A signaling protocol CallID


widely used to set up
Voice over IP and Video Command INVITE, REGISTER,
over IP calls. MESSAGE, etc.
SIP can create, modify
and terminate two-party Contact
or multiparty sessions.
From
Each session may
consist of one or several Media String with a defined format.
media streams. media port, protocol, codecs
Server
Subject
To
User-Agent
Via

SKYPE
An application that
allows users to make
voice calls and chats
over the Internet.
Content is not decoded.
Note: The Skype
decoder does not
provide content
decoding. To reduce the
number of alerts, Skype
provides one alert per
Skype client, not per
session. However, the
action (prevent or

Fidelis XPS Guide to Creating Policies 56


Protocol decoder Protocol decoder Attribute Definition/Values
description strings

throttle) is applied to all


the sessions from the
Skype client.
SMB Server Message Block Client
(SMB) operates as an
application-layer network Directory
protocol used to provide
shared access to files, Domain
printers, serial ports, and
Filename
miscellaneous
communications Midstream True or False
between nodes on a
network. Read/write Read, write, read& write
Share
User
Version SMB 1 and SMB 2

SMTP Client
Simple Mail Transfer
Protocol (SMTP) an Encrypted TLS
Internet standard
foremail transmission From
across IP networks.
Malformed Client sent no data
Server
To
User
SQUIRRELMAIL Webmail Filename The filename of the
attachment
From Sender's email address
Mode Indicates the send or
read email for the detected
email bode or upload or
download file for the
detected attachment
Subject Subject of the email
To Recipient's email address
User User's email address

SSH Secure Shell or SSH is a Cipher Refer to Quality, Encryption,


network protocol that String and Hash Values.
allows data to be
exchanged using a Client
secure channel between
two networked devices. Encrypted SSH
Content is not decoded.
Hash
Quality

SSL Secure Sockets Layer Cipher Refer to Quality, Encryption

Fidelis XPS Guide to Creating Policies 57


Protocol decoder Protocol decoder Attribute Definition/Values
description strings

(SSL) is a cryptographic String, and Hash Values.


protocol that provides
communications security Command
over the Internet. Encrypted SSL or TLS
Content is not decoded. Hash
Malformed Bad record length from client
Bad record length from server
Mode Decrypted SSL (Only with SSL
Inspector)
Quality Refer to Quality, Encryption
String, and Hash Values.
Suspicious
Version 2.0 or 3.0
TELNET User
Telnet is a network
protocol that provides
communications using a
virtual terminal
connection.
Trivial File Transfer Filename
TFTP Protocol (TFTP) is a file
transfer protocol Mode netascii or oclet
generally used for
automated transfer of Read/Write Read or write
configuration or boot files
To
between machines in a
local environment. User User email address if used in the
Note: TFTP over UDP obsolete mail mode
can only be prevented
when detected by a
network sensor
configured for inline
mode.
TLS Transport Layer Security Cipher Refer to Quality, Encryption
(TLS) is a cryptographic String, and Hash Values.
protocol that provides
communications security Command
over the Internet. Encrypted SSL or TLS
Hash
Malformed Bad record length from client
Bad record length from server
Mode Unused
Quality Refer to Quality, Encryption
String, and Hash Values.
Suspicious
Version 1.0,1.1, and 1.2
TWITTER An online social
networking and
microblogging service

VERIZONMAIL Webmail Filename The filename of the


attachment

Fidelis XPS Guide to Creating Policies 58


Protocol decoder Protocol decoder Attribute Definition/Values
description strings

From Sender's email address


Mode Indicates the send or
read email for the detected
email body or upload or
download file for the
detected attachment
Subject Subject of the email
To Recipient's email address
User User's email address

WEBSOCKET WebSocket is a web Host


technology providing full-
duplex communications Server
channels over a single
TCP connection.
X11
A computer software
system and network
protocol that provides a
basis for graphical user
interfaces (GUI) for
networked computers.
Content is not decoded.

YAHOOMAIL Web mail Filename The filename of the


attachment
From Sender's email address
Mode Indicates the send or
read email for the detected
email body or upload or
download file for the
detected attachment
Subject Subject of the email
To Recipient's email address
User User's email address

YAHOO_WEBIM Yahoo instant Filename


messenger for the web
From
Mode
To
User
YMSG Filename
Yahoo Messenger
Protocol is the From
underlying network
protocol used by the Mode
Yahoo Messenger
To File Transfer

Fidelis XPS Guide to Creating Policies 59


Protocol decoder Protocol decoder Attribute Definition/Values
description strings

instant messaging client User

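The IPTUNNEL decoder's Tunnel attribute is the one value in Table 2 with a defined string format, and its Teredo rule (ports present only for that type) is easy to get wrong when a policy parses it. The following is an added example, not Fidelis code: it parses constructed Tunnel strings of the form TYPE IP1:PORT1 IP2:PORT2, enforces the Teredo port rule, and flags tunnels whose endpoints fall outside a set of trusted networks. The whitespace separator and the trusted-network check are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Tunnel types the IPTUNNEL decoder reports in its Tunnel attribute (Table 2).
TUNNEL_TYPES = {"Teredo", "6in4", "6to4", "GRE", "IPIP", "IPsec"}


@dataclass(frozen=True)
class TunnelValue:
    tunnel_type: str
    ip1: str
    ip2: str
    port1: Optional[int] = None
    port2: Optional[int] = None


def _parse_endpoint(token: str, with_port: bool) -> tuple[str, Optional[int]]:
    """Split one 'IP' or 'IP:PORT' token and validate the address part."""
    if with_port:
        ip, sep, port_text = token.rpartition(":")
        if not sep or not port_text.isdigit():
            raise ValueError(f"expected IP:PORT, got {token!r}")
        port = int(port_text)
        if not 0 < port <= 65535:
            raise ValueError(f"port out of range in {token!r}")
    else:
        ip, port = token, None
    ipaddress.ip_address(ip)  # raises ValueError if this is not a v4/v6 address
    return ip, port


def parse_tunnel(value: str) -> TunnelValue:
    """Parse a Tunnel attribute string 'TYPE IP1:PORT1 IP2:PORT2'.

    Per Table 2, PORT1 and PORT2 apply only to Teredo tunnels; every other
    type carries bare addresses. Whitespace separation is an assumption.
    """
    parts = value.split()
    if len(parts) != 3:
        raise ValueError(f"expected 'TYPE IP1 IP2', got {value!r}")
    tunnel_type, ep1, ep2 = parts
    if tunnel_type not in TUNNEL_TYPES:
        raise ValueError(f"unknown tunnel type {tunnel_type!r}")
    with_port = tunnel_type == "Teredo"
    ip1, port1 = _parse_endpoint(ep1, with_port)
    ip2, port2 = _parse_endpoint(ep2, with_port)
    return TunnelValue(tunnel_type, ip1, ip2, port1, port2)


def is_valid_tunnel(value: str) -> bool:
    """True when the string is a well-formed Tunnel attribute value."""
    try:
        parse_tunnel(value)
        return True
    except ValueError:
        return False


def find_foreign_tunnels(values, trusted_networks):
    """Return parsed tunnels with at least one endpoint outside trusted_networks.

    A tunnel terminating outside the address space you administer is the
    case a defender usually wants surfaced (assumed policy, not the guide's).
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for value in values:
        tunnel = parse_tunnel(value)
        for ip in (tunnel.ip1, tunnel.ip2):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in nets):
                flagged.append(tunnel)
                break
    return flagged


# Constructed sample Tunnel values (not captured from a real sensor).
SAMPLE_TUNNELS = [
    "Teredo 192.0.2.10:3544 198.51.100.7:61234",
    "6to4 192.0.2.11 192.88.99.1",
    "GRE 10.1.1.1 10.1.1.2",
    "IPIP 10.1.1.3 203.0.113.9",
]
# Constructed trusted ranges for the example.
TRUSTED_NETWORKS = ["10.0.0.0/8", "192.0.2.0/24"]

if __name__ == "__main__":
    for t in find_foreign_tunnels(SAMPLE_TUNNELS, TRUSTED_NETWORKS):
        print(f"{t.tunnel_type}: {t.ip1} -> {t.ip2}")
```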
Format Decoder Attributes and Values


Similar to protocol decoders, format decoders can extract specific attributes and values. The
following table defines each of the format decoders and lists any applicable attribute strings and
values.
Table 3. Format decoder attributes

Each entry gives the format decoder name, its definition, and the attribute strings it exposes, with values where they are defined.

7z
    Definition: A file that contains one or more compressed files. Attribute strings do not apply to supported compression utilities such as zip.
    Attributes:
        Cipher: Refer to Quality, Encryption String, and Hash Values
        Compression Method
        Creation Date
        Filename
        Hash
        Modification Date
        Quality
        Type: Anti-Item

air
    Definition: Adobe AIR is a developer's tool for creating platform-independent web applications that can be run on a user's desktop.
    Attributes:
        Cipher: Refer to Quality, Encryption String, and Hash Values
        Compression Method
        Filename
        Quality

base64
    Definition: An encoding method that converts binary data into ASCII text and vice versa.
    Attributes: Suspicious

binary
    Definition: A binary file
    Attributes:
        Suspicious: XOR (key value); Pad (pad length); XOR (key value) and Pad (pad length)

binhex
    Definition: BinHex, short for binary-to-hexadecimal, is a binary-to-text encoding system used on the Mac OS for sending binary files through email.
    Attributes: Filename

bmp
    Definition: Bitmap Image File
    Attributes: none

bzip2
    Definition: An open source data compression program.
    Attributes: Filename

certificate
    Definition: An electronic document that uses a digital signature to verify identity.
    Attributes:
        End Date
        Extended Key Usage: Server Authentication, Client Authentication, Code Signing, Email Protection, Time Stamping, OCSP Signing; Unknown if not defined in RFC 3280
        Issuer Name: If the ON entry in both the Issuer and Subject fields is the same, the value will be ON Self-Signed Certificate
        Key Length: Number of bits
        Key Usage: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Signing, CRL Signing, Encipher Only, Decipher Only; Unknown if not defined in RFC 3280
        Start Date
        Subject Name
        Type: X509 Certificate or Unrecognized Certificate

chunked
    Definition: An encoding method that allows data to be returned in chunks.
    Attributes: none

deflate
    Definition: An algorithm that compresses data without any loss.
    Attributes: none

embedded-image
    Definition: An embedded image
    Attributes: Filename

embedded-object
    Definition: Embedded text or file
    Attributes: Filename, Stream type

exe
    Definition: The Executable file decoder extracts attributes of the file, including the operating system, the file type (library or executable), and the creation date. Contents are decoded to extract readable text or strings from applicable sections of the executable, such as the import table, export table, resource table, symbol table, and string table.
    Attributes:
        Binary Type: Library or Executable
        Compression Method
        Creation Date: Can only be captured on Windows applications
        ImpHash: Import Table Hash
        OS Family: Android, Linux/Unix, Windows or DOS, MacOS/OSX
        Packed: The packer program used, such as UPX
        Type

fix-format
    Definition: Financial Information eXchange (FIX) XML and tag-value messages.
    Attributes: Filename

flash
    Definition: Detects compressed and uncompressed Flash files such as swf, flv, or f4v files. Text content is decoded and any executable ActionScript is extracted for user analysis.
    Attributes: Filename

gif
    Definition: Graphics Interchange File
    Attributes: none

gzip
    Definition: A file compression program
    Attributes: Filename

html
    Definition: Hyper Text Markup Language
    Attributes: none

image
    Definition: An image
    Attributes: none

java-class
    Definition: Detects and decodes java class files.
    Attributes: none

javascript
    Definition: JavaScript is a scripting language that can be embedded directly in HTML source of Web pages and also in PDF applications outside of web pages.
    Attributes: Filename

jpeg
    Definition: Joint Photographic Experts Group, a compression method for digital images
    Attributes: none

keynote
    Definition: Presentation program for Apple iWork
    Attributes: Author, Filename

mail
    Definition: Email messages that do not include MIME formatted data
    Attributes: From, Subject, To

message
    Definition: Any set of transmitted data. Searches for messages transmitted in 7-bit, 8-bit, and binary transfer encodings.
    Attributes: none

mime
    Definition: Multipurpose Internet Mail Extensions, the most common method of transmitting non-text files via Internet email.
    Attributes:
        Filename
        From
        Subject
        To
        User
        XHeader: Customizable

ms-access-mdb
    Definition: Microsoft Excel
    Attributes: Filename

ms-excel
    Definition: Microsoft Excel
    Attributes:
        Author
        Cipher: Refer to Quality, Encryption String, and Hash Values.
        Creation Date
        Filename
        Header/Footer: The header or footer found within a Microsoft Excel document
        Modification Date
        Quality

ms-msg
    Definition: Microsoft Outlook message
    Attributes: From, Subject, To

ms-office
    Definition: Microsoft Office. Includes the stream format type extracted by ms-office decoders.
    Attributes: Author, Creation Date, Filename, Header/Footer, Modification Date

ms-powerpoint
    Definition: Microsoft PowerPoint
    Attributes:
        Author
        Creation Date
        Filename
        Header/Footer: The header or footer found within a Microsoft PowerPoint document
        Modification Date

ms-rtf
    Definition: Microsoft rich text format
    Attributes:
        Creation Date
        Filename
        Header/Footer: The header or footer found within a Microsoft rich text format document
        Modification Date

ms-visio
    Definition: Microsoft Visio
    Attributes: Author, Creation Date, Filename, Header/Footer, Modification Date

ms-word
    Definition: Microsoft Word
    Attributes:
        Author
        Cipher: Refer to Quality, Encryption String, and Hash Values.
        Creation Date
        Filename
        Header/Footer: The header or footer found within a Microsoft Word document
        Modification Date
        Quality

multipart
    Definition: Multipart mime decoder; handles emails sent with attachments.
    Attributes: none

numbers
    Definition: Spreadsheet program for Apple iWork
    Attributes: Author, Filename

oasis-document
    Definition: Openoffice text document decoder
    Attributes:
        Creation Date
        Filename
        Header/Footer: The header or footer found within an Openoffice text document
        Modification Date

oasis-presentation
    Definition: Openoffice presentation decoder
    Attributes:
        Creation Date
        Filename
        Header/Footer: The header or footer found within an Openoffice presentation document
        Modification Date

oasis-spreadsheet
    Definition: Openoffice spreadsheet decoder
    Attributes:
        Creation Date
        Filename
        Header/Footer: The header or footer found within an Openoffice spreadsheet document
        Modification Date

pages
    Definition: Word processing and page layout program for Apple iWork
    Attributes: Author, Filename

pdf
    Definition: Portable Document Format or PDF documents are easily readable with the freely available Adobe Reader.
    Attributes:
        Author
        Cipher: Refer to Quality, Encryption String, and Hash Values.
        Creation Date
        Filename
        Header/Footer
        Modification Date
        Title

pgp
    Definition: Pretty Good Privacy or GNU Privacy Guard (gpg). PGP-encrypted binary and executable files can be recognized by the encrypted files analyzer, with extraction of encryption attributes.
    Attributes:
        Cipher: Refer to Quality, Encryption String, and Hash Values.

pkcs
    Definition: The signature decoder extracts attributes of the file such as the signature issuer name and the signing time if the file is signed.
    Attributes:
        Issuer Name: Signed or name of signature certificate issuer
        Signing Time: Signature signing time

postscript
    Definition: PostScript, a standard page description language (PDL) developed by Adobe. Most printers support PostScript with a built-in interpreter.
    Attributes: none

png
    Definition: Portable Network Graphics File Format
    Attributes: none

quoted-printable
    Definition: An encoding method that converts binary data into ASCII text.
    Attributes: none

rar
    Definition: A file format for data compression and archiving.
    Attributes: Compression Method, Filename

rfc822
    Definition: A standard for the format of Arpa Internet Text Messages
    Attributes: none

soap
    Definition: Simple Object Access Protocol
    Attributes: none

stream
    Definition: For multimedia that is constantly received by and presented to an end-user while being delivered by a streaming provider.
    Attributes: none

tar
    Definition: Tape Archive, a UNIX utility that combines several files into one.
    Attributes: Filename

text
    Definition: Text file
    Attributes: none

tiff
    Definition: Tagged Image File Format
    Attributes: none

tnef
    Definition: Transport Neutral Encapsulation Format or TNEF is a proprietary email attachment format used by Microsoft Outlook and by Microsoft Exchange Server.
    Attributes:
        Creation Date: String
        End Date
        Filename
        From
        Modification Date
        Start Date
        Subject

torrent
    Definition: Detects and decodes .torrent files, which are used to describe file locations to the BitTorrent protocol.
    Attributes: Creation Date

urlencode
    Definition: An encoding scheme used in HTTP.
    Attributes: none

uuencode
    Definition: An encoding method that converts binary data into ASCII text.
    Attributes: Filename

WebP
    Definition: Image format that uses compression
    Attributes: none

xfdl
    Definition: Extensible Forms Description Language. An encoding method intended for forms.
    Attributes: Filename

xml
    Definition: Extensible Markup Language used to define data elements on a Web page.
    Attributes: none

ymsg
    Definition: Yahoo Instant Message Decoder
    Attributes: Filename, From, Mode, To, User

zip
    Definition: A file that contains one or more compressed files. Attribute strings do not apply to supported compression utilities such as LHA.
    Attributes:
        Cipher: Refer to Quality, Encryption String, and Hash Values
        Compression Method
        Filename
        Quality

Attributes for Protocol and Format Decoders


The following table defines attributes for protocol and format decoders. These attributes are listed
with each applicable protocol or format decoder.
Table 4. Protocol and format decoder attributes

Each entry gives the decoder attribute, its description, and the decoders that use the attribute.

Authentication
    Description: Authentication method in use for the session
    Used by: LDAP, RFB

Author
    Description: The author or creator of the file
    Used by: keynote, ms-excel, ms-office, ms-powerpoint, ms-visio, ms-word, numbers, pages, pdf

BinaryType
    Description: The type of an executable program file
    Used by: exe

CallID
    Description: Caller ID as found in the SIP session
    Used by: SIP

Cipher
    Description: The algorithm used for encryption of session or file
    Used by: 7z, DB2, EXCHANGE, ORACLE, SSH, SSL, TLS, air, ms-excel, ms-word, pdf, pgp, zip

Client
    Description: Initiator host of the session
    Used by: Fix, Oracle, SMB, SMTP, SSH

Command
    Description: Protocol specific commands such as get or put
    Used by: FTP, HTTP, LDAP, SIP, SSL, TLS

Compression Method
    Description: Algorithm used to compress a file
    Used by: 7z, air, exe, rar, zip

Connection
    Description: Status of the HTTP connection: closed or keep alive, etc.
    Used by: HTTP

Contact
    Description: Contact information as found in the SIP headers
    Used by: SIP

DN
    Description: Distinguished name of an LDAP object
    Used by: LDAP

Database
    Description: Database name
    Used by: DB2, Oracle

Directory
    Description: Directory being accessed in an SMB transaction
    Used by: SMB

Domain
    Description: Domain name associated with the SMB transaction
    Used by: SMB

Encrypted
    Description: Flag denoting that the session was encrypted
    Used by: AIM, DB2, Exchange, IPsec, MSNIM, Oracle, Poison Ivy, SMTP, SSH, SSL, TLS

Evasion Technique
    Description: A technique for modifying attacks to prevent detection
    Used by: tunneling decoders

Extended Key Usage
    Description: Extended usage for public key in X.509
    Used by: certificate

Filename
    Description: Name of the file
    Used by: Almost all protocols and wrapper file formats, including: 7z, AIM, AIMEXPRESS, AOLMAIL, BITTORRENT, COMCASTMAIL, EARTHLINKMAIL, EMUMAIL, EXCHANGE, FTP, GOOGLEMAIL, GOOGLETALK, HORDEMAIL, HOTMAIL, HTTP, JABBER, MSNIM, NEOMAIL, OWAMAIL, SHAREPOINT, SMB, SQUIRRELMAIL, TFTP, VERIZONMAIL, YAHOOMAIL, YAHOO_WEBIM, YMSG, air, binhex, bzip2, embedded-image, embedded-object, fix-format, flash, gzip, javascript, keynote, mime, ms-access-mdb, ms-excel, ms-office, ms-powerpoint, ms-rtf, ms-visio, ms-word, numbers, oasis-document, oasis-presentation, oasis-spreadsheet, pages, pdf, rar, tar, tnef, uuencode, xfdl, ymsg, zip

From
    Description: User that initiated the email, chat, or transaction
    Used by: All email and chat protocols, including: AIM, AIMEXPRESS, AOLMAIL, COMCASTMAIL, DB2, EARTHLINKMAIL, EMUMAIL, EXCHANGE, FACEBOOK, GOOGLEMAIL, GOOGLETALK, GOOGLE_WEBIM, HORDEMAIL, HOTMAIL, HTTP, IMAP4, IRC, JABBER, LINKEDIN, MSNIM, MSN_WEBIM, MYSPACE, NEOMAIL, ORACLE, OWAMAIL, PLAXO, SIP, SMTP, SQUIRRELMAIL, VERIZONMAIL, YAHOOMAIL, YAHOO_WEBIM, YMSG, mail, mime, ms-msg, tnef, ymsg

Hash
    Description: Hash of an encrypted or compressed transmission
    Used by: 7z, SSH, SSL, TLS

Header/Footer
    Description: The header and footer of a file (supplemental information at the beginning and end)
    Used by: ms-excel, ms-office, ms-powerpoint, ms-rtf, ms-visio, ms-word, oasis-document, oasis-presentation, oasis-spreadsheet, pdf

Host
    Description: A computer connected to a network
    Used by: DNS, Edonkey, HTTP, WebSocket

ImpHash
    Description: Import Table Hash
    Used by: exe

Issuer Name
    Description: Name of the certificate issuer
    Used by: certificate, pkcs

Key Length
    Description: Length of the public key
    Used by: certificate

Key Usage
    Description: How the public key is used
    Used by: certificate

Location
    Description: Location specified in HTTP headers
    Used by: HTTP

Malformed
    Description: Session containing a badly formed name, resource record, or other error
    Used by: HTTP, SMTP, SSL, TLS

Media
    Description: Media information found in SIP headers
    Used by: SIP

Midstream
    Description: Flag indicating that the session was not captured from the beginning
    Used by: DB2, Exchange, HTTP, LDAP, Oracle, SMB

Mode
    Description: Distinct method of operation within a computer system
    Used by: AOLMAIL, COMCASTMAIL, EARTHLINKMAIL, EMUMAIL, FACEBOOK, FTP, GOOGLEMAIL, GOOGLE_WEBIM, HORDEMAIL, HOTMAIL, HTTP, IPsec, LDAP, LINKEDIN, MSN_WEBIM, MYSPACE, NEOMAIL, OWAMAIL, PLAXO, SHAREPOINT, SQUIRRELMAIL, SSL, TFTP, TLS, VERIZONMAIL, YAHOOMAIL, YAHOO_WEBIM, YMSG, ymsg

Modification Date
    Description: Date when a file was modified
    Used by: 7z, ms-excel, ms-office, ms-powerpoint, ms-rtf, ms-visio, ms-word, oasis-document, oasis-presentation, oasis-spreadsheet, pdf, tnef

OS Family
    Description: Operating system to which an executable file pertains
    Used by: exe

Packed
    Description: The packer program used, such as UPX
    Used by: exe

Profile
    Description: A link to the user's Facebook profile
    Used by: Facebook

Protocol
    Description: Application protocol for the IPsec session
    Used by: IPsec, NetworkEvasion

Proxy
    Description: HTTP proxy server involved in the session
    Used by: HTTP

Proxy-Connection
    Description: Status of an HTTP connection to a proxy server
    Used by: none listed

Proxy port
    Description: Port on which the HTTP proxy server is listening
    Used by: HTTP

Quality
    Description: Quality of encryption of a session or file
    Used by: 7z, DB2, EXCHANGE, ORACLE, SSH, SSL, TLS, air, ms-excel, ms-word, zip

Read/Write
    Description: Read/write permission on a file or folder as found in protocol data
    Used by: SMB, TFTP

Reassembly
    Description: Reassemble packets into proper order at the receiving end of the communication
    Used by: NetworkEvasion

Referer
    Description: An HTTP header field that identifies the address of the web page (i.e. the URI) that linked to the resource being requested
    Used by: HTTP

Root
    Description: Top level directory of an RCS file system
    Used by: CVS

SQL
    Description: Structured Query Language (SQL): a query language used for accessing and modifying information in a database
    Used by: DB2, Oracle

Server
    Description: The server to which the host has connected
    Used by: Exchange, Fix, HTTP, Oracle, SIP, SMTP, WebSocket

Server port
    Description: The port on which the server is listening
    Used by: HTTP

Session ID
    Description: Sub session of Rel Session ID
    Used by: tunneling protocols

Share
    Description: A shared directory accessed over SMB
    Used by: SMB

Signing Time
    Description: Time that the certificate was signed
    Used by: pkcs

Start Date
    Description: Date started
    Used by: certificate, tnef

Status Code
    Description: HTTP response status code
    Used by: HTTP

Stream type
    Description: Whether the session was a control, data, or encrypted stream
    Used by: FTP, embedded-object

Subject
    Description: The subject of an email or message
    Used by: AOLMAIL, COMCASTMAIL, EARTHLINKMAIL, EMUMAIL, EXCHANGE, FACEBOOK, GOOGLEMAIL, HORDEMAIL, HOTMAIL, IMAP4, LINKEDIN, MYSPACE, NEOMAIL, OWAMAIL, PLAXO, SIP, SQUIRRELMAIL, VERIZONMAIL, YAHOOMAIL, mail, mime, ms-msg, tnef

Subject Name
    Description: Subject name in a certificate
    Used by: certificate

Suspicious
    Description: File with suspicious formatting or structure
    Used by: binary, base64, SSL, TLS

Title
    Description: Sharepoint site title
    Used by: Sharepoint, pdf

To
    Description: Recipient of the information / email
    Used by: All email, chat, and social protocols, including: AIM, AIMEXPRESS, AOLMAIL, COMCASTMAIL, DB2, EARTHLINKMAIL, EMUMAIL, EXCHANGE, FACEBOOK, GOOGLEMAIL, GOOGLETALK, GOOGLE_WEBIM, HORDEMAIL, HOTMAIL, HTTP, IMAP4, IRC, JABBER, LINKEDIN, MSNIM, MSN_WEBIM, MYSPACE, NEOMAIL, ORACLE, OWAMAIL, PLAXO, SIP, SMTP, SQUIRRELMAIL, TFTP, VERIZONMAIL, YAHOOMAIL, YAHOO_WEBIM, YMSG, mail, mime, ms-msg, ymsg

Tunnel
    Description: A protocol in which one protocol is encapsulated within another (HTTP Connect, IP tunnels)
    Used by: HTTP, IPTUNNEL

Type
    Description: Different types: 7z: anti-file; certificate: root or not; exe: signed or not
    Used by: 7z, certificate, exe

UID
    Description: User ID used in various systems and protocols
    Used by: Exchange and social protocols, including: EXCHANGE, FACEBOOK, LINKEDIN, MYSPACE, PLAXO

Url
    Description: HTTP Uniform Resource Locator, or web address
    Used by: HTTP

User
    Description: A person or software using an information system
    Used by: Almost all protocols, including: AIM, AIMEXPRESS, AOLMAIL, COMCASTMAIL, CVS, DB2, EARTHLINKMAIL, EDONKEY, EMUMAIL, EXCHANGE, FACEBOOK, FIX, FTP, GOOGLEMAIL, GOOGLETALK, GOOGLE_WEBIM, HORDEMAIL, HOTMAIL, HTTP, IMAP4, IRC, JABBER, LDAP, LINKEDIN, MSNIM, MSN_WEBIM, MYSPACE, NEOMAIL, ORACLE, OWAMAIL, PLAXO, POP3, SHAREPOINT, SMB, SMTP, SQUIRRELMAIL, TELNET, TFTP, VERIZONMAIL, YAHOOMAIL, YAHOO_WEBIM, YMSG, mime, ymsg

UserAgent
    Description: Application using HTTP as transport
    Used by: HTTP, SIP

Version
    Description: Version of the protocol being used
    Used by: PoisonIvy, RFB, SMB, SSL, TLS

Via
    Description: Via (proxies) information as found in HTTP-like headers
    Used by: HTTP, SIP

X-Forwarded-For
    Description: HTTP header field used for identifying the originating IP address of a client using an HTTP proxy
    Used by: HTTP

XHeader
    Description: X-Headers field found in mime headers
    Used by: mime


Quality, Encryption String, and Hash Values
The quality string, encryption string, and hash values are listed below. The three lists are independent of each other.
Quality string values: 256-bit, 192-bit, 128-bit, 120-bit, 112-bit, 104-bit, 96-bit, 88-bit, 80-bit, 72-bit, 64-bit, 56-bit, 48-bit, 40-bit, Weak, None
Encryption string values: Password, Fortezza, RC4, RC2, Idea, Serpent, Twofish, Arcfour, Cast, Blowfish, Triple-DES, DES, AES, None, Non-Standard, RC4-DSS, Kerberos, RC4-DH, RC4_ENH, RC4-DSS_ENH, RC4-RSA-AES, RC4-RSA, RC4-STRONG, XOR, PGP
Hash values: MD5, SHA1



Protocol and Format Decoding Paths
The decoding path reflects the series of decoders that were applied to a network session. The
decoding path information can be used by a Channel fingerprint to match the protocol or file
formats detected in network traffic.
The format and protocol decoding paths are based on current Fidelis XPS capabilities and will
expand with future product releases. The fingerprint match is done by regular expression.

Protocol Decoding Paths: AIM, AIMEXPRESS, AOLMAIL, BADOO, BITTORRENT, COMCASTMAIL, CVS, DB2, DNS, EARTHLINKMAIL, EDONKEY, EMUMAIL, EXCHANGE, FACEBOOK, FIX, FRIENDSTER, FTP, GNUTELLA, GOOGLEMAIL, GOOGLETALK, GOOGLEWEBIM, HI5, HORDEMAIL, HOTMAIL, HTTP, IMAP4, IPsec, IRC, JABBER, KAZAA, LDAP, LINKEDIN, MSNIM, MSNWEBIM, MSSQL, MYSPACE, NEOMAIL, NING, ORACLE, ORKUT, OWAMAIL, PLAXO, POP3, RDP, RTMP, RTSP, SHAREPOINT, SIP, SKYPE, SMB, SMTP, SQUIRRELMAIL, SSH, SSL, TELNET, TFTP, TLS, IPTUNNEL, TWITTER, VERIZONMAIL, WebSocket, X11, YAHOOMAIL, YAHOOWEBIM, YMSG

Format Decoding Paths: adobe air, base64, binhex, bzip2, certificate, chunked, deflate, embedded-image, embedded-object, exe, fix-format, flash, gzip, html, image, javascript, mail, message, mime, ms-access-mdb, ms-excel, ms-msg, ms-office, ms-powerpoint, ms-rtf, ms-visio, ms-word, multipart, oasis-document, oasis-presentation, oasis-spreadsheet, pdf, pgp, pkcs, postscript, quoted-printable, rar, rfc822, soap, tar, text, tnef, torrent, urlencode, uuencode, xfdl, xml, ymsg, zip, 7z



Chapter 5 Content
Content fingerprints are used to detect the data within the transmission. Examples include the text
of an email or a chat session, the text within an HTTP post, and the text within a file.

Profiling and Registration


Fidelis XPS offers two general methods of identifying content: profiling and registration.
Profiling is the preferred method of content recognition because it relies on a description of the
content rather than a copy of the content. With profiling, you can be running within an hour or two of
installation. Registration requires identifying the documents to be protected, locating those
documents, and registering them with Fidelis XPS. In addition, registration requires an external
process to routinely locate, secure, transfer, and update sensitive documents, because
whenever a protected document is changed, it must be re-registered.
Registration should be considered only when the documents are available to you and when
profiling is not possible.
Profiling is the process of describing content in one or more fingerprints. Profiling requires the
following steps:
1. Select from the following methods of content profiling offered:
Binary Profile: performs regular expression or MD5 tests on a raw file before it is fully
decoded.
Encrypted Files: matches a number of popular types of encrypted files.
Filenames: uses regular expressions to match filenames.
File Signature: recognition of many different types of binary files, not by file name, but by
file contents.
Identity Profile: uses Fidelis’ Smart Identity Profiling™ to recognize bank numbers,
addresses, phones, and national identity numbers used in the U.S. and in several other
countries.
Keywords: searches data for listed keywords.
Keyword List: searches data using a large set of keywords from an uploaded text file.
Keyword Sequence: finds keywords in a sequence not necessarily immediately adjacent.
Protocol Signature: uses regular expressions to match unrecognized protocol sessions.
Regular Expression: uses a regular expression pattern match against data.
URL Feed in Content: finds URLs within content.
YARA Rules: analyzes file formats using rule definitions written in YARA.

2. Describe your content.


Registration involves the following steps:
1. Identify the documents that include sensitive information for your enterprise.

2. Transfer these documents to CommandPost.

3. Generate fingerprints. Three methods are offered:
Embedded Images: matches registered images transferred either individually or embedded
within a document.
Exact Content: provides an exact match of a registered file.
Partial Content: matches a registered document, either in its entirety or parts of it that may
be pasted into other documents or data transfers.

4. (Optional) Remove the documents from CommandPost. Removal of documents helps to
maintain security of the documents. However, they will need to be returned if fingerprint
creation needs to be run again in the future.
5. Repeat the process as necessary when the sensitive information changes.

Content Pages
You can expand a fingerprint by clicking the row. When expanded, other buttons become available.
(Buttons are greyed out for encrypted fingerprints.) An icon on the row indicates that the fingerprint is
used in a component that is assigned to a sensor. Whether a fingerprint can be deleted depends on the
status shown by that icon.
You can also elect to show or hide unused fingerprints. Unused fingerprints are indicated by an
icon next to the component name.

The show/hide icon indicates the current show or hide status. The default is to show all fingerprints.
Click the icon to hide or to show unused fingerprints.

The versions icon indicates the current show or hide status of policy, rule, fingerprint, or
fingerprint macro versions. The default is to hide versions. Refer to Policy Versions for more
information.
The fingerprint and fingerprint macro pages can be sorted by any column on a page in either
ascending or descending order. To do this, click the column header to sort by that column.
A sort icon displays when a column has been sorted. You can only sort by one column at
a time.
You can also elect to show or hide unused fingerprints or fingerprint macros. Unused fingerprints
are indicated by an icon next to the component name. Unused fingerprints or fingerprint
macros are not assigned to a rule.

The show/hide icon indicates the current show or hide status. The default is to show all
fingerprints. Click the icon to hide or to show unused fingerprints.

Note: In Fidelis XPS, fingerprints describe attributes of network data transfers in terms of the content,
the sender/receiver (location), or the method of transfer (channel). You can combine fingerprints
into a macro to make it easier to include two or more fingerprints in rules. Instead of multiple
fingerprints, you can use one macro in a rule.



Add a Content Fingerprint
To add a new content fingerprint:

1. Click Policies>Content.
2. Click Add. The New Component page appears.

Figure 21. Content fingerprint: select type

3. Enter a name and comments in the text boxes. Names are required and must contain valid
characters (alphanumeric plus dash and underscore). Comments are optional and may
contain any character including spaces.
4. Select a type from the pull-down list.
5. If desired, click Delay Analysis to eliminate false positives under certain conditions.
6. Click Save Changes. Other links appear depending on the type of Content fingerprint selected.
Refer to the topics specific to each content fingerprint. The Policy Wizard button displays; once
the fingerprint is defined, click it to proceed to the next step in creating and assigning a policy.
Refer to Policy Wizard.
7. The General page changes to include new elements, such as Threshold. Refer to The General
Page for more information about Delay Analysis and Threshold.

Edit a Content Fingerprint


You can edit an existing fingerprint. To do this:

1. Click the appropriate fingerprint and click Edit.

2. You can edit Comments at the General page. You can also change the name if the fingerprint
is not included in a rule.

3. If needed, click the tab specific to each fingerprint to make changes.

4. Click Save Changes.


You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.



The General Page
All Content fingerprints have a General page accessed by clicking the General link at the top of the
Edit page.

Figure 22. Content fingerprint with more links

Threshold is a value to be compared against the score. The Content fingerprint will evaluate to true
only when the score exceeds the threshold.
Scores are computed differently per fingerprint type. Refer to specific sections for each Content
fingerprint to understand how to set a threshold appropriate for the Content fingerprint type.
Note: The fingerprint will not evaluate to true when the score equals the threshold,
only when the score exceeds the threshold.
Delay Analysis is a feature that eliminates false positive alerts under certain conditions. When
checked, this tells the sensor to wait for the end of the session before evaluating the fingerprint. For
example, in a rule:
Keyword1 AND NOT Keyword2
Setting Delay Analysis for Keyword 2 tells the sensor to wait for the complete file to be analyzed for
Keyword 1 and Keyword 2. This prevents false positives from being generated based on a hit of
Keyword 1 before text matching Keyword 2 has been sent over the network. Without delaying
Keyword 2, an alert would be generated in this case.
Note: Prevention will not be possible when you delay analysis of a fingerprint because
the session will pass before analysis is complete.
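The two behaviours described above, the strict threshold comparison and the effect of Delay Analysis on a Keyword1 AND NOT Keyword2 rule, can be modelled in a few lines. The Python below is an added illustration and is not part of Fidelis XPS or of this guide; it assumes the sensor sees a session as a series of chunks and scores a keyword fingerprint by counting occurrences, both of which are simplifications made for the example. The session data, keywords and chunk boundaries are constructed.

```python
import re

# Constructed session: the transfer arrives as three chunks. Keyword1 appears in the
# first chunk, Keyword2 (the marker that makes the transfer legitimate) only in the last.
SESSION_CHUNKS = [
    b"Project Falcon budget: total spend 1.2M\n",
    b"Vendor list attached.\n",
    b"Reviewed and APPROVED FOR RELEASE by Legal.\n",
]
KEYWORD1 = b"Project Falcon"        # sensitive project name (constructed)
KEYWORD2 = b"APPROVED FOR RELEASE"  # release marker (constructed)


def fingerprint_is_true(score: int, threshold: int) -> bool:
    """A fingerprint evaluates to true only when the score exceeds the threshold;
    a score equal to the threshold is not a match."""
    return score > threshold


def keyword_score(data: bytes, keyword: bytes) -> int:
    """Keyword fingerprint score modelled as the number of occurrences seen so far
    (assumption of this model)."""
    return len(re.findall(re.escape(keyword), data))


def evaluate_rule(chunks, threshold: int = 0, delay_keyword2: bool = False):
    """Evaluate the rule 'Keyword1 AND NOT Keyword2' over a session.

    Returns (alerted, chunks_seen_when_decided). Without Delay Analysis the rule is
    evaluated as each chunk arrives, so the NOT side can look true simply because
    Keyword2 has not been transmitted yet. With Delay Analysis set on Keyword2 the
    sensor waits for the end of the session before it decides.
    """
    seen = b""
    for index, chunk in enumerate(chunks, start=1):
        seen += chunk
        end_of_session = index == len(chunks)
        if delay_keyword2 and not end_of_session:
            continue  # Keyword2 is delayed: the rule cannot be decided yet
        k1 = fingerprint_is_true(keyword_score(seen, KEYWORD1), threshold)
        k2 = fingerprint_is_true(keyword_score(seen, KEYWORD2), threshold)
        if k1 and not k2:
            return True, index  # the rule fired: an alert would be generated here
    return False, len(chunks)


if __name__ == "__main__":
    print(evaluate_rule(SESSION_CHUNKS))                       # (True, 1): false positive
    print(evaluate_rule(SESSION_CHUNKS, delay_keyword2=True))  # (False, 3): no alert
```

The undelayed evaluation fires after the first chunk, which is exactly the false positive the page describes; the delayed evaluation sees the whole session and stays quiet. The trade-off is the one stated in the note above: the decision is only available once the session has already passed.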



Binary Profile
The Binary Profile analyzer detects content during the decoding process, while all other analyzers
perform their work at the conclusion of the decoding process. The goal of the decoding process is
to extract the text of a network transmission, such as the content of a file, an Instant Messenger
chat, or the body of an email message. During this process, some non-text content may be
discarded, especially when non-text information is found within a text-based document, such as an
executable embedded within a PDF file.
Binary Profile changes this operation by performing regular expression or MD5 tests against a
network session before format decoding begins. The analyzer can be directed to operate on
specific formats or to operate on all formats. For example, if you specify a test against PDF files
then this test will be performed whenever a PDF file is detected, but just before the PDF decoding
process. Similarly, you can specify a test to operate against any format decoder which will be
executed each time a format is detected, but before decoding. In the latter case, when a file
contains another file, such as a zip file that contains a PDF, the Binary Profile analyzer performs
tests on both the compressed, undecoded zip file and again on the undecoded PDF.

Contrasting Binary Profile with Other Analyzers


Understanding the differences between Binary Profile and other analyzers may help to determine
appropriate use cases for the analyzer:

• The order of analysis versus decoding, as described above. Use Binary Profile to analyze raw
content rather than decoded text. Therefore, to detect a base-64 encoded string within a PDF,
you will need to enter your expression as a base-64 encoded string.
• The MD5 algorithm utilized by Binary Profile identifies a specific file. Use this to match a
specific PDF file in its entirety. The MD5 can be generated external to CommandPost;
however, because the entire file is required, prevention is not possible unless the file is
detected within an archive. In contrast, Exact Content fingerprints use an MD5 algorithm
specific to Fidelis that allows early detection, so that prevention of files over 10 KB is possible.
• The regular expression of a Binary Profile is applied to the raw binary, non-decoded format
buffer. The Regular Expression analyzer applies expressions to the decoded text buffer. An
understanding of this difference is essential to applying these fingerprints.

Define Binary Profile


To define a Binary Profile fingerprint:

1. Enter general information about the fingerprint. Refer to Add a Content Fingerprint and The
General page for more information.
2. Click Save Changes. The Contents link appears.

Figure 23. Binary Profile Edit page


3. Enter content into the text boxes. A Binary Profile content test consists of one or more
signatures. A signature has a Name, a Decoder Type, and a Method (regex or MD5) with an
associated Expression. If multiple signatures are present, they are all tested, and the final
score will be the total number of hits of all signatures that matched. The signature matches may
occur on different levels of decoding (for example, a Zip file containing a PDF has a score of 2
if one signature matched once in the Zip file and a different signature matched once in the
PDF file). Refer to Binary Profile Score.
• Name – Enter a name for this signature. This is a descriptive name that will be shown on
the Alert Details when this signature is matched.
• Decoder Type – Select a decoder type from the list. Choose Any to apply the test to
every format type. Choose binary or text to apply the test to a format that is
unrecognized by the sensor. In these cases, the sensor will determine the format
structure based on the percentage of non-text characters found in the file.
Selecting the HTTP protocol decoder enables the fingerprint to examine header
information from an HTTP file.
• Method – Select either regex or MD5.
• Expression – This entry depends on the method selected, either regex or MD5.
If regex is chosen, enter a valid PCRE regular expression. The regex can match
arbitrary binary bytes. For example, to match the hexadecimal bytes FF AD, use the regular
expression \xFF\xAD. The regular expression can also be used to match an ASCII
pattern. PCRE Unicode features are not enabled. Refer to Regular Expressions in
Fidelis XPS.
If MD5 is chosen, the Expression field should contain a valid MD5 value for a file. You
can use an external utility to generate this value and enter it into the Expression text box,
or generate this value from a file on your PC by clicking Make MD5.
The value of the selected file will be automatically entered into the Expression text box.

4. Click Save Changes.


You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.
5. If desired, verify the fingerprint before deploying it. Refer to Test Content Fingerprints and
Test Results for Content Fingerprints.

Binary Profile Score


The score reflects the total number of matches for each regex or MD5 pattern that occurred over all
of the phases of the decoding process. For example, a Word file that contains the text “hello,
Othello” would match a “hello” regex twice, resulting in a score of two. It is possible that this regex
could have additional matches in the raw buffer prior to text extraction, further raising the score.
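The following Python model ties together the Define Binary Profile steps and the Binary Profile Score section: signatures with a Name, Decoder Type, Method and Expression are applied to the raw buffer of each decoding layer before that layer is decoded, and the score is the total of all hits. It is an added illustration, not code from Fidelis XPS or from this guide. The stand-in "PDF" (a few bytes with a PDF header), the zip wrapper, the base64 attachment and the signatures are all constructed for the example; the base64_variants helper is the standard way of deriving the base64 spellings of a pattern and is included because the Contrasting section above says such expressions must be entered in encoded form.

```python
import base64
import hashlib
import io
import re
import zipfile

# Constructed sample: a stand-in for a PDF (not a real PDF) that carries the guide's
# "hello, Othello" text and the two bytes FF AD.
PDF_BYTES = b"%PDF-1.4\nhello, Othello\n\xff\xad%%EOF\n"


def build_zip(inner: bytes) -> bytes:
    """Store the sample inside a zip, uncompressed and with a fixed timestamp, so the
    output is deterministic and the inner bytes are visible in the undecoded zip buffer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        info = zipfile.ZipInfo("report.pdf", date_time=(2020, 1, 1, 0, 0, 0))
        z.writestr(info, inner)  # ZipInfo defaults to ZIP_STORED
    return buf.getvalue()


def sample_attachment() -> bytes:
    """The constructed network object: a base64 attachment holding the zip holding the PDF."""
    return base64.b64encode(build_zip(PDF_BYTES))


def decoding_layers(b64_attachment: bytes):
    """Peel the object the way a decoder chain would (base64 -> zip -> pdf) and return
    each layer's raw, not-yet-decoded buffer: the buffers Binary Profile tests run on."""
    raw_zip = base64.b64decode(b64_attachment)
    layers = [("base64", b64_attachment), ("zip", raw_zip)]
    with zipfile.ZipFile(io.BytesIO(raw_zip)) as z:
        for name in z.namelist():
            layers.append(("pdf", z.read(name)))  # format assumed from the .pdf name
    return layers


def base64_variants(pattern: bytes):
    """The three base64 spellings of a byte pattern, one per 3-byte alignment, with the
    characters that depend on unknown neighbouring bytes trimmed off. These are the
    strings to enter when the pattern must be found inside a base64 buffer."""
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + pattern).rstrip(b"=")
        enc = enc[{0: 0, 1: 2, 2: 3}[shift]:]  # drop chars tainted by the pad bytes
        if (shift + len(pattern)) % 3:
            enc = enc[:-1]                      # drop the char tainted by the next byte
        variants.append(enc)
    return variants


# Signature fields mirror the page: Name, Decoder Type, Method, Expression (constructed).
SIGNATURES = [
    {"name": "hello-text", "decoder": "any", "method": "regex", "expression": rb"hello"},
    {"name": "ffad-bytes", "decoder": "pdf", "method": "regex", "expression": rb"\xFF\xAD"},
    {"name": "known-pdf", "decoder": "pdf", "method": "md5",
     "expression": hashlib.md5(PDF_BYTES).hexdigest()},
    {"name": "hello-b64", "decoder": "base64", "method": "regex",
     "expression": b"|".join(re.escape(v) for v in base64_variants(b"hello"))},
]


def signature_hits(sig, fmt: str, raw: bytes) -> int:
    """Hits of one signature on one layer; Any applies to every layer, a named decoder
    only to its own format. MD5 compares the whole raw buffer, regex counts matches."""
    if sig["decoder"] not in ("any", fmt):
        return 0
    if sig["method"] == "md5":
        return int(hashlib.md5(raw).hexdigest() == sig["expression"])
    return len(re.findall(sig["expression"], raw, re.DOTALL))


def binary_profile_score(b64_attachment: bytes):
    """Score = total hits of every signature over every decoding layer."""
    hits = {}
    for fmt, raw in decoding_layers(b64_attachment):
        for sig in SIGNATURES:
            n = signature_hits(sig, fmt, raw)
            if n:
                hits[(sig["name"], fmt)] = n
    return sum(hits.values()), hits


if __name__ == "__main__":
    print(binary_profile_score(sample_attachment()))
```

Running it scores 8: "hello" is counted twice on the stored zip buffer and twice again on the PDF buffer (the same text seen at two decoding levels, as the Score section describes), FF AD and the MD5 each hit once on the PDF, and the plain "hello" regex finds nothing on the base64 layer while its encoded variants find both occurrences. Had the zip been compressed rather than stored, the zip-layer text hits would disappear, which is the raw-versus-decoded distinction the Contrasting section makes.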

Embedded Images
The Embedded Images analyzer checks for specific, registered images being sent individually or
embedded within a document. This analyzer is most useful for identifying specific images such as a
company logo or sensitive photos.
The Fidelis XPS Embedded Images analyzer checks for digital images being sent over the network.
It does this by creating a fingerprint with an analysis of the exact content of the specified images. It
then compares images traveling out of the network with those it has been configured to recognize.
If any specified image is found, the fingerprint evaluates to true. The analyzer may not recognize an
image that has been resized or otherwise altered.
Images, in addition to simply being sent individually, can be embedded within a document. Fidelis
XPS extracts images for analysis from documents.

Define Embedded Images


To define this fingerprint:

1. Identify the image files that include sensitive information for your enterprise.

Note: Alert Details is the most granular level for examining alert data.


2. Add a new Embedded Images fingerprint and enter the general information about the
fingerprint. Refer to Add a Content Fingerprint and The General page for more information.

3. Click Save Changes. The File List and Generate Profile links appear.

Figure 24. Embedded Image Edit page

4. Click Generate Profile. This page will show a list of all image files currently included in the
fingerprint definition. The status of each will show Current.

5. Click the WinSCP icon to open a WinSCP session.

6. Create a folder on the CommandPost to store the image files.

7. Transfer the image files that you want to register to the CommandPost.
Important: Images embedded in files can be converted to a different format than the
original. In these cases, the image must be protected in two ways: alone and also
embedded within a document. To execute this protection, copy the file alone, and copy
the file embedded within document types of interest, including MS-Word, MS-Excel,
PDF, and other file formats.

8. Select the name of the folder from the list.

9. Click Generate to create the fingerprint. After generation, you are provided bingen output
information from the generation process.
Any files added to the fingerprint are listed as New.
You must click Save Changes to save the result, which overwrites any previous version of this
fingerprint. The File list page displays with a list of saved files.
You can continue to add or remove files at the Generate Profile page as needed by selecting
a data folder.
If a file currently in the fingerprint is found in the data folder during generation, the status of
the file will change from Current to Updated.
Clear Last Gen removes the bingen output and restores the file list to the last time the
fingerprint was saved.
Clear Current deletes all Current files from the list.
Clear All removes all files from the Generate Profile page.
Delete removes a specific file from the list.
Important: You must save changes to make these changes permanent.

10. Click File list. The File List link provides a list of all registered image files in this fingerprint. It
will be populated only after the Generate Profile step has been executed. Specific images
may then be removed from the fingerprint, if desired. This page may also be used to test the
fingerprint against files stored in the selected data folder.
11. Click Save Changes.
You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.



12. If desired, verify the fingerprint before deploying it. Refer to Test Content Fingerprints and
Test Results for Content Fingerprints.

13. If desired, remove the original image files from the CommandPost to maintain their security.

Embedded Images Score


When a registered embedded image is detected, the score will be set to the threshold + 1.
Therefore, the threshold value (on the General page) has no meaning for embedded image
fingerprints.

Encrypted Files
The Encrypted Files analyzer checks many common types of files for encryption. Fidelis XPS
cannot break the encryption of such files, but can detect their existence.
Many corporations employ policies that dictate the encryption of sensitive data as it leaves the
network. The Encrypted Files analyzer can be used to enforce these policies and to find attempts to
circumvent the policy.
For example, a corporate policy may require the encryption of all files sent to an external payroll
company. An Encrypted Files fingerprint would be used to describe those files.
The Fidelis XPS Encrypted Files analyzer is an extremely fast analyzer with little or no effect on
performance.

Define Encrypted Files


To define an Encrypted Files fingerprint:

1. Enter general information about the fingerprint. Refer to Add a Content Fingerprint and The
General page for more information.

2. Click Save Changes. The File Types link appears.

Figure 25. Encrypted File Edit page

3. Click the appropriate file types.

4. Click Save Changes.


You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.
5. If desired, verify the fingerprint before deploying it. Refer to Test Content Fingerprints and
Test Results for Content Fingerprints.

Encrypted Files Score


When a matching encrypted file is detected, the score will be set to the threshold + 1. Therefore,
the threshold value (on the General page) has no meaning for these fingerprints.



Exact Content
The Fidelis XPS Exact Content analyzer provides a way to positively match against specific
registered files. Fidelis XPS uses MD5 checksums of the files and searches for a match in files
transferred over the network.
A single edit to a file will change the MD5 signature and will not match the analysis of the extruded
data. The MD5 signature is based on the decoded content of the file, not the entire file. Therefore,
MD5 signatures must be generated by Fidelis XPS and cannot be imported from an external
source.
The Exact Content analyzer can be useful in certain situations, but other Fidelis XPS analyzers
provide more flexibility for protecting data. For example, the partial content analyzer can detect
sections of documents that were pasted into text or into another file. The partial content analyzer is
less susceptible to edits to a registered document. The profiling analyzers also offer flexibility to
define data based on the content, rather than the exact file. However, the Exact Content analyzer is
fast and is applicable in certain situations.

Define Exact Content


To define this fingerprint:

1. Identify the files that include sensitive information for your enterprise.

2. Add a new Exact Content fingerprint and enter the general information about the fingerprint.
Refer to Add a Content Fingerprint and The General page for more information.

3. Click Save Changes. The File list and Generate Fingerprint links appear.

4. Click Generate Fingerprint. This page will show a list of all files currently included in the
fingerprint definition. The status of each will show Current.

Figure 26. Exact Content: Generate Fingerprint page

5. Click the WinSCP icon to open a WinSCP session.

6. Create a folder on the CommandPost to store the files.

7. Transfer the documents that you want to register to the CommandPost.

8. Select the name of the folder from the list.


9. Click Generate to create the fingerprint. After generation, you are provided md5gen output
information from the generation process.
Any files added to the fingerprint are listed as New.
You must click Save Changes to save the result, which overwrites any previous version of this
fingerprint. The File list page displays with a list of saved files.
You can continue to add or remove files at the Generate Fingerprint page as needed by
selecting a data folder.
If a file currently in the fingerprint is found in the data folder during generation, the status of
the file will change from Current to Updated.



Clear Last Gen removes the md5gen output and restores the file list to the last time the
fingerprint was saved.
Clear Current deletes all Current files from the list.
Clear All removes all files from the Generate Fingerprint page.
Delete removes a specific file from the list.
Important: You must save changes to make these changes permanent.

Figure 27. Exact Content: File List page

10. Click File list. The File List link provides a list of all registered files in this fingerprint. It will be
populated only after the Generate Fingerprint step has been executed and you Save
Changes. Specific files may then be removed from the fingerprint, if desired. This page may
also be used to test the fingerprint against files stored in the selected data folder.

11. Click Save Changes.


You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.
12. If desired, verify the fingerprint before deploying it. Refer to Test Content Fingerprints and
Partial Content Test Results.

13. If desired, remove the original files from the CommandPost to maintain their security.

Exact Content Score


When a registered file is detected, the score will be set to the threshold + 1. Therefore, the
threshold value (on the General page) has no meaning for exact content fingerprints.



Filenames
The Filenames analyzer is used to identify documents by name. This is the only Content fingerprint
type that is not concerned with the contents of transferred files.
A Filenames fingerprint is used to define content based on the name of a file. Filenames are
defined by regular expression, which allows fingerprints to be based on partial names.

Define Filenames
To define a Filenames fingerprint:

1. Enter General information about the fingerprint. Refer to Add a Content Fingerprint and The
General Page for more information.

2. Click Save Changes. The File names link appears.

Figure 28. Filenames Edit page

3. Enter regular expressions in the text boxes. Click Add regexp to add more filenames. Refer to
Filenames Regular Expression.

4. Click Save Changes. After every save, the regular expression syntax is verified, and
expressions with errors are not saved. It is wise to save after each regular expression is added.
You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.
5. If desired, verify the fingerprint before deploying it. Refer to Test Content Fingerprints and
Test Results for Content Fingerprints.

Filenames Score
When a transferred file has a name that matches at least one regular expression in the fingerprint,
the score will be set to the threshold + 1. Therefore, the threshold value (on the General page) has
no meaning for these fingerprints.

Filenames Regular Expression


Enter a regular expression to define a Filename.
At the Content>Filenames page:

1. Click Add Regexp.

2. Enter a regular expression into the text box. For example:
To find the term Confidential in a file name, enter: Confidential
To find a file name that begins with YourCompanyName, enter: ^YourCompanyName
To find Word files, enter: \.doc(x)?$ or \.docx$
Note: Regular expressions in filenames should not start with #. Lines starting with #
are considered comments and are ignored by CommandPost.



For more information about using regular expressions refer to Regular Expressions in Fidelis XPS.
Refer to Define Filenames for more information about creating this fingerprint.
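To see how the three example expressions above behave against real names, and how the # comment rule and the threshold + 1 scoring fit together, here is a small Python model. It is an added illustration, not code from Fidelis XPS or this guide. The fingerprint text and the file names are constructed; whether the product matches names case-insensitively is not stated on this page, so the model keeps the default case-sensitive behaviour and notes it as an assumption.

```python
import re

# Constructed Filenames fingerprint: one regular expression per line, in the form the
# Filenames page accepts. Lines starting with # are comments and are ignored.
FILENAME_REGEXPS = r"""
# the word Confidential anywhere in the name
Confidential
# names that begin with the company name
^YourCompanyName
# Word documents, old and new extensions
\.doc(x)?$
"""


def load_filename_patterns(text: str):
    """Compile each non-empty, non-comment line. The constructs used here mean the
    same thing in PCRE and in Python's re. Case sensitivity is an assumption: the
    default (case-sensitive) matching is kept."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


def matched_expressions(filename: str, patterns):
    """Which of the fingerprint's expressions match this file name (search, not
    full-match, so an expression matches anywhere unless it is anchored)."""
    return [p.pattern for p in patterns if p.search(filename)]


def filenames_score(filename: str, patterns, threshold: int) -> int:
    """Per the Filenames Score section: threshold + 1 when at least one expression
    matches. A name that matches nothing gets 0, which never exceeds the threshold."""
    return threshold + 1 if matched_expressions(filename, patterns) else 0


def filename_fingerprint_matches(filename: str, patterns, threshold: int = 0) -> bool:
    return filenames_score(filename, patterns, threshold) > threshold


if __name__ == "__main__":
    pats = load_filename_patterns(FILENAME_REGEXPS)
    for name in ["Q3-Confidential-plan.xlsx", "YourCompanyName_roadmap.pdf",
                 "letter.doc", "letter.docx", "report.docs", "confidential.txt"]:
        print(name, matched_expressions(name, pats))
```

Two of the names show the details that matter in practice: report.docs does not match because \.doc(x)?$ is anchored to the end of the name, and confidential.txt does not match the case-sensitive expression Confidential, so a fingerprint that should catch either spelling needs an expression written to allow it.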

File Signature
The File Signature analyzer is a moderately fast analyzer that applies UNIX MAGIC binary
signatures to identify certain types of binary files. Refer to the UNIX MAGIC page for more details.
The file signature fingerprint can be used to identify binary application files as they transfer over the
network. The fingerprint is a description of the file contents using bit offsets to define headers and
application file type markings.
It may be used to define files such as audio, video, CAD drawings, and other binary file types.
Fidelis XPS cannot extract content from these binary file types, but use of the file signature will
allow Fidelis XPS to identify them.
The file signature fingerprint should be used to detect file types that Fidelis XPS cannot decode.

Define File Signature


To define a File Signature fingerprint:

1. Enter general information about the fingerprint. Refer to Add a Content Fingerprint and The
General page for more information.
2. Click Save Changes. The Contents link appears.

Figure 29. File Signature Edit page


3. Enter content into the edit window. The main portion of this page is an edit window where the
magic signature can be supplied. Creating file signature fingerprints should be done by a user
familiar with UNIX MAGIC signatures.

4. Click Save Changes.


You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.
5. If desired, verify the fingerprint before deploying it. Refer to Test Content Fingerprints and
Test Results for Content Fingerprints.

File Signature Score


When a file is detected that matches the file signature definition, the score will be set to the
threshold + 1. Therefore, the threshold value (on the General page) has no meaning for these
fingerprints.
When a file is detected that is compared to the file signature definition, the score will be based on
the depth of the match (the continuation level +1). Therefore, the threshold value (on the General
page) sets the minimum number of lines that must match in the fingerprint. The total score must
exceed the threshold for the fingerprint to match.



Understand Identity Profile
The Identity Profile analyzer (also known as Smart Identity Profile Analyzer) uses a number of
statistical analysis techniques to detect and analyze personally identifiable information (PII). The
analyzer relies on several built-in pattern recognition algorithms and on regular expressions that can
be used to build custom patterns. This analyzer includes many controls that enable you to create
very accurate profiles. Use of these controls is not required to set up an identity profile, but
understanding these controls may be necessary to tune your profiles to be highly accurate.
Identity Profile includes patterns specific to the U.S. and to other countries. For example, you can
include patterns for U.S. and UK addresses and phone numbers. This flexibility enables you to
protect your international enterprise.
This analyzer uses three algorithms: pattern recognition, pattern count, and frequency analysis.

Pattern Recognition
Identity Profile includes the recognition of many international patterns such as national identity
numbers, phone numbers, and mailing addresses. This flexibility enables you to protect your
international enterprise.

Prebuilt Patterns
Prebuilt patterns are available for Identity Profile. For each pattern, an algorithm is deployed to first
identify then verify the pattern. For example, a 16-digit number is first recognized as a possible
credit card number. This value is then passed to the credit card number analyzer for verification.
Only after verification is the element marked as a credit card number.
All prebuilt patterns include verification. Many identity numbers do not include a validation algorithm
and are not included with Identity Profile prebuilt patterns. Examples include driver’s license
numbers, national identities for many countries, and custom patterns such as account and record
numbers. These patterns can be easily created using Custom Patterns.

Customize
Customize enables you to fine tune the pattern recognition search by focusing on patterns that are
most important to your needs. For example, for National ID you can select only U.S. Social Security
Numbers, UK National Insurance Numbers, or any combination of the supported national IDs.

Strictness
Strictness can be used to further refine pattern matching on a scale from very stringent (high
strictness values) to very lenient (low strictness values) adherence to pattern formats. The effects
of increasing strictness vary depending on the patterns selected. For example, US Social Security
numbers are typically written in the form 123-45-6789; this form, and this form only, will match a high
strictness setting. However, most spreadsheet applications store this value as a number such as
123456789, which will match a lower strictness setting. You can use strictness to control the
accuracy of your matches.
Refer to Strictness in Identity Profile for more information about how strictness levels affect Identity
Profile patterns.

Custom Patterns
The Identity Profile analyzer also offers a method to describe custom patterns that can be used to
recognize elements such as document control numbers, medical record numbers, insurance record
numbers, and other identity formats that may be customized for your enterprise. These patterns are
recognized by regular expression matching. There is no verification performed on elements that
match the regular expression. Refer to Regular Expressions in Fidelis XPS for more information.

Fidelis XPS Guide to Creating Policies 88


Pattern Count
A pattern set includes one or more patterns (either prebuilt or custom). As data flows over the
network, the Identity Profile analyzer stores the count of all elements that are identified, verified,
and pass the strictness settings. The pattern count is the minimum of all elements found in the
network data.
For example, if the pattern set is Name, U.S. Social Security Number (SSN), and Credit Card
number (CreditCard), then there are three patterns in the set. Assume we find 20 names, 20 SSNs,
and 15 CreditCard numbers, then the pattern count is 15 because there are at least 15 of every
pattern in the set.
The pattern count is the score of the analysis if the frequency and the low pass filter checks pass. A
fingerprint match requires that the score exceed the fingerprint threshold.

Frequency Analysis
For each pattern set, the frequency of each pattern is calculated by dividing the element count by
the sum of all counts in a set.
For example: if the pattern set elements are Name, U.S. Social Security Number (SSN), and
CreditCard number (CreditCard), and the counts are Name: 50, SSN: 100, CreditCard: 50, then
the total sum of all elements is 200, and the frequency of each pattern is:
Name: 50 / 200 = .25
SSN: 100 / 200 = .50
CreditCard: 50 / 200 = .25
These frequencies are an unbiased estimate of the probabilities for a discrete multinomial
distribution. Refer to Expected Distribution for more information. Statistical analysis is performed to
compare the frequency to the expected distribution. The frequency analysis is configured by the
sensitivity setting established per pattern set. Sensitivity offers four settings:

• Off: In this case frequency analysis is not performed and pattern count, as compared to the
threshold, is the only criterion for generating a fingerprint match.

• Low, Medium, High: Enable frequency analysis. The setting determines the allowable
deviation between the analyzed frequency and the expected distribution. With a high setting,
there can be very little deviation between the two distributions. With a low setting, a fingerprint
match occurs even with a relatively large deviation.

Expected Distribution
The expected distribution can be set in one of three methods:

• Default: by default, the expected distribution is equal numbers of all patterns. For example,
you would expect to see one name per SSN per CCN, which would equate to a frequency of
0.333 for each of the three patterns. The default setting is the most commonly used expected
distribution and is the easiest to use. To use the default distribution, simply set Sensitivity to
Low, Medium, or High.

• Set a Ratio: In some cases the expected distribution is not equal numbers of patterns. For
example, suppose you wanted to create a profile to recognize an employee list. The profile
may include a name, SSN, office phone, home phone, and mobile phone per employee. In
this case, you would expect a distribution of 0.2 name, 0.2 SSN, and 0.6 phone number. This
ratio may be manually specified at the fingerprint edit page.

• Training: An alternative to manual specification of a ratio is to train the fingerprint based on
sample files. This method is similar to document registration, but more flexible. Using the
employee list example, you could copy your employee list to CommandPost, and train your
Identity Profile fingerprint. The result is an expected distribution that accurately matches your
employee list, based on statistical analysis of your sample data.
As an alternative to the Identity Profile fingerprint, you could create a Partial Content or Exact
Content fingerprint and register your employee list with Fidelis XPS. Refer to Registration for
more information. However, you would need to reregister the document every time it changed
for this method to be effective. The information in an Identity Profile fingerprint would never
need to be updated, as long as the relative distribution of patterns did not change significantly
over time.

Low Pass Filter

Identity Profiling is based on statistical analysis of the provided data. With any statistical
analysis, accuracy will improve as the data set increases in size. With large data sets, Identity
Profiling can be very accurate; however, it can be inaccurate with very small data sets. The Low
Pass Filter is designed to remove very small data sets from analysis because they often result in a
false positive.
The low pass filter is defined by the number of patterns in the set times a defined multiple. By
default, the multiple is set to 5. Suppose your pattern set consists of three patterns (Name, SSN,
CCN). In this case, analysis will not be performed unless the total number of detected patterns
exceeds 15. The total number for filter purposes is the sum of Names, SSNs, and CCNs detected
in the data set.
Low pass filter is the first analysis performed on the data set. If the data passes the filter, analysis
continues with pattern count and distribution analysis as described above.
There is a correlation between threshold and the low pass filter multiple, such that the score must
be greater than both threshold and low pass filter. Using the default value of 5, you must see a
pattern count of at least 6 before analysis will be performed.
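The four steps just described (low pass filter, pattern count, frequency analysis against the expected distribution, threshold) can be followed end to end in a small model. The block below is an added example written for this section, not Fidelis code; the order of the checks follows the text, but the allowable-deviation limit for each sensitivity level and the use of total variation distance as the deviation measure are assumptions, since the guide does not publish its statistical test. It also models the "ratios must total 1" check from Set Ratio and the "Analyze Unique Data Only" counting from Advanced Settings, both described later in this chapter.

```python
"""Model of the Identity Profile scoring steps: low pass filter, pattern
count, frequency analysis, threshold.

Added example, not Fidelis code. The check order follows the guide; the
per-sensitivity deviation limits and the use of total variation distance
as the deviation measure are assumptions made for illustration.
"""
from collections import Counter

# Assumed allowable deviation between observed and expected distribution.
SENSITIVITY_LIMITS = {"low": 0.30, "medium": 0.15, "high": 0.05}


def count_elements(found, unique_only=True):
    """Count verified elements per pattern from (pattern, value) pairs.

    With unique_only (the default "Analyze Unique Data Only" behaviour),
    repeated occurrences of the same value count once.
    """
    if unique_only:
        found = set(found)
    return dict(Counter(pattern for pattern, _ in found))


def frequencies(counts):
    """Each pattern's count divided by the sum of all counts in the set."""
    total = sum(counts.values())
    return {p: c / total for p, c in counts.items()}


def deviation(observed, expected):
    """Total variation distance: 0 for identical distributions, 1 for disjoint."""
    keys = set(observed) | set(expected)
    return 0.5 * sum(abs(observed.get(k, 0.0) - expected.get(k, 0.0)) for k in keys)


def score_pattern_set(counts, threshold, sensitivity="off", expected=None,
                      low_pass_enabled=True, low_pass_multiple=5):
    """Evaluate one pattern set; returns (matched, score, reason).

    counts:   {pattern_name: elements identified, verified and passing strictness}
    expected: optional manual ratio {pattern_name: fraction}; default is equal shares
    """
    patterns = list(counts)
    total = sum(counts.values())

    # 1. Low pass filter: the total must exceed (patterns in set) x multiple.
    cutoff = low_pass_multiple * len(patterns)
    if low_pass_enabled and total <= cutoff:
        return False, 0, f"low pass filter: {total} elements <= {cutoff}"

    # 2. Pattern count: the minimum count across every pattern in the set.
    pattern_count = min(counts.values())

    # 3. Frequency analysis against the expected distribution (unless Off).
    if sensitivity != "off":
        if expected is None:  # default: equal numbers of all patterns
            expected = {p: 1.0 / len(patterns) for p in patterns}
        if abs(sum(expected.values()) - 1.0) > 1e-9:
            raise ValueError("expected ratios must total 1")
        dev = deviation(frequencies(counts), expected)
        if dev > SENSITIVITY_LIMITS[sensitivity]:
            return False, pattern_count, (
                f"frequency deviation {dev:.2f} exceeds {sensitivity} sensitivity limit")

    # 4. The score (pattern count) must exceed the fingerprint threshold.
    if pattern_count <= threshold:
        return False, pattern_count, (
            f"score {pattern_count} does not exceed threshold {threshold}")
    return True, pattern_count, "match"


if __name__ == "__main__":
    # Figures from the text: 20 names, 20 SSNs, 15 credit card numbers.
    print(score_pattern_set({"Name": 20, "SSN": 20, "CreditCard": 15}, threshold=10))
    # 50/100/50 against the default equal distribution at high sensitivity.
    print(score_pattern_set({"Name": 50, "SSN": 100, "CreditCard": 50},
                            threshold=10, sensitivity="high"))
    # The same counts once the 0.25/0.5/0.25 ratio is supplied manually.
    print(score_pattern_set({"Name": 50, "SSN": 100, "CreditCard": 50}, threshold=10,
                            sensitivity="high",
                            expected={"Name": 0.25, "SSN": 0.5, "CreditCard": 0.25}))
```

Running the block replays the figures used in the text: 20/20/15 scores 15 and matches a threshold of 10 with sensitivity Off, while 50/100/50 fails at High sensitivity against the default equal distribution (deviation about 0.17 under the assumed measure) and passes once the 0.25/0.5/0.25 ratio is supplied. A three-pattern set with nine elements in total never reaches the analysis because the default low pass filter cutoff is 15.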

Using Identity Profile


Identity Profile offers flexibility to control the accuracy of pattern matches against network data.
When constructing Identity fingerprints, you should understand the trade-offs of using such
controls. Fidelis recommends creating multiple fingerprints to provide optimal security and
performance. For example:

1. Create a highly accurate fingerprint that will produce very low false positive rates. Use this
fingerprint in a rule with severity set to Critical. Refer to Rules. To do so consider:

• Set a high threshold. The statistics employed in Identity Profiling lead to very accurate
results when large data leakages are involved. At small sample sizes, the detection
error rates can reduce accuracy.
• Consider strictness, especially when numbers are used. Internet traffic contains many
numbers that pass validation of credit card numbers, social security numbers, bank
account numbers, and others. By reducing your matches to only those numbers that
strictly match formats, accuracy will be improved.
• Select at least two patterns within a pattern set. The detection of a single number
(such as a social security number) is error prone without context, such as a name
associated with each number. Furthermore, when choosing only one pattern,
frequency analysis cannot be performed, which increases the error rate.

2. Create a second fingerprint to find all other data leakages. This fingerprint will be less
accurate but will detect all data leakages. Use this fingerprint in a rule with low severity. To do
so:

• Consider low thresholds to detect the leakage of small numbers of identities. At very
low numbers, you may need to disable or lower the value of the Low Pass Filter.
• Consider low strictness. At low levels, the Identity Profile analyzer attempts to match
modified patterns, various number formats, and partial data.
• Consider the detection of a single pattern, such as credit card numbers.
The suggestion above offers two extremes: the first will result in very low false positives. Violations
to this fingerprint should be analyzed immediately and may be considered for prevention. The
second will result in very low false negatives, but high false positives. You may want to review this
on a less frequent basis, using CommandPost’s extensive search, filter, and drill down capabilities
to discover true violations.
Note: Profiling is the preferred method of content recognition because it relies on a description
of the content rather than a copy of the content.
In practice, you may want to deploy more than two such fingerprints. The goal is to balance the
desire to “detect everything” versus the goal of managing and reacting to critical data leakage.

Define Identity Profile


From CommandPost, you can define pattern sets, alter the parameters of the statistical analysis,
and add new pattern types to be profiled.
To define Identity Profile:

1. Enter general information about the fingerprint. Refer to Add a Content Fingerprint and The
General page for more information. Select Identity Profile for the Type.

2. The Patterns, Pattern sets, Generate Profile, and Advanced links appear. Refer to the
following sections to define custom patterns, pattern sets, expected distributions, and low
pass filter settings.
3. Click Save Changes.
You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.
4. If desired, verify the fingerprint before deploying it. Refer to Test Content Fingerprints and
Test Results for Content Fingerprints.
Define a Custom Pattern
Fidelis XPS enables you to define custom patterns for your enterprise. Patterns extend the
predefined capabilities of the identity profile analyzer. They are defined by regular expressions
similar to the regular expression fingerprint. Refer to Pattern Regular Expression.
To define a custom pattern:

1. Click Patterns. The Patterns page displays with a list of custom patterns. An icon next to
each custom pattern indicates whether that pattern is included in the fingerprint.
If the pattern is not included in a fingerprint, it can be deleted. Custom patterns included in a
fingerprint cannot be deleted.

Figure 30. Identity Profile: patterns

2. Edit an existing pattern or enter information in the text boxes and click Add Pattern. Each
pattern will be available for inclusion in a Pattern set. Refer to Pattern Regular Expression.
Define a Pattern Set
The Pattern sets link shows a list of defined sets. A single Identity Profile may contain several
pattern sets. A match of any one pattern set will match the fingerprint.



Figure 31. Identity Profile: pattern sets

You may edit, delete, or set a ratio for each pattern set. To add a new pattern set, click Add
template.

Figure 32. Identity Profile: Select Pattern Sets

The pattern set is defined by clicking the patterns to be included in the set.
Within the pattern set template, you can define four attributes:

• Template Name – enter a name for your template. This name will appear on the Alert Details
report if an alert is generated based on a match of this pattern set.

• Sensitivity – choose one of four settings. Refer to Frequency Analysis.

• Custom Patterns – List of custom patterns created at the Patterns link that you can click to
include.

• Predefined Patterns – List of predefined identity profile items that you can click to include.
When selecting a predefined pattern, you may choose to customize the pattern by choosing one or
more available options to limit the pattern to only the chosen attributes. If you do not customize, the
pattern will match all of the available attributes.
Note: Predefined patterns are available only on a CommandPost with Policy Feeds
enabled. Customization for predefined patterns is only available from a Master
CommandPost connected to the [Link].
You may also choose a strictness level using the slider bars, when available. Refer to Strictness in
Identity Profile.
After the pattern set is saved it can be seen on the Pattern Sets page. The description of the
pattern set will show the template name, all included patterns (predefined or custom), any chosen
customizations, and the strictness settings.



Table 5. Identity Profile predefined patterns

Identity Profile predefined pattern: National ID
Description: National ID numbers
Available customization: U.S. Social Security Numbers; Australia Tax File Numbers; Austria Social
Security Numbers; Canada Social Insurance Numbers; Czech Republic Birth Numbers; Finland
HETU; France INSEE Code; Israel Identification Numbers; Japan Resident Registration Numbers;
Norway Personal Numbers; Poland (PESEL); Poland (REGON); Poland (NIP); Spain DNI Numbers;
Sweden Personal Id Numbers; Turkey Personal Numbers; United Arab Emirates ID Numbers; UK
National Insurance Numbers

Identity Profile predefined pattern: Phone
Description: Provides patterns for domestic and international phone numbers. The International
pattern includes full country dialing codes and the complete domestic number.
Available customization: United States; United Kingdom; Japan; International

Identity Profile predefined pattern: Address
Description: Postal addresses
Available customization: United States; United Kingdom; Japan

Identity Profile predefined pattern: IBAN Bank Account Number
Description: International Bank Account Number. Selecting specific countries will match the IBAN
bank account numbers for those countries.
Available customization: Available for all or for selected member countries. Refer to [Link] for
more information about the IBAN registry.

Identity Profile predefined pattern: SWIFT/ABA Bank Code
Description: Society for Worldwide Interbank Financial Telecommunication (SWIFT) codes;
American Bankers Association routing numbers used in the U.S.
Available customization: List of supported country codes.

Identity Profile predefined pattern: Date
Description: Date ranges
Available customization: Enables you to specify Current, Past, or Future dates. Dates specified are
relative to the date when the rule is run. Clicking Current specifies the date on which the rule is
run. Click Past or Future and a text box opens that enables you to specify a number of years. For
Past years, if the number of years entered is earlier than 1900, your entry will not be matched. For
Future years, if the number of years entered is beyond 2099, a match will not occur.

Identity Profile predefined pattern: CreditCard
Description: Credit card numbers from the following are included: American Express; China
UnionPay; Diners Club Carte Blanche; Diners Club International; Discover Card; JCB; Laser;
Maestro; MasterCard; Solo; Switch; Visa; Visa Electron
Available customization: Not Available

Identity Profile predefined pattern: e-mail
Description: Standard email addresses
Available customization: Not Available

Identity Profile predefined pattern: VIN
Description: Vehicle Identification Numbers
Available customization: Not Available

Identity Profile predefined pattern: Drug Name
Description: Names of drugs from the U.S. Food and Drug Administration (FDA) list of approved
drugs
Available customization: Not Available

Identity Profile predefined pattern: Magnetic Stripe
Description: Data from the magnetic stripe of a credit card
Available customization: Not Available

Identity Profile predefined pattern: Name
Description: Provides available patterns for names. Clicking Name without selecting any
customization uses a basic name identification algorithm. To obtain better results, customize
name matching by selecting one or more name databases. Refer to the description of Names in
Strictness in Identity Profile to understand how name databases are used.
Available customization: Not Available
Set Ratio
You can define a ratio for the expected distribution of your pattern set at the Set Ratio page. As
discussed in Expected Distribution there are different methods to define the expected distribution.
The Set Ratio page is used to specify a ratio manually.
To specify a ratio:

1. Click Pattern sets to view the list of defined sets.

2. Click Set Ratio next to the appropriate pattern set. Enter ratios by placing a number between
0 and 1 for each pattern type. The total will be calculated with each entry. When finished, the
total must equal 1.

Figure 33. Identity Profile: Set Ratio

3. Click Save template. You can also click Policy Wizard to save changes and proceed to the
next step in creating and assigning a policy. Refer to Policy Wizard.
Generate Profile
You can define the expected ratio of your pattern set by supplying training data. Refer to Expected
Distribution. Use the Generate Profile page to generate a ratio based on one or more sample files.

Figure 34. Identity Profile: Generate Profile

To generate a profile:

1. Click to open a WinSCP session.

2. Create a data folder or use an existing one and copy your files to CommandPost.

3. Select the data folder from the list.

4. Click Train FP. The results of the training will be displayed. Click Verbose before training to
increase the information provided.

5. Click Save changes to accept the new ratio. This deletes any manually entered ratio.

6. Click Set Ratio from the Pattern sets list to make changes manually to this ratio, if necessary.
Advanced
The Advanced page is used to change the operation of the Identity Profile analyzer for this
fingerprint. Changes to these settings may impact the rate of false positives detected by the
system; therefore, use of the Advanced page should be limited to users with extensive knowledge
and experience with Fidelis XPS. This page also enables you to add a custom name file that can
be used in this or in other Identity Profile fingerprints.



Figure 35. Identity Profile: Advanced

Advanced Settings
The following settings affect the entire fingerprint:

• Analyze Unique Data Only. By default, matching of unique data is enabled. This tells the
analyzer to count multiple occurrences of the same item once. Refer to Pattern Count.
• Enable the Low Pass Filter. By default, low pass filter is enabled. It may be disabled for a
specific fingerprint. When disabled, all data sets, even those that are very small, will be
analyzed. Very small data sets may lead to inaccurate statistical analysis, which leads to false
positive fingerprint matches.

• Set the Low Pass Filter Multiple. This value only applies if the Low Pass Filter is enabled. The
default value is 5. Refer to Low Pass Filter for more information.
Add a Name File
Identity Profile uses a database of names to match the predefined Name pattern. Refer to
Strictness in Identity Profile - Names. Five such name files are provided, as shown in the screen
shot above. You may view the contents of these files and you may add your own custom database
of names. After a custom name database file is uploaded, it may be used in any Identity Profile
fingerprint. Unused custom name files may be removed.
A custom name database file is a text file with UTF-8 encoding, where each line in the name file
contains a single name. Any UTF-8 text character can be used in the name file. Non-UTF-8
encoding is not supported. Only complete names found in the buffer are matched, not partial
names.

• Lines beginning with a pound (#) character are treated as comments and ignored.
• Blank lines or lines with only white space characters are ignored.
• The ## substring on a line by itself enables substring name matching for all the names that
follow. Use this mode for Japanese, Thai, Korean, or Chinese names that are written without
separators.
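A parser for the name file format just described, with a matcher that applies the two modes (complete-name and substring) to a text buffer, as an added example written for this section; it is not Fidelis code and does not claim to reproduce the product's own extraction. It assumes that "complete names only" means the name is not adjoined by word characters on either side, that ## affects every name listed after it to the end of the file, and that strict UTF-8 decoding is the right way to reject files in other encodings. The sample file is constructed for the example.

```python
"""Parser and matcher for the custom name database file format: UTF-8,
one name per line, '#' comment lines, blank lines ignored, '##' on a line
by itself switching all following names to substring matching.

Added example, not Fidelis code. Assumptions: a complete-name match means
no word character directly before or after the name; '##' applies to every
name after it; non-UTF-8 files are rejected by strict decoding.
"""
import re

# Constructed sample file (not a file shipped with the product).
SAMPLE_NAME_FILE = "\n".join([
    "# constructed custom name database",
    "Alice Johnson",
    "Bob Smith",
    "",
    " \t ",          # whitespace-only line: ignored
    "##",            # from here on: substring matching
    "山田太郎",
]).encode("utf-8")


def parse_name_file(data: bytes):
    """Return [(name, substring_mode), ...] from the raw file bytes.

    Decoding is strict: bytes that are not valid UTF-8 raise
    UnicodeDecodeError rather than silently producing garbage names.
    """
    text = data.decode("utf-8")
    names = []
    substring_mode = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                  # blank or whitespace-only line
        if line == "##":
            substring_mode = True     # all names that follow: substring mode
            continue
        if line.startswith("#"):
            continue                  # comment line
        names.append((line, substring_mode))
    return names


def is_valid_name_file(data: bytes) -> bool:
    """True when the file decodes as UTF-8 and at least one name is extracted."""
    try:
        return len(parse_name_file(data)) > 0
    except UnicodeDecodeError:
        return False


def find_names(buffer: str, names):
    """Return the database names present in buffer, in database order.

    Complete-name entries must not be adjoined by word characters, so
    'Bob Smithson' does not match 'Bob Smith'; substring entries match
    anywhere, which is what CJK text without separators needs.
    """
    found = []
    for name, substring_mode in names:
        if substring_mode:
            pattern = re.escape(name)
        else:
            pattern = r"(?<!\w)" + re.escape(name) + r"(?!\w)"
        if re.search(pattern, buffer):
            found.append(name)
    return found


if __name__ == "__main__":
    db = parse_name_file(SAMPLE_NAME_FILE)
    print(db)
    print(find_names("Contact Alice Johnson or Bob Smithson; 担当は山田太郎です", db))
```

The order of the checks in parse_name_file matters: the ## test must come before the generic # comment test, or the mode switch would be discarded as a comment. The match on "Bob Smithson" not firing for "Bob Smith" is the "complete names, not partial names" rule from the text; the Japanese name is found inside a sentence because it sits after the ## line.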
To upload a new name file:

1. Click Add New File and the Add New File dialog displays.

Figure 36. Identity Profile: Add New File


2. Click Browse to find and select a file on your workstation.



3. Enter a unique name for the file and optionally, a description.
4. Click Go. A dialog box asks you to confirm your file selection.

5. Click OK. The selected file will be uploaded to CommandPost and verified. If it is recognized
as a text file and names can be extracted, this new file will be displayed in the list. If the file is
not compressed, it will be compressed on the CommandPost.
Note: Files can be used by multiple identity profile fingerprints.

The following information is provided about each file.

• Name is the unique name provided when the file was uploaded.
• Comment is the description that was provided when the file was uploaded.
• Upload Date refers to the date and time when the file was uploaded.
• Names provides the count of Names extracted from the file.
• View can be clicked to see the full contents of the file. This will appear in a pop-up
window. The format will not be the same as the original file, but represents the extracted
words that will be used by the analyzer.
• Remove is active if the name file is not selected for a pattern set.
The uploaded file is available from the Name list on the Pattern Sets page.

Pattern Regular Expression


You can use regular expressions in Identity Profile to identify information specific to your enterprise
such as account or ID numbers.
At the Identity Profile>Patterns page:

1. Enter a name for the pattern.


2. Enter the regular expression. For example:
For a 7-digit account number, enter: \d{7}
For a member number starting with an uppercase letter followed by 3 to 5 digits, enter: [A-Z]\d{3,5}
For an ID number containing 3 uppercase letters, a dash, then 4 digits, enter: [A-Z]{3}-\d{4}
For more information about using regular expressions refer to Regular Expressions in Fidelis
XPS.

3. Click Add pattern. The new pattern is available as a Custom Pattern on the Pattern Sets
page. Select the new pattern and save it in a template to include it in an Identity Profile
fingerprint. Refer to Define Identity Profile.

Strictness in Identity Profile


Strictness is used to improve the accuracy of Identity Profile predefined patterns by setting an
expectation for the format of matching patterns. The choice of strictness determines the likelihood
of a pattern match and balances the desire to find every possible match versus managing false
matches.
For example, consider social security number matching and the fact that most spreadsheet
applications store this information as a number, unless specifically configured to store it in
another form. Also consider that valid social security numbers may begin with one or two zeros, so
that a stored spreadsheet number of seven digits may represent a valid social security number.
Setting low strictness, with a low threshold, will generate many false matches on 7 to 9 digit
numbers and may overwhelm your security organization. Instead, setting high strictness will reduce
matches to the strict format 123-45-6789, including the dashes, and will not match other formats.
Medium strictness may offer a balance between the two extremes.
Fidelis recommends using a multiple fingerprint approach. Refer to Using Identity Profile.



Several patterns supported in Identity Profile permit strictness to be configured in the GUI.
Strictness settings establish a required strictness that observed patterns in network traffic have to
meet or exceed to be considered a match. Each pattern such as National ID, Address, or IBAN
Bank Account Number, assigns an observed strictness in the 0-11 range when it finds a match.
The patterns that support configurable strictness are described in the sections below. For each
pattern a detailed description of the analyzer behavior is provided.
Note that a fingerprint setting looks for a pattern that matches “at least” the configured
strictness value. For example, a fingerprint pattern set to strictness 7 will match any
pattern observed to be strictness 7 through 11.

Details: Strictness by Pattern


Identity Profile assigns strictness to the patterns observed in network traffic. This strictness reflects
the appearance of the data. This strictness takes into account how the pattern is broken across
word boundaries, the intervening word separators used, and other nearby words in context.
National ID
Identity Profile supports strictness for National ID numbers of several countries. Strictness differs
depending on the National ID Number.

Australia Tax File Number (TFN)

• Strictness 11: The TFN is written as either a single, correctly-formatted word of eight or nine
digits; or as a correctly formatted triplet of numbers, each of length two or three. If written in
the triplet form, the first word's trailing separator must be a space or hyphen, and must be the
same as the second word's trailing separator. Examples that match strictness 11:
252500931
252-500-931
252 500 931
• Strictness 1: The TFN, at strictness 1, is a triplet of correctly formatted words. Additionally, the
first separator is something other than a space or hyphen; or the second separator must not
match the first. Examples that match strictness 1:
252.500.931
252-500 931
Austria Social Security Number

• Strictness 11: The number is ten digits long, written as either a single number or as two words
of 4 digits and 6 digits respectively. The checksum and date ranges must be valid. Examples
that match at strictness 11:
5800020184
3638 070925
Canada Social Insurance Number

• Strictness 11: The number at strictness 11 consists of either a single number of 9 digits or as
3 sets of 3 correctly formatted digits. Furthermore in the latter form, the separator must be a
space or hyphen. Examples that match strictness 11:

244896833
244-896-833
244 896 833
• Strictness 1: At strictness 1, the number is written as three sets of three digits. Also, either the
first separator is not a space or tab, or the second separator does not match the first
separator. Examples that match strictness 1:



244.896.833
244-896 833
Czech Republic Birth Number

• Strictness 11: The number at strictness 11 consists of 10 digits without separators. Examples
that match strictness 11:
7702287131
9860306137
772228/7131
Finland HETU

• Strictness 11: The number has 6 digits, then a plus (+), a hyphen (-), or an A, followed by 4
digits. Examples that match strictness 11:
041058+2910
120139A8888
270577-539P
France INSEE Code

• Strictness 11: The number at strictness 11 consists of a 15 digit number without separators.
Examples that match strictness 11:
210047931803387
168022524930336
Japan Resident Registration Number

• Strictness 11: The number at strictness 11 consists of an 11 digit number without separators.
Example that matches strictness 11:
12345678999
Israel Identification Number

• Strictness 11: The number at strictness 11 consists of 7 to 9 digits without separators.
Numbers with fewer than 9 digits are automatically zero-padded at the front if necessary.
Examples that match strictness 11:
007643919
151932878
16569196
Norway Personal Identification Number

• Strictness 11: The number at strictness 11 consists of either a single number of 11 digits or
two correctly-formatted numbers of lengths six and five respectively. Furthermore, in the latter
form, the separator must be a space or hyphen. Examples that match strictness 11:
18097957556
180979-57556
180979 57556

• Strictness 1: The number at strictness 1 is written as two numbers of length six and five
respectively but which are separated by something other than a space or hyphen. Example
that matches strictness 1:
180979,57556



Poland PESEL, NIP, REGON
These three types of Polish identity numbers are recognized when Polish national ID recognition is
enabled.

• PESEL
Poland PESEL follows the same strictness rules that apply to Norway Personal Identification
Numbers.

• NIP
Strictness 11: the NIP number is written in any of these three forms (where D is a digit):
DDD-DD-DD-DDD, DDD-DDD-DD-DD, DDDDDDDDDD. The latter form may also be prefaced with
PL. The checksum calculation must be valid. Examples that match strictness 11:
802-768-24-29
592-08-70-647
PL1583122926

• REGON
Strictness 11: the REGON number is written as a 7, 9, or 14 digit number having a valid
checksum calculation. Examples that match strictness 11:
5465904
676363348
80242838662962
Spain National ID Number (DNI)

• Strictness 11: The DNI number is 8 digits followed by a letter. It can be written as two
hyphenated words or as a single word. The checksum letter must be valid. Examples that
match strictness 11:
88563213-B
34342204F
Sweden Personal ID Number

• Strictness 11: Can contain any one of the following:
6 digits, a hyphen, then 4 digits,
8 digits, a hyphen, then 4 digits,
10 digits
12 digits
Examples that match strictness 11:
2012102220
541225-9227
20360883-1776
Turkey Personal Number

• Strictness 11: The number consists of 11 digits without separators. The last two digits are
check digits, and must be valid.



United Arab Emirates National ID Number

• Strictness 11: The ID must be a valid quadruplet of numbers separated by hyphens. The first
number must be 784 (the country code for UAE), the second must be four digits representing
a year (19XX or 20XX), the third is seven random digits, and the fourth is a single check digit
(which is not validated). The trailing separator can be white space or a comma. The preceding
separator must match the trailing separator. Examples that match Strictness 11:
784-1984-0987654-0
784-1968-8765432-1
784-2004-7654321-5
• Strictness 6: Valid quadruplet of numbers with spaces separating each group of numbers.
Examples that match strictness 6:
784 1984 0987654 0
784 1968 8765432 1
784 2004 7654321 5
• Strictness 5: Valid quadruplet of numbers with consistent non-hyphen separators, or no
separators. Examples that match strictness 5:
784,1984,0987654 0
784*1968*8765432 1
784200476543215
• Strictness 4: Hyphen separated number with valid country code, year, and number, but no
check digit; An otherwise valid number with different before and after separators; a single
number with the first four digits being a year, with seven remaining digits. Examples that
match strictness 4:
784-1984-0987654
+784-1968-8765432-1,
19786543219
• Strictness 3: Valid quadruplet of numbers whose first and second separators match, but not
the third; Valid quadruplet of numbers with no separator, and different before and after
separators. Examples that match strictness 3:
784-1984-0987654+0
+784196887654321,
• Strictness 1: The ID is strictness 1 if it appears in one of the following forms: A valid
quadruplet of numbers whose first and second separators do not match. For example:
784-1984+0987654-0
A valid quadruplet of numbers with more than one separator character between the first two
numbers or second and third numbers. For example:
784,,1984-0987654-0
784-1984,,0987654-0
United Kingdom National Insurance (NI) Number

• Strictness 11: At strictness 11, the NI can be written either as a single, valid alphanumeric
word or as a triplet (a valid two-letter word followed by three pairs of numbers). If written in the
latter form, the first word's separator must be space or tab and must match the other two
separators. Examples that match strictness 11:
XL 74 68 36
WH090576



• Strictness 1: The NI written at strictness 1 consists of a valid two-letter word followed by three
pairs of numbers. Additionally, the first word must have a trailing separator other than space or
tab; or the other two separators must be different from the first separator. Examples that
match strictness 1:
XL-74-68-36
XL 74 68-36
United States Social Security Number (SSN)
Strictness provides support for numbers across cells in a spreadsheet. This is generally ignored at
high strictness settings, but allowed at low settings. For example, if a U.S. Social Security Number
appears as three digit groups (aaa bb cccc) in three separate cells of a spreadsheet, the SSN
matches at strictness 5.

• Strictness 11: The SSN must be a valid triplet of numbers separated by hyphens. The first
number must be three digits, the second number must be two digits, and the final number
must be four digits. The trailing separator can be white space or a comma. The preceding
separator must match the trailing separator. Examples that match strictness 11:
044-56-6843
044-56-6843,
,044-56-6843,
• Strictness 6: Consists of a valid triplet of numbers with spaces between each group of
numbers. Example that matches strictness 6:
044 56 6843
• Strictness 5: The SSN must either be a valid triplet of numbers with consistent, non-hyphen
separators or a plain, valid nine-digit number. Examples that match strictness 5:
044566843
044,56,6843
044*56*6843

• Strictness 4: The SSN is a single number with different before and after separators. Examples
that match strictness 4:
-180079444,
• Strictness 3: The SSN has a trailing separator that is not a white space or comma. Examples
that match strictness 3:
180079444:
180079444-

• Strictness 1: The SSN is strictness 1 if it appears in one of the following forms:
• A valid triplet of numbers whose first and second separators do not match. Example:
044-56,6842
• A 7 or 8 digit number that forms a valid SSN when prefixed with zeroes. Examples:
3987232 or 44566842

Phone
International
International means any domestic number in any of the countries we support, or any of the country-
to-country forms.

• Strictness 11: International phone numbers written as multiple groups of digits, with a valid
dial out prefix, country code, and trailing digits have this strictness. Examples that match
strictness 11:
+690 0 880 68575
011 45 536 34477
• Strictness 5: International phone numbers written as a single, long number of 8-10 digits with
a valid calling code have this strictness. Examples that match strictness 5:
+690088068575
+0114553634477

• Strictness 1: International phone numbers written without a dial out prefix, or written as a
single, long number of 8 to 10 digits that is not prefixed with +. Examples that match strictness 1:
690088068575
0114553634477
United Kingdom

• Strictness 11: a UK domestic phone number, 10 or 11 digits total, in groups of at least 3 digits.
Examples that match strictness 11:
08457 740 740
02933 345 612
United States

• Strictness 11: written as two or three groups of numbers in the form of a 3 digit area code,
followed by a 3 digit prefix, an optional separator, and 4 trailing digits. Examples that match
strictness 11:
301.652.7190
301-652-7190
(301) 652-7190
3016527190
• Strictness 5: an 11-digit number whose first digit is a 1 followed by a valid area code then
trailing digits. Example that matches strictness 5:
13016527190

• Strictness 3: Phone numbers written as area code, separator, then three or seven digits, but
whose ending separator is not white space or comma are at this level.
Japan (Domestic Phone Numbers)

• Strictness 11: matches a geographic number or landline of 10 digits beginning with 0 and
having a valid area code. This strictness also matches a mobile number of 11 digits beginning
with 050, 070, 080, or 090. Examples that match strictness 11:
(0476) 34-6251
09077223557

• Strictness 4: matches a geographic number or landline of 9 digits where the leading 0 has
been omitted but the area code is otherwise valid. This strictness also matches a mobile
number of 10 digits where the leading 0 has been omitted, thus having a prefix of 50, 70, 80,
or 90. Examples that match strictness 4:
312345678
90 7722 3557

• Strictness 1: Matches a phone number written as either a single word, or in multiple digit
groups, where the full number has additional numbers either preceding or succeeding it
which are not part of the phone number. Or, the phone number is written as multiple groups of
digits, but the area code portion is not written as its own group. Examples that match strictness 1:
033 212 2323
99 03 3212 2323
99 03 3212 2323 00
Address
Japan

• Strictness 11: Japanese addresses are matched in either western form where the post code
typically appears at the end, or Japanese style where the post code typically appears at the
beginning. The post code consists of seven digits and may be written in two words “abc-defg”
or as a single number “abcdefg”. The post code must be valid and preceded or followed by a
prefecture name in English or Japanese.
Western form:
7-2, Marunouchi 2-Chome,
Chiyoda-ku, Tokyo 100-8799
• Strictness 4: This matches text containing a valid Japanese postal code but without a
prefecture name in English or Japanese in close proximity to the postal code.
United Kingdom

• Strictness 11: At this strictness level, the first word of the address must start with a number.
The following separator must be a space or a comma. (In case of multiple contiguous
separators, one will be chosen using precedence rules). There must be at least two words
between this initial word and the UK post code which terminates the address. The intervening
words must have only basic separators such as space, comma, or a new line but excluding
separators such as a semicolon. An example that matches strictness 11:
32 West End
Liverpool
SW1A 1AA
United States

• Strictness 11: A number followed in close proximity by a U.S. zip code.

International Bank Account Number (IBAN)

Handling of IBAN numbers, including assignment of strictness, does not vary according to the
number's associated country.

• Strictness 11: The IBAN number is written as a single alphanumeric word or as several
groups of characters separated by whitespace. Examples that match strictness 11:
FO6912345555555555
GR9112345678888999988889999
GR91 1234 5678888999988889999

• Strictness 1: The IBAN number appears as multiple groups of characters having non-white
space separators. Examples that match strictness 1:
GR91 1234-5678888999988889999
GR91;1234;5678888999988889999
SWIFT/ABA Bank Code
Strictness levels for Society for Worldwide Interbank Financial Telecommunication (SWIFT) codes
are:

• Strictness 11: matches a Society for Worldwide Interbank Financial Telecommunication
(SWIFT) code of 8 or 11 characters that include a country code where SWIFT is in common
use. Examples that match strictness 11:
MIDL GB 22
MIDL GB 22XYZ
BOFA US 3N XYZ

• Strictness 1: matches a SWIFT code of 8 or 11 characters that include a country code where
SWIFT is less commonly used. Examples that match strictness 1:
ABCDAQAB
Strictness levels for American Banker's Association (ABA) numbers are:

• Strictness 11: The ABA number is 9 digits, or shorter than 9 digits but preceded and followed
by white space or a double quote.
• Strictness 10: The ABA number is shorter than 9 digits but preceded by white space or a
double quote.
• Strictness 3: The ABA number is shorter than 9 digits and is not preceded by white space.
The valid delimiters for ABA routing numbers are listed below.
Space: ' '
New line: '\n'
Carriage return: '\r'
Tab: '\t'
Double quote: "
Credit Card

• Strictness 11: The credit card number is written as three or four groups of digits, having the
standard grouping used by the card issuer (for example: 4-4-4-4 for Visa/MasterCard, or 4-6-5
for American Express), having only consistent space and hyphen separators between digit
groups. The full credit card number is surrounded by only basic separators including newline,
space, comma, brackets, and period. Examples that match strictness 11:
3498-330730-10575
4175-0086-3766-6243
6222-802164-879155
• Strictness 8: allows only white space around long credit card numbers (no internal delimiter).
Examples that match strictness 8:
349833073010575
6222877822566568
• Strictness 7: The credit card number is written as a single number of 12-19 digits, surrounded
by separators including white space (including newline), comma, brackets, or period.
123. 349833073010575
• Strictness 5: The card number has one of these forms:
• two groups of digits
• three to four groups of digits, having consistent but non-standard separators between
digit groups (that is, separators other than hyphen or space).
• two to four groups of digits, but not in the standard grouping used by the card issuer (e.g.
4-4-4-4 for Visa/MasterCard, or 4-6-5 for American Express).
Examples that match strictness 5:
4175+0086+3766+6243
6228602 854897051

• Strictness 4: The card number has one of these forms:
• It is written as a single number of 12-19 digits, but is surrounded by separators other
than the basic ones (whitespace, newline, comma, brackets, and period).
• The card number is written as two to four groups of digits, but the separators before and
after the card number fall outside of the basic ones (whitespace, newlines, comma,
brackets, and period).
Examples that match strictness 4:
^349833073010575
-6222-8021-6487-9155
3498-330730-10575;
$6222-8021-6487-9155

• Strictness 1: The card number is written as two to four groups of digits, having varying
separators between digit groups. An example that matches strictness 1:
3498+330730-10575;
Date
The valid date delimiters are listed below. All delimiters are treated with the same
strictness rules.
Space: " "
Dot: "."
Hyphen: "-"
Comma: ","
Slash: "/"
Backslash: "\"
Comma then space: ", "
Dot then space: ". "

• Strictness 11: A date is some combination of day, month and year. At strictness 11, all parts
of the date must appear on the same line. Japan, traditional era, Western, Unicode, or Kanji
dates match at strictness 11. Two-digit years less than 30 are considered to be 20YY, while
two-digit years greater than or equal to 30 are considered to be 19YY. Descriptions of
Japanese characters below are surrounded by < and > symbols. Examples that match
strictness 11:

Japanese date separators with western digits:
1969<Year Kanji>7<Month Kanji>20<Day Kanji>
Japanese date separators with Kanji digits:
<Year in Kanji digits><Year Kanji><Month in Kanji digits><Month Kanji><Day in Kanji
digits><Day Kanji>
Emperor date with western digits:
<Emperor Kanji 1><Emperor Kanji 2>43<Year Kanji>7<Month Kanji>20<Day Kanji>
Narrow Emperor date with western digits:
<Narrow Emperor Kanji>43<Year Kanji>7<Month Kanji>20<Day Kanji>
Emperor date with Kanji digits:
<Emperor Kanji 1><Emperor Kanji 2><Emperor Year in Kanji digits><Year
Kanji><Month in Kanji digits><Month Kanji><Day in Kanji digits><Day Kanji>
Narrow Emperor date with Kanji digits:
<Narrow Emperor Kanji><Emperor Year in Kanji digits><Year Kanji><Month in Kanji
digits><Month Kanji><Day in Kanji digits><Day Kanji>
• Strictness 8: A date is some combination of month and year. At strictness 8, all parts of the
date must appear on the same line. Japan, traditional era, Western, Unicode, or Kanji dates
match at strictness 8.
Two-digit years less than 30 are considered to be 20YY, while two-digit years greater than or
equal to 30 are considered to be 19YY. Descriptions of Japanese characters below are
surrounded by < and > symbols. Examples that match strictness 8:
Japanese date separators with western digits:
7<Month Kanji> 1969<Year Kanji>
Japanese date separators with Kanji digits:
<Month in Kanji digits><Month Kanji><Year in Kanji digits><Year Kanji>
Emperor date with western digits:
7<Month Kanji><Emperor Kanji 1><Emperor Kanji 2>43<Year Kanji>
Narrow Emperor date with western digits:
7<Month Kanji><Narrow Emperor Kanji>43<Year Kanji>
Emperor date with Kanji digits:
<Month in Kanji digits><Month Kanji><Emperor Kanji 1><Emperor Kanji 2><Emperor
Year in Kanji digits><Year Kanji>
Narrow Emperor date with Kanji digits:
<Month in Kanji digits><Month Kanji> <Narrow Emperor Kanji><Emperor Year in
Kanji digits><Year Kanji>

• Strictness 3: A combination of year and month.

Vehicle Identification Number (VIN)

• Strictness 11: The VIN is 17 characters long, begins with a valid World Manufacturer
Identifier, and passes a checksum calculation. An example that matches strictness 11:
TMBPW16Y243935119

• Strictness 5: The VIN is 17 characters long, begins with a valid World Manufacturer Identifier,
but fails a checksum calculation. Many valid VINs outside of North America will have this
strictness. An example that matches strictness 5:
TMBEGF614W0828390
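The checksum that separates strictness 11 from strictness 5 above, as an added example (not Fidelis code). The page does not name the algorithm; this assumes the standard North American VIN check digit (ISO 3779 / 49 CFR 565), which agrees with both VINs quoted on the page. The World Manufacturer Identifier lookup is not implemented here.

```python
"""Check-digit verification for 17-character VINs.

Added example, not Fidelis code. Implements the standard North American
check digit (ISO 3779 / 49 CFR 565); the page does not name its checksum,
but this one agrees with both VINs quoted on the page. The WMI lookup that
strictness 11 and 5 also require is out of scope here."""

# Letter values for the check-digit calculation; I, O and Q never appear in a VIN.
TRANSLITERATION = {
    "A": 1, "B": 2, "C": 3, "D": 4, "E": 5, "F": 6, "G": 7, "H": 8,
    "J": 1, "K": 2, "L": 3, "M": 4, "N": 5, "P": 7, "R": 9,
    "S": 2, "T": 3, "U": 4, "V": 5, "W": 6, "X": 7, "Y": 8, "Z": 9,
}
TRANSLITERATION.update({str(d): d for d in range(10)})

# Position weights; position 9 (the check digit itself) has weight 0.
WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]


def vin_check_digit(vin: str):
    """Return the expected check character ('0'-'9' or 'X') for vin,
    or None if vin is not exactly 17 valid VIN characters."""
    vin = vin.strip().upper()
    if len(vin) != 17 or any(c not in TRANSLITERATION for c in vin):
        return None
    total = sum(TRANSLITERATION[c] * w for c, w in zip(vin, WEIGHTS))
    remainder = total % 11
    return "X" if remainder == 10 else str(remainder)


def vin_checksum_ok(vin: str) -> bool:
    """True when the 9th character equals the computed check digit."""
    expected = vin_check_digit(vin)
    return expected is not None and vin.strip().upper()[8] == expected


def vin_strictness(vin: str) -> int:
    """Strictness as the page describes it, minus the WMI lookup (assumption):
    11 = well-formed and checksum passes, 5 = well-formed but checksum fails,
    0 = not a 17-character VIN at all."""
    if vin_check_digit(vin) is None:
        return 0
    return 11 if vin_checksum_ok(vin) else 5


if __name__ == "__main__":
    for v in ("TMBPW16Y243935119", "TMBEGF614W0828390"):
        print(v, "check digit", vin_check_digit(v), "strictness", vin_strictness(v))
```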
Name
Names are compared against a database of names. The following name databases are provided
with Fidelis XPS software:

• U.S. census data includes names extracted from the latest census data. This database
provides the widest coverage of name recognition, however, the data also includes many
common words which can be misinterpreted as names.
• U.S. Popular Names is a version of the U.S. census data reduced to the most popular first
names and surnames with common English words removed. This is more restrictive than the
U.S. census database.
• UK Popular Names includes popular last names extracted from UK census information.

• France Popular Names includes popular French last names.
• Japan Popular Names includes popular Japanese names. This database consists of
Japanese characters and includes names written in different character sets.
It is possible to create a custom name file and upload it to CommandPost via the GUI. Refer to the
Advanced section in Define Identity Profile.
Identity Profile first detects a potential name, as a sequence of two to four words that are verified
against a selected database. All words longer than 1 character are checked against the name
database specified when you define a pattern set.

• Strictness 11: Name consists of two to four name words with uppercase letters and
separators including white space, comma, period, and dash. One of the name words may be
an uppercase initial located in the middle or at the end of the name. An example that
matches:
Neumann, John

• Strictness 4: The name satisfies the same criteria as strictness 11 but includes lowercase name
words. Examples that match:
von Neumann, John
von neumann, john

• Strictness 1: The name satisfies strictness 4 criteria, but allows any separators between name
words and may have an initial that precedes the name. An example that matches:
von Neumann, John * JOHNNY

Testing Strictness

For testing purposes, it can be helpful to see the observed strictness levels on matches for a
particular test file. This can be done through the CommandPost using the verbose-mode Test
feature. Refer to Test Results for Content Fingerprints for an explanation of the output.

Figure 37. Testing strictness

Identity Profile Score


The score of the Identity profile analyzer is set to the pattern count, as described in Pattern Count.
To match an Identity Profile fingerprint, the network data must include a pattern count greater than
the threshold defined on the General page.
However, the following exceptions apply:

• If sensitivity is on, then frequency analysis is performed. The score will be zero if frequency
analysis fails, even if the pattern count exceeds the threshold.
• Because identity profiling is statistically based, the network data must exceed the Low
Pass Filter. If the data set is too small, there will be no analysis, and therefore, no score.

Note: Profiling is the preferred method of content recognition because it relies on a description of the
content rather than a copy of the content.

Keywords
The keywords analyzer identifies matches and combinations of matches with words or phrases that
you can specify. A keyword fingerprint can be used to define a profile for the identification of digital
assets. Examples include sensitive project documents, source code, documents containing
watermarks, classified documents, etc. It can also be used to identify inappropriate language and
other violations of corporate network usage policies.
A keyword fingerprint can be created using one of two methods:

• Enter the keywords or phrases manually. Such words can make use of a built-in dictionary of
hypernyms and hyponyms (collectively referred to as synonyms in the GUI).

• Use the Fidelis XPS keyword generator to identify keywords within sample documents. This
method is similar to using the Partial Content registration method. In most cases, manual
keyword entry or the use of a Partial Content fingerprint will provide better results than the
keyword generator.
The keyword generator is useful in cases where you would like to register all sensitive documents,
but you do not have access to every document.
The fingerprint uses a scoring system where each expression is provided a weighted score. Scores
are used to determine the likelihood that the found content matches, or does not match, your
profile. Use positive numbers for expressions that are highly likely to match your profile. Use
negative numbers for expressions that indicate that the transferred data is not part of the profile.

Define Keywords Manually


To define keywords:

1. Enter general information about the fingerprint. Refer to Add a Content Fingerprint and The
General page for more information.
2. Click Save Changes. The Keywords and Generate Profile links appear.

Figure 38. Keywords Edit page

3. Click Keywords. You can edit an existing keyword directly on the page or click Add keyword to
display new text boxes. Delete removes a keyword.
4. Enter one or more keywords and attributes for each as needed.

• Synonym: Refer to Synonyms for a description of this feature.

• Match case can be checked to force the keyword analyzer to match only the exact case
of the entered keyword or phrase. If left unchecked, the analyzer will perform case-insensitive
matches.
• Whole word can be checked to force Fidelis XPS to match the exact word. If left
unchecked, matches will be made when the keyword is found within other words. For
example, “cat” would match “cats” only if Whole word was not checked.
• Score is the value to apply to the total score when the keyword is found. The number may be
positive or negative. Keywords use the score of each keyword to create a total score. If the total
score exceeds the threshold, the fingerprint will match.
• Limit is the number of times the keyword may be used to change the total score. Limits
can be set to reduce the influence of a word that may occur many times in transmitted
messages and files.

5. Click Save Changes. After saving, the list of keywords is sorted alphabetically.
6. Click General and adjust the threshold so that the keywords are not hitting unexpectedly. For
example, if all keywords have a score of 1, set the threshold to one less than the total number of
keywords.
You can also click Policy Wizard to save changes and proceed to the next step in creating and
assigning a policy. Refer to Policy Wizard.
If desired, verify the fingerprint before deploying it. Refer to Test Content Fingerprints.

Generate Keywords
The keyword generation process accepts input files, which are scanned for words common to all
files. The process works well when all files are similar. In this case, the result will be a profile that
can be used to identify other similar files. If the files presented to the generation process are
not similar to each other, the list of keywords may not be beneficial for profiling purposes.
To create a keyword fingerprint based on profile generation:

1. Identify documents that represent the profile that you would like to create.

a. Enter general information about the fingerprint. Refer to Add a Content Fingerprint
and The General page for more information.
b. Click Save Changes. The Keywords and Generate Profile links appear.
c. Click Generate Profile.

2. Click to open a WinSCP session.

3. Create a CommandPost data folder and copy the files identified in step 1.

4. Select the appropriate data folder in the drop down list.

5. Click Match Case, if desired.

6. Click Generate. A keyword list is created if there were no errors in the process. At the end of
the list is the output of the generation process including any errors.
You can edit the generated fingerprint. The Delete and Add Keyword buttons work the same
as they do on the Keyword page. Refer to Define Keywords Manually . Clicking Clear removes
all keywords.

7. Click Save Changes. This will replace any keywords already saved by the manual process or
the generation process. Click OK at the confirmation dialog box. A fingerprint is generated
based on the sample files.
You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.

8. If desired, verify the fingerprint before deploying it. Refer to Test Content Fingerprints. For
information about verbose testing results, refer to Test Results for Content Fingerprints.
Note: Generated keyword fingerprints do not use the synonym feature.

Keywords Score
The score of the Keywords analyzer is the total score of all keywords found in the transmitted data.
Each keyword has its own score as defined in the fingerprint. The result is a weighted score of the
analysis.
The total score must exceed the threshold for the fingerprint to match.

Keyword List
Keyword List enables you to create a fingerprint containing a large set of keywords by placing them in
a text file and uploading this file to CommandPost. Keyword List is optimized for lists of keywords that
exceed 1000 words. The Keywords analyzer is better for smaller lists that are entered using the
GUI.
Any UTF8 text file can be used as the keyword list file. Non-UTF8 encoding is not supported. Each
line in the keyword list file is a keyword or keyword phrase, with white space characters (spaces or
tabs) between the words of a phrase.

• Lines beginning with a pound (#) character are treated as comments and ignored. For a
keyword that begins with #, use a backslash (\) to escape it. There is no need to escape the #
character if it occurs anywhere else within the line.
• Blank lines or lines with only white space characters are ignored. White space characters are
canonicalized when loading the keyword list file and during runtime analysis of network traffic.
This means that multiple consecutive white space characters (combinations of spaces, tabs,
or new lines) in the buffer are reduced to a single white space character for more accurate
matching across a combination of white space characters or for matching across extra white
space characters. Only complete keywords found in the buffer are matched, not partial
keywords.
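The keyword-list file rules above and the Keyword List scoring (count of whole keywords, each counted up to the container's limit, score must exceed the threshold), as an added example that is not Fidelis code. The sample list file and traffic are constructed, and "whole keyword" is approximated with word-boundary checks.

```python
"""Keyword List: parse a keyword-list file as the page describes and score a
buffer the way the Keyword List analyzer does (count of whole keywords found,
each counted at most `limit` times, 0 = unlimited; score must exceed threshold).

Added example, not Fidelis code. SAMPLE_LIST and SAMPLE_TRAFFIC are constructed;
"whole keyword" is approximated with \\w boundaries."""
import re
from typing import Dict, List, Tuple


def canonicalize(text: str) -> str:
    """Collapse runs of spaces, tabs and newlines to one space, as the analyzer
    does both when loading the list and when inspecting network traffic."""
    return re.sub(r"\s+", " ", text).strip()


def parse_keyword_list(contents: str) -> List[str]:
    """One keyword or phrase per line. A leading '#' marks a comment line,
    a leading backslash escapes a keyword that really starts with '#', and
    '#' anywhere else in the line is literal. Blank lines are skipped."""
    keywords = []
    for raw in contents.splitlines():
        if not raw.strip():
            continue                      # blank or whitespace-only line
        if raw.startswith("#"):
            continue                      # comment line
        if raw.startswith("\\#"):
            raw = raw[1:]                 # drop the escaping backslash
        keywords.append(canonicalize(raw))
    return keywords


def keyword_list_score(keywords: List[str], buffer: str,
                       limit: int = 0, match_case: bool = False) -> Tuple[int, Dict[str, int]]:
    """Return (total score, per-keyword counts) for the buffer."""
    text = canonicalize(buffer)
    flags = 0 if match_case else re.IGNORECASE
    counts = {}
    for kw in keywords:
        # the keyword must not be glued to letters, digits or '_' on either side
        pattern = r"(?<!\w)" + re.escape(kw) + r"(?!\w)"
        hits = len(re.findall(pattern, text, flags))
        counts[kw] = min(hits, limit) if limit else hits
    return sum(counts.values()), counts


def keyword_list_matches(keywords: List[str], buffer: str, threshold: int,
                         limit: int = 0, match_case: bool = False) -> bool:
    """The fingerprint matches only when the score exceeds the threshold."""
    return keyword_list_score(keywords, buffer, limit, match_case)[0] > threshold


# Constructed sample container file (not a real list).
SAMPLE_LIST = """# codenames for the Aurora programme (comment line, ignored)
Project   Aurora
\\#internal-only

quarterly forecast
bug#4711
"""

# Constructed sample of network traffic.
SAMPLE_TRAFFIC = """Re: project\taurora status
The PROJECT AURORA quarterly
forecast is attached; see bug#4711 and bug#4711 again, but not bug#47110. #internal-only
"""

if __name__ == "__main__":
    kws = parse_keyword_list(SAMPLE_LIST)
    print("keywords :", kws)
    print("unlimited:", keyword_list_score(kws, SAMPLE_TRAFFIC))
    print("limit 1  :", keyword_list_score(kws, SAMPLE_TRAFFIC, limit=1))
    print("match case, threshold 3:",
          keyword_list_matches(kws, SAMPLE_TRAFFIC, threshold=3, match_case=True))
```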

Define Keyword List


To define a Keyword List fingerprint:

1. Enter general information about the fingerprint. Refer to Add a Content Fingerprint and The
General page for more information.
2. Click Save Changes. The Content link appears.
3. Click Contents. You will see a list of all files that have been previously uploaded to
CommandPost. These are referred to as Container files. If there are no container files on
CommandPost, you will see an empty list.
4. To upload a new container file, click Add New File and the new file dialog will display.

Figure 39. Keyword List: Add New File

a. Click Browse to find and select a file on your workstation.
b. Enter a unique name for the container and optionally, a description.
c. Click Go. A dialog box asks you to confirm your file selection.
d. Click OK. The selected file will be uploaded to CommandPost and verified. If it is
recognized as a text file and keywords can be extracted, this new container will be
displayed in the container list.
Note: In Fidelis XPS, fingerprints describe attributes of network data transfers in terms of the content,
the sender/receiver (location), or the method of transfer (channel).
Note: Containers can be used by multiple keyword list fingerprints and a single
fingerprint may include multiple containers.

Figure 40. Keyword List: Contents

5. To choose container files for use in the fingerprint, click the associated Use checkbox. If Use
is unselected, all other controls, except delete, are disabled.
Information is provided about the container file to aid in your selection.

• Name is the unique name provided when the file was uploaded.
• Comment is the description that was provided when the file was uploaded.
• Upload Date refers to the date and time when the file was uploaded.
• Keywords provides the count of words extracted from the container.
• View can be clicked to see the full contents of the container file. This will appear in a
pop-up window. The format will not be the same as the original file, but represents the
extracted words that will be used by the analyzer.

6. Select attributes to apply to the container file:

• If Match Case is selected, the case, as written in the container file, will be utilized. If
Match Case is unselected, keyword matching is case independent.
• Choose a limit to be applied to the words in the container file. If the limit is set to 0, all
matching words will be counted. If the limit is set to a number, then each word in the
container file will be counted, at most this many times. For example, if the limit is set to
two, each word in the container will be counted only twice even if it appears in network
traffic more frequently.

7. Click to remove a container file. If the Use checkbox is clicked, remove will not be available.
Because a container may be used by another fingerprint, the remove operation must be
validated by CommandPost. If it is determined that the container is in use, either by the last
saved version of the current fingerprint or by another, the remove operation will be denied.
8. Click Save Changes to save the fingerprint with all selected containers and attributes.
You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.
Note: Modifying container files, either by removing or adding them, will result in a Policy
Update requirement for each sensor, whether or not the container is currently in use.

9. If desired, verify the fingerprint before deploying it. Refer to Test Content Fingerprints and
Test Results for Content Fingerprints.

Keyword List Score
The score of the Keyword List analyzer is the total count of all keywords found in the transmitted
data. Each keyword is counted up to the selected limit for the container file. A limit of zero is
unlimited matching of each word.
The score must exceed the threshold for the fingerprint to match.

Keyword Sequence
The keyword sequence analyzer identifies matches of keywords that occur in a specific order. A
keyword sequence fingerprint can be used to define a profile for the identification of digital assets.
Examples include sensitive project documents, legal disclaimers, and violations of other corporate
policies. A keyword sequence fingerprint can also be used to identify a form, such as a time sheet,
health coverage election form, or contract proposals.
Note that in the matching data, keywords can be interposed with arbitrary data. Only the order of
keywords is important, not their adjacency.
For example, for the keyword sequence keyword1, keyword2, keyword3, the following data will match:
keyword1 user data keyword2 user data keyword3 user data
A keyword sequence fingerprint can be created using one of two methods:

• Enter the keywords or phrases manually. Such words can make use of a built-in dictionary of
hypernyms and hyponyms (collectively referred to as synonyms in the GUI).

• Use the Fidelis XPS keyword sequence generator to identify keyword sequences within
sample documents. This method is similar to using the Partial Content registration method.
Refer to Partial Content. In most cases, manual keyword entry or the use of a Partial Content
fingerprint will provide better results than the keyword sequence generator.
The keyword sequence generator is useful in cases where you would like to register all sensitive
documents, but you do not have access to every document. Your alternative is to create a keyword
sequence profile which will match documents similar to the one used for keyword sequence
generation.

Define Keyword Sequence Manually


To define a keyword sequence:

1. Enter general information about the fingerprint. Refer to Add a Content Fingerprint and The
General page for more information.
2. Click Save Changes. The Keywords and Generate Profile links appear.

Figure 41. Keyword Sequence Edit page


3. Click Keywords. You can edit an existing keyword directly on the page or click Add keyword to
display new text boxes. Delete removes a keyword.

4. Enter one or more keywords and attributes for each as needed.
• The keyword can be a word or phrase (including spaces). The analyzer will search for
the exact word or phrase, as typed, in the data transmission.
• Synonym: Refer to Synonyms for a description of this feature.
• Match case can be checked to force the keyword analyzer to match only the exact case
of the entered keyword or phrase. If left unchecked, the analyzer will perform case-insensitive
matches.
• Score is the value to apply to a total score when the keyword is found. The number may
be positive or negative. Keyword Sequence uses the score of each keyword to create a
total score. If the total score exceeds the threshold, the fingerprint will match.

5. Click Save Changes. After saving, the list of keywords is sorted alphabetically.
6. Click General and adjust the threshold so that the keywords are not hitting unexpectedly. For
example, if all keywords have a score of 1, set the threshold to one less than the total number of
keywords.
You can also click Policy Wizard to save changes and proceed to the next step in creating and
assigning a policy. Refer to Policy Wizard.

7. If desired, verify the fingerprint before deploying it. Refer to Test Content Fingerprints and
Test Results for Content Fingerprints.

Generate Keyword Sequence


The keyword sequence generation process accepts input files, which will be scanned for
sequences of words common to all files. The process works well when all files are similar. In this
case, the result will be a profile that can be used to identify other similar files. If the files
presented to the generation process are not similar to each other, the list of keywords may not be
beneficial for profiling purposes.
To create a keyword sequence fingerprint based on profile generation:

1. Identify documents that represent the profile that you would like to create.

a. Enter general information about the fingerprint. Refer to Add a Content Fingerprint and The
General page for more information.
b. Click Save Changes. The Keywords and Generate Profile links appear.
c. Click Generate Profile.

2. Click to open a WinSCP session.

3. Create a CommandPost data folder and copy the files identified in step 1.

4. Select the appropriate data folder in the drop down list.

5. Click Match Case, if desired.

6. Click Generate. A keyword list is created if there were no errors in the process. At the end of
the list is the output of the generation process including any errors.
You can edit the generated fingerprint sequence. The Delete and Add Keyword buttons work
the same as they do on the Keyword page. Refer to Define Keyword Sequence Manually .
Clicking Clear removes all keywords.

7. Click Save Changes. This will replace any keywords already saved by the manual process or
the generation process. Click OK at the confirmation dialog box. A fingerprint is generated
based on the sample files.
You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.

[20] Profiling is the preferred method of content recognition because it relies on a description of the
content rather than a copy of the content.

Fidelis XPS Guide to Creating Policies 114


8. If desired, verify the fingerprint before deploying it. Refer to Test Content Fingerprints and
Test Results for Content Fingerprints.
Note: Generated keyword sequence fingerprints do not use the synonym feature.

Keyword Sequence Score


The score of the Keyword Sequence analyzer is the total score of all keywords found in the
transmitted data. Each keyword has its own score as defined in the fingerprint. The result is a
weighted score of the analysis.
Keywords are not counted when detected out of sequence. For example, consider a keyword
sequence of six words: k1, k2, k3, k4, k5, and k6. Suppose each has a score of 1 and the threshold
is set to 3. This fingerprint will match on a sequence of at least 4 words. Now suppose the following
is detected in network traffic:
1. k1 other other k2 other other k6
2. k3 other other other
3. k1 other other other k2 k3
4. other other other k4
When the first line is encountered, detection of keywords k1 and k2 will increment the score to 2.
The score will not increase until the next keyword in the sequence (k3) is found on the second line.
Note that other keywords occur out of sequence between k2 and k3, which do not impact the score.
In this example, a score of 4 is found at the fourth line with detection of k4. This detection will
generate a keyword match.
Thus, the score is the total sum of any sequence of keywords detected. That sequence may be
broken by the detection of out-of-order keywords.
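The walk through the four lines above, as an added Python model of Keyword Sequence scoring (example code written for this page, not Fidelis code): only the next keyword in the configured order can raise the score, and out-of-sequence hits are ignored. Single-word keywords and the tokenizer are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Keyword:
    """One entry of a Keyword Sequence fingerprint (single-word keywords assumed)."""
    text: str
    score: int = 1


def tokenize(text: str, match_case: bool = False) -> list[str]:
    # Assumed tokenizer: runs of word characters; with Match Case off, fold to lower case.
    words = re.findall(r"[\w']+", text)
    return words if match_case else [w.lower() for w in words]


def sequence_scores(sequence: list[Keyword], lines: list[str],
                    match_case: bool = False) -> list[int]:
    """Return the running score after each line of traffic.

    Only the next expected keyword can add to the score; any other keyword
    seen in the meantime is out of sequence and is ignored.
    """
    expected = 0          # index of the keyword we are waiting for
    score = 0
    running = []
    for line in lines:
        for token in tokenize(line, match_case):
            if expected == len(sequence):
                break     # the whole sequence has already been found
            wanted = sequence[expected].text
            if not match_case:
                wanted = wanted.lower()
            if token == wanted:
                score += sequence[expected].score
                expected += 1
        running.append(score)
    return running


def sequence_matches(sequence: list[Keyword], lines: list[str],
                     threshold: int, match_case: bool = False) -> bool:
    """The fingerprint matches when the total score exceeds the threshold."""
    scores = sequence_scores(sequence, lines, match_case)
    return (scores[-1] if scores else 0) > threshold


# Constructed traffic reproducing the four lines of the example above.
SEQUENCE = [Keyword(f"k{i}") for i in range(1, 7)]   # k1 .. k6, score 1 each
TRAFFIC = [
    "k1 other other k2 other other k6",   # k1, k2 count; k6 is out of sequence
    "k3 other other other",               # k3 counts
    "k1 other other other k2 k3",         # all out of sequence, ignored
    "other other other k4",               # k4 counts: score 4 > threshold 3
]

if __name__ == "__main__":
    print(sequence_scores(SEQUENCE, TRAFFIC))       # [2, 3, 3, 4]
    print(sequence_matches(SEQUENCE, TRAFFIC, 3))   # True
```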

Synonyms for Keywords and Keyword Sequence


You can direct the keyword analyzer to use synonyms of your keywords. In reality, the keyword
analyzer is using hypernyms and hyponyms. Use of this function can help you create a more robust
set of keywords for detection of sensitive information. Fidelis uses an open source lexical database
of the English language to implement this feature.

• A hypernym is a more general example of a word. For example, hypernyms of automobile
include car, auto, motorcar, and machine.
• A hyponym is a more specific example of a word. For example, hyponyms of automobile
include convertible, coupe, sedan, SUV, and minivan.
To use synonyms:

1. Click Synonym next to the desired keyword. A dialog box will display below the keyword
containing the matching hypernyms and hyponyms.

Figure 42. Keywords: Synonyms

2. You can change the level of hypernyms and hyponyms by clicking to increase the level or
by clicking to decrease the level. Available levels range from 0 – 3, with a default of 1.
Score, Limit, and Whole word settings apply equally to synonyms and to keywords. It is not
possible to match case when using the synonym database, therefore match case and
synonyms are mutually exclusive.



When you change levels you are asking the system to match words farther up or down the
lexical database. For example, at level=1 the more general terms (hypernyms) of automobile are
car, auto, motorcar, and machine. At level=2, the system provides the hypernyms for each
of these words. Increasing the specific (hyponym) level works the same way. Therefore, as
you increase the levels, the number of matching words may increase dramatically.

If you enter a new keyword, click to retrieve synonyms for the keyword.
The sensor uses the same lexical database. CommandPost lets you view the list of matching
words, but the list cannot be edited.

3. After you save a fingerprint with synonyms, the dialog box will be hidden the next time you
edit the fingerprint. To see the dialog box press the +. To hide the box, press -.

Partial Content
The partial content analyzer relies on documents registered with CommandPost. The
registration[21] process requires a user to copy one or more files to the CommandPost and
generate a fingerprint. After the fingerprint is generated and saved, all documents can be removed
from CommandPost.
Fingerprint generation creates a binary array to identify portions of the registered document. The
generation process divides a document into “windows” of data. Each window is defined by a size,
represented in a number of words.
Each window is scanned and stored as a binary segment in the generated fingerprint. There is no
process to recover the original words, their order, or the original file names from the fingerprint. The
result is a secure storage of critical information, which cannot be used to reconstruct the original
information.
At runtime, the partial content analyzer scans windows of words stepping one word at a time. In
every scan, it attempts to check if all the bits corresponding to the words in the window are set.
One missing word is enough to invalidate a window causing the analyzer to continue to test the
following one. If all the words in a window were matched to the array, the analyzer increases the
score by one.
The analyzer guarantees zero false negatives; however, as the binary array grows with more
registered files, the probability of false positives gradually increases. In theory, the analyzer is
designed for one false positive per trillion registered words; in practice, however, registering a
document and matching against very similar documents will result in a higher false positive rate.
The false positive rate can be decreased either by enlarging the window size or by increasing the
fingerprint threshold. Those parameters are highly dependent on the nature of the data.
The partial content analyzer can flag or prevent the transfer of a registered file, or portions of that
registered file that were pasted into other contexts. Partial Content is useful in situations when
profiling[22] is not possible, and when sensitive files can be located and copied to CommandPost for
(at least) a brief time.
Partial Content analysis is based on detection of words within textual content. It cannot be used for
recognition of binary content.

[21] Registration is one method of identifying content. It requires the identification of documents to be
protected, locating said documents, and registering them with Fidelis XPS.
[22] Profiling is the preferred method of content recognition because it relies on a description of the
content rather than a copy of the content.



Define Partial Content
To define this fingerprint:

1. Identify your sensitive documents that require protection.

2. Add a new Partial Content fingerprint and enter the general information about the fingerprint.
Refer to Add a Content Fingerprint and The General page for more information.

3. Click Save Changes. The Generate Fingerprint link appears.

4. Click to open a WinSCP session.

5. Create a folder on the CommandPost to store sensitive documents.

6. Transfer the documents that you want to register to the CommandPost.

7. Click Generate Fingerprint. This page appears with default values.

Figure 43. Partial content edit page

8. Select the data folder that contains the files copied to CommandPost in step 6. If more
documents are required, click to open a WinSCP session.

9. Keep the default values or change them.


Table 6. Partial Content: Generate Fingerprint

Checkboxes and fields – Description

Verbose – Click to provide more detail in the result.
Ignore Case – Click to make all comparisons case-insensitive.
Stemming – Click to detect the stemmed version of words in network traffic, ignoring prefixes and
suffixes.
Window Length – Provides the window size. Network traffic with this number of words, matching the
original content, increases the score by 1. If the total number of matched windows exceeds the
threshold, then the fingerprint evaluates to true.
Skip Length – Specifies the number of words to skip. By setting this to 1, the scanner will skip one
word from the start of the previous window, thus creating all possible overlapping windows of
words. By setting it to a number equal to the window length, the scanner will create unique,
non-overlapping windows. High numbers lead to faster fingerprint generation performance. Lower
numbers lead to more exhaustive fingerprints. This setting has no impact on sensor performance
when analyzing network traffic.
Ignore Words Less Than – Provides a minimum word size to count. Words smaller than this number
will be skipped in both the fingerprint creation process and when matching against network traffic.
Ignore Words More Than – Provides a maximum word size to count. Words larger than this number
will be skipped in both the fingerprint creation process and when matching against network traffic.
10. Click Generate to create the fingerprint.
11. Click Save Changes.
You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.

12. If desired, verify the fingerprint before deploying it. Refer to Test Content Fingerprints and
Exact Content Test Results.
13. If desired, remove the original documents from the CommandPost to maintain their security.

Partial Content Score


The score represents the number of windows detected within network traffic. The threshold
specified at the General page should be set accordingly.
For example, with a window size of 16, and a threshold of 10, at least 11 16-word windows
matching the original content, must be detected on the network to match the Partial Content
fingerprint.
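A simplified model of the Partial Content analyzer and its score (added example, not Fidelis code), covering the window and word-length settings from Table 6: registration sets a bit per word of each window in a binary array, and at scan time a window scores 1 only when every one of its words has its bit set. The SHA-256 hash, the array size and the sample texts are assumptions.

```python
import hashlib
import re


class PartialContentFingerprint:
    """Model of the Partial Content analyzer (assumed structure, not Fidelis code).

    Word order and file names are never stored, only one bit per word, so the
    array cannot be turned back into the registered document. As more words
    set bits, unrelated words may collide with set bits: that is the false
    positive risk the guide describes.
    """

    def __init__(self, window_length: int = 16, skip_length: int = 1,
                 ignore_case: bool = True, min_word_len: int = 1,
                 max_word_len: int = 64, array_bits: int = 1 << 24):
        self.window_length = window_length
        self.skip_length = skip_length          # registration stride (Table 6)
        self.ignore_case = ignore_case
        self.min_word_len = min_word_len        # "Ignore Words Less Than"
        self.max_word_len = max_word_len        # "Ignore Words More Than"
        self.nbits = array_bits
        self.bits = bytearray(array_bits // 8)  # the binary array
        self.registered_windows = 0

    def _words(self, text: str) -> list[str]:
        words = re.findall(r"\w+", text)
        if self.ignore_case:
            words = [w.lower() for w in words]
        return [w for w in words if self.min_word_len <= len(w) <= self.max_word_len]

    def _index(self, word: str) -> int:
        # Assumed hash: first 8 bytes of SHA-256, reduced to the array size.
        digest = hashlib.sha256(word.encode("utf-8")).digest()
        return int.from_bytes(digest[:8], "big") % self.nbits

    def _set(self, word: str) -> None:
        i = self._index(word)
        self.bits[i >> 3] |= 1 << (i & 7)

    def _is_set(self, word: str) -> bool:
        i = self._index(word)
        return bool(self.bits[i >> 3] & (1 << (i & 7)))

    def register(self, document: str) -> int:
        """Register a document; returns the number of windows processed."""
        words = self._words(document)
        last_start = len(words) - self.window_length
        if last_start < 0:
            return 0                            # too short for one full window
        count = 0
        for start in range(0, last_start + 1, self.skip_length):
            for word in words[start:start + self.window_length]:
                self._set(word)
            count += 1
        self.registered_windows += count
        return count

    def score(self, traffic: str) -> int:
        """Count fully matched windows, stepping one word at a time."""
        words = self._words(traffic)
        score = 0
        for start in range(len(words) - self.window_length + 1):
            window = words[start:start + self.window_length]
            if all(self._is_set(w) for w in window):   # one missing word invalidates
                score += 1
        return score

    def matches(self, traffic: str, threshold: int) -> bool:
        """Window size 16 with threshold 10 needs at least 11 matched windows."""
        return self.score(traffic) > threshold


# Constructed sample document and traffic (not taken from the guide).
REGISTERED_DOC = ("The quarterly budget forecast shows revenue growth of twelve "
                  "percent across the northeast region")
PASTED_FRAGMENT = "Reminder: revenue growth of twelve percent was discussed"
UNRELATED_TEXT = "Lunch menu posted in the kitchen today"


def demo(window_length: int = 4) -> dict:
    fp = PartialContentFingerprint(window_length=window_length)
    fp.register(REGISTERED_DOC)
    return {"pasted": fp.score(PASTED_FRAGMENT), "unrelated": fp.score(UNRELATED_TEXT)}


if __name__ == "__main__":
    print(demo())   # {'pasted': 2, 'unrelated': 0}
```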

Protocol Signature
For the majority of protocols, Fidelis XPS includes standard protocol decoders. Protocol Signature,
however, enables you to also match on protocols beyond the standard application protocols. For
example, you can detect protocols specific to your enterprise, or protocols that have just appeared
and which are not yet supported by an official Fidelis XPS release. Protocol Signature uses regular
expressions or YARA rules that match on a protocol's content.

Define Protocol Signature


Protocol Signature takes a list of regular expressions or YARA rules and compares them to data
extracted from network traffic. The fingerprint name becomes the protocol name listed in the Alert
Details[23] page. An asterisk (*) is added to the protocol name to differentiate this protocol from the
standard protocols that ship with Fidelis XPS.
To define protocol signature:

1. Enter general information about the fingerprint. Refer to Add a Content Fingerprint and The
General Page for more information.

2. Click Save Changes. The Contents link appears.

[23] Alert Details is the most granular level for examining alert data.



Figure 44. Protocol Signature Edit page

3. Click Contents.
4. Select either Match All Unknown Protocols, or Define Protocols by Regular Expression or
Define Protocol by YARA Rule.
Note: You can use either a regular expression or a YARA rule in a Protocol
Signature fingerprint; you cannot use both in the same fingerprint.
If All Unknown Protocols is selected, this matches any detected unknown protocols. Click
Save Changes.
If Define Protocol by Regular Expression is selected, click Add regexp for text boxes to
display.

Enter your regular expressions into the text boxes. Use one or more regular expressions that
match on the client or server streams of the protocol. Several examples are provided below:
• To match the MySQL protocol, you can enter \x00\x00\x00\x03(?i)select\x20
as the first regular expression and the following as the second
regular expression: .\x00\x00.\xff..\x23..0{3}
• Enter git-upload-pack to detect operations of the git protocol.
Protocol Signature does not support the use of \U, \u, \L or \l. Refer to Regular Expressions in
Fidelis XPS.
Click Add regexp to add more expressions. Clicking Delete removes an expression.

For Define Protocol by YARA Rule:


Enter your YARA Rules into the text box. Use one or more YARA Rules that match on the
client or server streams of the protocol.
To match the MySQL protocol, you can enter:
rule MySQLRule
{
    strings:
        // the same bytes as \x00\x00\x00\x03 in the regular expression above
        $hex_str = { 00 00 00 03 }
        $text_string = "select" nocase
        // a single space byte (\x20)
        $hexstr2 = { 20 }
        // ?? is a wildcard for any single byte
        $hexstr3 = { ?? 00 00 FF ?? ?? 23 ?? ?? 00 00 00 }
    condition:
        // identifiers in the condition must match the declared string names exactly
        $hex_str and $text_string and $hexstr2 and $hexstr3
}
To detect operations of the git protocol, you can enter:
rule MyGitUploadRule
{
    strings:
        $text_string = "git-upload-pack"
    condition:
        $text_string
}
5. Click Save Changes. After every save, the YARA rule or regular expression syntax is verified,
and an entry with syntax errors is not saved. It is wise to save after adding each regular expression
or YARA rule.
You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.

Protocol Signature Score


The score of the Protocol Signature analyzer is the total score of all expressions or YARA rules
found in the transmitted data. Each expression has an implied value of 1. The total score must
exceed the threshold for the fingerprint to match.

Regular Expression
The regular expression analyzer is similar to the Keywords analyzer. Keyword matches are based
on an exact match of the user-provided keyword or key phrase, whereas a Regular Expression
match is based on a regular expression.
If you require an exact match, the Keyword analyzer provides better performance than the Regular
Expression analyzer. Refer to Regular Expressions in Fidelis XPS for more information.
A Regular Expression fingerprint can be used to define a profile for the identification of digital
assets. Examples include sensitive project documents, source code, documents containing
watermarks, or classified documents. It can also be used to identify inappropriate language and
other violations of corporate network usage policies.
The uses are very similar to those for the Keyword fingerprint. Use a Regular Expression fingerprint
when Keywords are not sufficient.
One example to illustrate the difference is detection of a key phrase such as “top secret.” A
keyword fingerprint can be created with the phrase “top secret” and it will match this phrase in
many cases. However, a match will fail if the network traffic contains the words “top” and “secret”
separated by two spaces instead of one. A match will also fail if “top” and “secret” are separated by
a carriage return or a new line.
A regular expression, such as “top[\s]+secret” would match all such cases.
The fingerprint uses a scoring system where each expression is provided a weighted score, similar
to Keywords. Scores are used to determine the likelihood that the found content matches, or does
not match, your profile. Use positive numbers for expressions that are likely to match your profile.
Use negative scores for expressions that indicate that the transferred data is not part of the profile.

Define Regular Expressions


Regular Expression takes a list of regular expressions and compares them to data extracted from
network traffic. A score is assigned to each regular expression from the list. The score can be
either a positive or negative number. A regular expression can match more than once, up to a
specified limit. Each match adds or subtracts the assigned score to the total score. If the result
exceeds an assigned threshold, the fingerprint is matched.
To define regular expressions:

1. Enter general information about the fingerprint. Refer to Add a Content Fingerprint and The
General Page for more information.

2. Click Save Changes. The Expressions link appears.



Figure 45. Regular Expression Edit page

3. Click Expressions. The Expressions page lists all regular expressions that are part of the
fingerprint.

4. Enter your regular expressions in the text boxes. Click Add regexp to add more expressions.
Clicking Delete removes an expression.
Regular Expression does not support the use of \U, \u, \L or \l. Use the following
expressions with caution because they will be treated as non-word characters: \B, \b, \D, \d,
\S, \s, \W, and \w.
Each expression has the following attributes:

• The expression.

• The score is the value to apply to a total score when content is found that matches the
expression. The number may be positive or negative.

• Limit is the number of times the expression may be used to change the total score. Limits
can be set to reduce the influence of an expression that may occur many times in
transmitted messages and files.

5. Click Save Changes. After every save, regular expression syntax is verified, and an expression
with syntax errors is not saved. It is wise to save after each regular expression is added.
You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.
6. If desired, verify the fingerprint before deploying it. Refer to Test Content Fingerprints and
Test Results for Content Fingerprints.

Regular Expression Score


The score of the Regular Expression analyzer is the total score of all expressions found in the
transmitted data. Each expression has its own score as defined in the fingerprint. The result is a
weighted score of the analysis.
The total score must exceed the threshold for the fingerprint to match.
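The weighted scoring with limits and negative scores described above, as an added Python model (not Fidelis code), including the "top secret" comparison against an exact keyword match. The profile, its scores and the sample texts are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Expression:
    """One row of the Expressions page: pattern, weighted score, hit limit."""
    pattern: str
    score: int      # positive for profile evidence, negative for counter-evidence
    limit: int = 1  # how many hits of this expression may change the total


def regular_expression_score(expressions: list[Expression], text: str) -> int:
    """Add each expression's score once per hit, capped at its limit."""
    total = 0
    for expr in expressions:
        hits = sum(1 for _ in re.finditer(expr.pattern, text))
        total += min(hits, expr.limit) * expr.score
    return total


def regular_expression_matches(expressions: list[Expression], text: str,
                               threshold: int) -> bool:
    """The fingerprint matches only when the total exceeds the threshold."""
    return regular_expression_score(expressions, text) > threshold


def keyword_matches(keyword: str, text: str) -> bool:
    """Exact-match behaviour of a Keyword fingerprint, for comparison."""
    return keyword in text


def regex_matches_once(pattern: str, text: str) -> bool:
    return re.search(pattern, text) is not None


# Constructed profile and samples (scores and the second/third patterns are
# assumptions, not values from the guide).
PROFILE = [
    Expression(r"top[\s]+secret", score=2, limit=3),
    Expression(r"\bFOR OFFICIAL USE ONLY\b", score=3, limit=1),
    Expression(r"press release", score=-2, limit=1),   # public material, not the profile
]
# Four phrase hits (single space, double space, newline, single space); the limit
# of 3 caps the contribution at 6.
CLASSIFIED_MEMO = "top secret\ntop  secret\ntop\nsecret\ntop secret memo"
# One positive hit (+2) cancelled by the negative expression (-2): score 0.
PUBLIC_NOTICE = "press release: top secret product launch announced"

if __name__ == "__main__":
    print(regular_expression_score(PROFILE, CLASSIFIED_MEMO))   # 6
    print(regular_expression_score(PROFILE, PUBLIC_NOTICE))     # 0
    print(keyword_matches("top secret", "top  secret"))         # False
    print(regex_matches_once(r"top[\s]+secret", "top  secret"))  # True
```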



URL Feed in Content
The goal of the URL Feed in Content analyzer is to catch malicious URLs on sending or receiving,
even before they are clicked. For example, this analyzer can find links in SMTP and webmail traffic,
then match against phishing feeds to determine if the email or webmail was a phishing email.
The URL Feed in Content analyzer identifies URLs in content using the prefixes: [Link] [Link]
and ftp:// at the end of the decoding process and matches these URLs against feeds specified in
the fingerprint.

Define URL Feed in Content


To define URL Feed in Content:

1. Enter general information about the fingerprint. Refer to Add a Content Fingerprint and The
General page for more information.
2. Click Save Changes.
3. The Feed Source link appears.

Figure 46. URL in Feed Content: Feed Source

4. Select one or more feeds to assign them to this fingerprint. For each listed feed, the feed name, the
number of URL records, the provider, and the description are displayed.
You can select any combination of feeds or select all feeds.
The feed listing includes all feeds that contain URLs. If the feed is not currently enabled, the
number of records will display Disabled. Refer to
5. Click Save Changes.
You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.

Content URL Score


Each URL has a score of one. The score of the Content URL analyzer is the number of
unique URLs matched in the transmitted data. Even if the same URL appears more than once
in the content, it is matched, highlighted, and counted into the score only once.



YARA Rules
YARA is a tool that can help to quickly identify and classify malware samples. Refer to
[Link] for a description of the syntax and usage.
The YARA fingerprint enables you to create descriptions of malware families based on text or
binary patterns contained in samples of those families. Each description consists of a set of strings
and Boolean expressions that determines its logic. YARA rules can run against undecoded or
decoded data.
Items to Note:

• If any YARA rule within a fingerprint hits, the fingerprint hits even if other rules within the
YARA fingerprint do not hit.
• If a YARA rule refers to another YARA rule, both must be in the same fingerprint.
• A YARA fingerprint that matches on too many rules or file formats can impede performance.
To define YARA Rules:

1. Enter general information about the fingerprint. Refer to Add a Content Fingerprint and The
General page for more information.
2. Click Save Changes. The Contents link appears.

Figure 47. YARA rules

3. Enter at least one YARA rule in the text box.


4. Select one or more file formats against which the YARA rules will be run.
5. Click Save Changes. Leading white space and blank lines are trimmed out after saving.

You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.



6. If desired, verify the fingerprint before deploying it. Refer to Test Content Fingerprints and
Test Results for Content Fingerprints.

Test Content Fingerprints


After defining a content fingerprint[24], you can verify it before deploying the fingerprint within a
rule[25].
To test, you must be using a computer with the Microsoft Windows Operating System and have
WinSCP installed. WinSCP is freeware available from [Link].
To test:

1. Go to the General, Test Fingerprint page, or another page specific to a fingerprint.


2. Click to open a WinSCP session. A WinSCP window opens and provides you access to
your home directory on CommandPost for file storage.
Note: You must have a local CommandPost account to use this feature.
3. Create a data folder using WinSCP or use an existing folder and copy the test files to the
folder.
Note: All test files must be placed in a folder. Do not place test files in the home
directory.
4. Refresh the CommandPost page to list any newly created folder.
5. Select the data folder containing sample data and click Test. A new window will open showing
the results of the test. Selecting verbose will increase the amount of result information. If there
is no match, clicking verbose will not provide more information.
When the Test button is pressed, the fingerprint is compared against these test files. This function
is useful to verify fingerprint expressions before they are deployed to real traffic. The test function is
not useful until the fingerprint has been defined by using the remaining tabs on the fingerprint edit
page.
Refer to Test Results for Content Fingerprints for an explanation of the results.

Test Results for Content Fingerprints


This section describes test results for Content fingerprints. Basic results are described first, then
verbose results. Any differences for specific Content fingerprints would display in the verbose test
results and are described in the Verbose Test Results section below. Objects smaller than 8 bytes
are not compared against Keyword and Keyword Sequence fingerprints. Objects smaller than 32
bytes are not compared against Regular Expression and Identity fingerprints.
To generate a fingerprint test, refer to Test Content Fingerprints.

Basic Test Results


The examples and text below illustrate basic test results. These are the results you see if the
Verbose option is not selected.
All test output follows the same format in non-verbose mode. In the example below, there is only
one file in the test directory, budget_zip.ZIP. The test tool will decode the file to all possible
resulting objects and test each. In this case, the ZIP file contained the following files:

• [Link] – a text file

• budget_2010.pdf – a PDF file

[24] In Fidelis XPS, fingerprints describe attributes of network data transfers in terms of the content,
the sender/receiver (location), or the method of transfer (channel).
[25] Fidelis XPS uses rules to determine what are acceptable and unacceptable network data
transmissions. When an unacceptable network data transmission is detected, a rule determines
what action will be taken.



• budget_2010.docx – a MS-Word file

• Project [Link] – a MS-PowerPoint file. This file included three embedded jpeg files
([Link], [Link], and [Link]) as well as an embedded object which is a
MS-Word file.
------------------------------------------
NOTE: Analysis of Text files with unknown encoding depends on language configuration (System->CommandPost->Language Config)

Simulating Analysis...

[SensitiveProjectData] - :file(budget_zip.ZIP):zip(budget_zip.ZIP) (0) (Binary): no match (0)
[SensitiveProjectData] + :file(budget_zip.ZIP):zip([Link]) (2942) (UTF8): match (22)
[SensitiveProjectData] + :file(budget_zip.ZIP):zip(budget_2010.pdf):pdf (3397) (UTF8): match (22)
[SensitiveProjectData] + :file(budget_zip.ZIP):zip(budget_2010.docx):ms-word (3256) (UTF8): match (22)
[SensitiveProjectData] + :file(budget_zip.ZIP):zip(Project [Link]):ms-powerpoint (1078) (UTF8): match (22)
[SensitiveProjectData] - :file(budget_zip.ZIP):zip(Project [Link]):ms-powerpoint:embedded-image([Link]) (80663) (Binary): no match (0)
[SensitiveProjectData] - :file(budget_zip.ZIP):zip(Project [Link]):ms-powerpoint:embedded-image([Link]) (37824) (Binary): no match (0)
[SensitiveProjectData] - :file(budget_zip.ZIP):zip(Project [Link]):ms-powerpoint:embedded-image([Link]) (9184) (Binary): no match (0)
[SensitiveProjectData] + :file(budget_zip.ZIP):zip(Project [Link]):ms-powerpoint:embedded-object([Link]):ms-word (3256) (UTF8): match (22)
------------------------------------------
Table 7. Reading fingerprint test output
The table below examines the following line from our sample test results to describe each item
within the line.
[SensitiveProjectData] - :file(budget_zip.ZIP):zip(Project [Link]):ms-powerpoint:embedded-image([Link]) (80663) (Binary): no match (0)

Data: Fingerprint name
Sample output: [SensitiveProjectData]
Description: The name in brackets [SensitiveProjectData] is the name of the fingerprint being tested.
The fingerprint name is followed by a + if there was a fingerprint match or a – if there was no match.

Data: Decoding path
Sample output: :file(budget_zip.ZIP):zip(Project [Link]):ms-powerpoint:embedded-image([Link])
Description: Each decoded object is separated by a colon (:). The example shows a decoding path of
:file:zip:ms-powerpoint:embedded-image with a file name shown within parentheses at each step of
the decoding. In this example, the ultimate result was [Link], which is the subject for this test.
This output always starts with a colon and the term file because it is a file-based test. On a live
sensor, the decoding path will start with protocol decoding. Refer to the Overview in the User Guide.

Data: Decoded object size
Sample output: (80663)
Description: The size in bytes of the decoded text is in parentheses. This is not necessarily the size
of the original file, but the size of the extracted text.

Data: Encoding
Sample output: (Binary)
Description: Next is the detected character encoding, (Binary) in this case. The character encoding is
an important element in the output. If it can be detected, then the decoded text is converted using
the detected encoding style and tested against the fingerprint. In the nine tests for
SensitiveProjectData, the character encoding was detected in each case, either Binary or UTF8.
In the example below, the character encoding could not be detected. In this case, the test is
attempted for each character set that was selected at System>Components>Console>Config>Language
Config.

[SensitiveProjectData] - :file([Link]) (1359) (iso88591): no match (0)
[SensitiveProjectData] - :file([Link]) (1359) (iso88598): no match (0)
[SensitiveProjectData] - :file([Link]) (1359) (cp862): no match (0)
[SensitiveProjectData] - :file([Link]) (1359) (cp866): no match (0)
[SensitiveProjectData] - :file([Link]) (1359) (cp1251): no match (0)
[SensitiveProjectData] - :file([Link]) (1359) (cp1255): no match (0)
[SensitiveProjectData] - :file([Link]) (1359) (mac_cyrillic): no match (0)
[SensitiveProjectData] - :file([Link]) (1359) (mac_hebrew): no match (0)
[SensitiveProjectData] - :file([Link]) (1359) (koi8r): no match (0)
[SensitiveProjectData] - :file([Link]) (1359) (iso_2022_jp_2004): no match (0)
[SensitiveProjectData] - :file([Link]) (1359) (euc_jis_2004): no match (0)

When such a file is encountered, the extracted characters are converted according to the tested
encoding. If a match is found, the test stops and the file is marked as a match. If no match is found,
the test is repeated until all selected CommandPost character sets are tested.

Data: Results
Sample output: : no match (0)
Description: A colon (:) followed by the terms match or no match indicates the test results. The last
item in the line is a number inside parentheses. The number within parentheses is the score of the
analyzer, as described within the description of score for each fingerprint type.
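A parser for the non-verbose result lines just described (added example, not a Fidelis tool): it extracts the fingerprint name, match flag, decoding path, decoded size, encoding and score, and treats a file tested under several character sets as matched if any one of them matched. The sample output and its file names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One logical result line: [Name] +|- :decoding path (size) (Encoding): result (score)
LINE_RE = re.compile(
    r"^\[(?P<name>[^\]]+)\] (?P<flag>[+-]) (?P<path>:.*?) "
    r"\((?P<size>\d+)\) \((?P<encoding>[^)]+)\): "
    r"(?P<result>match|no match) \((?P<score>\d+)\)$"
)
# Decoding steps look like :zip(name.ext) or :pdf; file names may contain spaces.
STEP_RE = re.compile(r":([\w-]+)(?:\(([^)]*)\))?")


@dataclass(frozen=True)
class TestResult:
    fingerprint: str
    matched: bool
    path: str
    size: int          # size of the extracted text, not of the original file
    encoding: str
    score: int

    @property
    def decoders(self) -> list[str]:
        """Decoder names along the path, e.g. ['file', 'zip', 'pdf']."""
        return [name for name, _ in STEP_RE.findall(self.path)]

    @property
    def object_name(self) -> str:
        """File name of the object actually tested (last named step)."""
        names = [fname for _, fname in STEP_RE.findall(self.path) if fname]
        return names[-1] if names else ""


def parse_line(line: str) -> Optional[TestResult]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None        # separators, NOTE lines, verbose data, blank lines
    flag, result = m["flag"], m["result"]
    if (flag == "+") != (result == "match"):
        raise ValueError(f"inconsistent flag and result: {line!r}")
    return TestResult(m["name"], flag == "+", m["path"], int(m["size"]),
                      m["encoding"], int(m["score"]))


def parse_output(text: str) -> list[TestResult]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def matched_objects(results: list[TestResult]) -> list[str]:
    """Distinct decoding paths that matched under at least one tested encoding."""
    return sorted({r.path for r in results if r.matched})


# Constructed test output in the guide's format (file names are made up).
SAMPLE_OUTPUT = """\
------------------------------------------
Simulating Analysis...

[ProjectData] - :file(sample_zip.ZIP):zip(sample_zip.ZIP) (0) (Binary): no match (0)
[ProjectData] + :file(sample_zip.ZIP):zip(notes.txt) (2942) (UTF8): match (22)
[ProjectData] - :file(sample_zip.ZIP):zip(Project plan.pptx):ms-powerpoint:embedded-image(logo.jpg) (80663) (Binary): no match (0)
[ProjectData] - :file(legacy.txt) (1359) (iso88591): no match (0)
[ProjectData] + :file(legacy.txt) (1359) (cp1251): match (5)
------------------------------------------
"""

if __name__ == "__main__":
    for r in parse_output(SAMPLE_OUTPUT):
        print(r.matched, r.object_name, r.encoding, r.score)
    print(matched_objects(parse_output(SAMPLE_OUTPUT)))
```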



Verbose Test Results
Verbose test results differ based on the type of fingerprint. Therefore, the sections below offer
descriptions and examples for each fingerprint type. The basic information remains the same as
described above. Verbose information is only available for positive match results with the exception
of Keyword List and Identity Profile which also report on negative match results.
Embedded Images
A match of an embedded image provides Positive Match Results Data including:

• bt refers to the binary test index of all embedded images. The number refers to an internal
index data structure within the analyzer and is not relevant to the results.
• Filename represents the name of the file that was registered.
------------------------------------------
[CompanyLogo] - :file([Link]) (1192) (UTF8): no match (0)

[CompanyLogo] - :file(Project [Link]):ms-powerpoint (1078) (UTF8): no match (0)

[CompanyLogo] + :file(Project [Link]):ms-powerpoint:embedded-image([Link]) (80663) (Binary): match (1)

++++++Positive Match Results Data++++++ for :file(Project [Link]):ms-powerpoint:embedded-image([Link])

Binary Test #2:

Original Filename: '[Link]'

[CompanyLogo] + :file(Project [Link]):ms-powerpoint:embedded-image([Link]) (37824) (Binary): match (1)

++++++Positive Match Results Data++++++ for :file(Project [Link]):ms-powerpoint:embedded-image([Link])

Binary Test #4:

Original Filename: '[Link]'

[CompanyLogo] + :file(Project [Link]):ms-powerpoint:embedded-image([Link]) (9184) (Binary): match (1)

++++++Positive Match Results Data++++++ for :file(Project [Link]):ms-powerpoint:embedded-image([Link])

Binary Test #0:

Original Filename: '[Link]'

[CompanyLogo] - :file(Project [Link]):ms-powerpoint:embedded-object([Link]):ms-word (3256) (UTF8): no match (0)

------------------------------------------

Encrypted Files
A match of an encrypted file provides Positive Match Results Data including:

• Filename represents the name of the file that was tested.


• Type represents the file type.
------------------------------------------
[EncryptedFiles] + :file(budget_2010-[Link]):ms-office (26624) (Binary): match (1)

++++++Positive Match Results Data++++++ for :file(budget_2010-[Link]):ms-office

Encryption Test:

Type: 'application/msword'

------------------------------------------
Exact Content
For Exact Content, the original file represents the name of the registered file in the fingerprint that
was matched.
A match of an Exact Content file provides Positive Match Results Data including:



• Original File provides the name of the file that was registered within the Exact Content
fingerprint.
------------------------------------------
[Budget2010] + :file(budget_2010.docx):ms-word (3256) (UTF8): match (1)

++++++Positive Match Results Data++++++ for :file(budget_2010.docx):ms-word

Exact (MD5):

Original File: 'budget_2010.docx'

[Budget2010] + :file(budget_2010.pdf):pdf (3397) (UTF8): match (1)

++++++Positive Match Results Data++++++ for :file(budget_2010.pdf):

Exact (MD5):

Original File: 'budget_2010.pdf'

[Budget2010] - :file(customer_data.xlsx):ms-excel (28702) (UTF8): no match (0)

------------------------------------------

Filenames
A match of filename fingerprint provides Positive Match Results Data including:

• Match is an index to all filename regular expressions. The number refers to an internal index
data structure within the analyzer and is not relevant to the results.

• Filename refers to the file under test

• Expression provides the regular expression from the fingerprint that was matched.
------------------------------------------
[Budget-Filename] + :file(budget_2010.docx):ms-word (3256) (UTF8): match (1)

++++++Positive Match Results Data++++++ for :file(budget_2010.docx):ms-word

Filename #1:

Expression: '[B\b][U|u][D|d][G|g][E|e][T|t](.)*\.doc'

[Budget-Filename] + :file(budget_2010.pdf):pdf (3397) (UTF8): match (1)

++++++Positive Match Results Data++++++ for :file(budget_2010.pdf):

Filename #2:

Expression: '[B\b][U|u][D|d][G|g][E|e][T|t](.)*\.pdf'

[Budget-Filename] - :file(customer_data.xlsx):ms-excel (28702) (UTF8): no match (0)

------------------------------------------
File Signature
A match of a file signature fingerprint provides Positive Match Results Data information as written
into the File Signature fingerprint following MAGIC syntax. Refer to Define File Signature.
------------------------------------------
[JPEG] - :file(Project [Link]):ms-powerpoint (1078) (UTF8): no match (0)

[JPEG] + :file(Project [Link]):ms-powerpoint:embedded-image([Link]) (80663) (Binary): match (1)

++++++Positive Match Results Data++++++ for :file(Project [Link]):ms-powerpoint:embedded-image([Link])

File Signature:

Type: 'JPEG image data, JFIF standard 1.02'

[JPEG] + :file(Project [Link]):ms-powerpoint:embedded-image([Link]) (37824) (Binary): match (1)

++++++Positive Match Results Data++++++ for :file(Project [Link]):ms-powerpoint:embedded-image([Link])

File Signature:

Type: 'JPEG image data, JFIF standard 1.02'

[JPEG] + :file(Project [Link]):ms-powerpoint:embedded-image([Link]) (9184) (Binary): match (1)

++++++Positive Match Results Data++++++ for :file(Project [Link]):ms-powerpoint:embedded-image([Link])

File Signature:

Type: 'JPEG image data, JFIF standard 1.01'

[JPEG] - :file(Project [Link]):ms-powerpoint:embedded-object([Link]):ms-word (3256) (UTF8): no match (0)

------------------------------------------

Identity Profile
The test results of an Identity Profile fingerprint provide Positive Match Results Data for matches
and Negative Match Results Data for non-matches when the pattern count analysis returns a value
greater than zero. Refer to Understand Identity Profile.

• For each fingerprint element (such as BankAcct, NatId, Name, or CreditCard) a total count is
displayed with a breakdown by strictness and by applicable customizations. For example,
consider the output line below for National ID:
NatlId: '30 [US/3]:10 [FR/11]:10 [GB/11]:10'

• National IDs were detected from three different available customizations: US (United
States Social Security Numbers), FR (French INSEE Codes), and GB (United Kingdom
National Insurance Numbers).
For most predefined patterns, the available customizations are represented by
country codes. The exception is Name, which refers to an available name file. Refer
to Add a Name File.

• The strictness value follows the customization code. In this example, ten matches were
found for US at strictness of 3. All matches for FR and GB were detected at strictness
level 11.

• The total count is represented by the first number following NatlId. In this example, the
total count is 30. This value depends upon the selections in the fingerprint. In this
example, the fingerprint must have included US, FR, GB and set a strictness of 3 or
lower, or the total would not have included all detected patterns.
Note: The individual pattern values such as US/3 are not influenced by the fingerprint.
Only the total count is influenced by the fingerprint.

• Now consider the same test file run against a fingerprint that selected only United States
Social Security Numbers at a strictness of 5:
NatlId: '0 [US/3]:10 [FR/11]:10 [GB/11]:10'

• Although patterns were detected in the test file, the total count is zero because none of the
patterns matched the fingerprint selections.

• Sensitivity and Low Pass Filter results are displayed as PASS or FAIL if the fingerprint has
enabled these checks.
------------------------------------------
[ni-iban] + :file(ni_iban) (607) (ascii): match (10)

++++++Positive Match Results Data++++++ for :file(ni_iban)

ni_iban:

BankAcct: '10 [BE/11]:1 [BA/11]:2 [CZ/11]:2 [DK/11]:1 [FI/11]:1 [LV/11]:1 [CH/11]:2'

NatlId: '30 [US/3]:10 [FR/11]:10 [GB/11]:10'

[name_email_addr] - :file(name_email_ccn.lpf) (12294) (ascii): no match (0)

------Negative Match Results Data------ for :file(name_email_ccn.lpf)

name_email_addr:

Name: '1007 [$UnitedStates/11]:1007'

e_mail: '3 [WW/11]:3'

CreditCard: '4 [WW/4]:4'

Sensitivity: 'FAIL'

------------------------------------------
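The count lines above carry two things: the per-pattern breakdown, which the fingerprint does not influence, and the total, which the fingerprint's customization and strictness selections do. The parser below, an added example written for this guide and not Fidelis code, reads those lines and recomputes the total from a given set of selections, reproducing the 30 and the 0 of the two NatlId cases. The rule it applies (a pattern counts when its customization is selected and it was detected at a strictness at least as high as the fingerprint's setting) is this example's reading of the text above; the sample lines are copied from the output shown in this section.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the BankAcct and NatlId lines shown in the guide's
# Identity Profile output, plus a PASS/FAIL line that carries no counts.
SAMPLE_OUTPUT = [
    "BankAcct: '10 [BE/11]:1 [BA/11]:2 [CZ/11]:2 [DK/11]:1 [FI/11]:1 [LV/11]:1 [CH/11]:2'",
    "NatlId: '30 [US/3]:10 [FR/11]:10 [GB/11]:10'",
    "Sensitivity: 'FAIL'",
]

Pattern = Tuple[str, int, int]  # (customization code, strictness, count)

_HEAD = re.compile(r"^(?P<elem>\w+):\s*'(?P<total>\d+)(?P<rest>[^']*)'$")
_PART = re.compile(r"\[(?P<code>[^/\]]+)/(?P<strict>\d+)\]:(?P<count>\d+)")


def parse_element_line(line: str) -> Tuple[str, int, List[Pattern]]:
    """Split one element line into (element, reported total, per-pattern breakdown)."""
    m = _HEAD.match(line.strip())
    if not m:
        raise ValueError(f"not an Identity Profile count line: {line!r}")
    parts = [(p.group("code"), int(p.group("strict")), int(p.group("count")))
             for p in _PART.finditer(m.group("rest"))]
    return m.group("elem"), int(m.group("total")), parts


def parse_identity_profile(lines: Iterable[str]) -> Dict[str, Tuple[int, List[Pattern]]]:
    """Collect every count line of a results block; PASS/FAIL lines are skipped."""
    result: Dict[str, Tuple[int, List[Pattern]]] = {}
    for line in lines:
        try:
            elem, total, parts = parse_element_line(line)
        except ValueError:
            continue
        result[elem] = (total, parts)
    return result


def fingerprint_total(parts: List[Pattern], selected: Iterable[str], strictness: int) -> int:
    """Recompute the total a fingerprint would report from the per-pattern counts.

    Assumed reading of the guide: a pattern contributes only when its customization
    is selected in the fingerprint and it was detected at a strictness at least as
    high as the fingerprint's strictness setting (US/3 counts at setting 3, not at 5).
    """
    chosen = set(selected)
    return sum(count for code, strict, count in parts
               if code in chosen and strict >= strictness)


def total_is_consistent(line: str, selected: Iterable[str], strictness: int) -> bool:
    """Check that a reported total agrees with the fingerprint's selections."""
    _, total, parts = parse_element_line(line)
    return total == fingerprint_total(parts, selected, strictness)
```

Running `parse_identity_profile(SAMPLE_OUTPUT)` yields the BankAcct and NatlId breakdowns; `fingerprint_total` on the NatlId parts gives 30 for US, FR and GB at strictness 3 and 0 for US alone at strictness 5, which is the comparison the two NatlId lines above are making.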
Keywords
A match of a keyword fingerprint provides Positive Match Results Data including:

• kw refers to an internal index data structure within the analyzer and is not relevant to the
results.

• Count provides the number of times this keyword was matched. This value will never exceed
the limit provided for this keyword in the fingerprint.
• Keyword provides the keyword that was matched.

• Results are provided in triplets, with each count and keyword relevant to the preceding kw
index.
------------------------------------------
[SensitiveProjectData] + :file(budget_zip.ZIP):zip(Project [Link]):ms-powerpoint (1078) (UTF8): match (22)

++++++Positive Match Results Data++++++ for :file(budget_zip.ZIP):zip(Project [Link]):ms-powerpoint

Keyword #1:

Count: '1'

Keyword: 'Venus'

Keyword #2:

Count: '1'

Keyword: 'Saturn'

Keyword #3:

Count: '3'

Keyword: 'Project'

Keyword #4:

Count: '1'

Keyword: 'Mercury'

Keyword #5:

Count: '1'

Keyword: 'Confidential'

[SensitiveProjectData] - :file(budget_zip.ZIP):zip(Project [Link]):ms-powerpoint:embedded-image([Link]) (80663) (Binary): no match (0)

[SensitiveProjectData] - :file(budget_zip.ZIP):zip(Project [Link]):ms-powerpoint:embedded-image([Link]) (37824) (Binary): no match (0)

[SensitiveProjectData] - :file(budget_zip.ZIP):zip(Project [Link]):ms-powerpoint:embedded-image([Link]) (9184) (Binary): no match (0)

[SensitiveProjectData] + :file(budget_zip.ZIP):zip(Project [Link]):ms-powerpoint:embedded-object([Link]):ms-word (3256) (UTF8): match (22)

++++++Positive Match Results Data++++++ for :file(budget_zip.ZIP):zip(Project [Link]):ms-powerpoint:embedded-object([Link]):ms-word

Keyword #1:

Count: '1'

Keyword: 'Venus'

Keyword #2:

Count: '1'

Keyword: 'Saturn'

Keyword #3:

Count: '3'

Keyword: 'Project'

Keyword #4:

Count: '1'

Keyword: 'Mercury'

Keyword #5:

Count: '1'

Keyword: 'Confidential'

------------------------------------------

Keyword List
A match of a keyword list fingerprint provides Positive Match Results Data for matches and
Negative Match Results for non-matches where the score is greater than zero. The results include:

• Keyword List refers to an internal index data structure within the analyzer and is not relevant
to the results.

• List is the name of the container file that contains keywords that were matched.
• Count provides the number of words that were matched. This number will never exceed the
limit expressed in the fingerprint. Note that the fingerprint limit of 0 is an unlimited count.

• Results are provided in triplets, with each List and Count relevant to the preceding Keyword
List index.
------------------------------------------
[KeywordList] - :file(Google Traduttore [Link]):mime:multipart[7]:mime:quoted-printable (122152) (UTF8): no match (0)

[KeywordList] - :file(Google Traduttore [Link]):mime:multipart[8]:mime:message (1805) (UTF8): no match (0)

[KeywordList] - :file(Google Traduttore [Link]):mime:multipart[9]:mime:quoted-printable:html (62) (UTF8): no match (0)

[KeywordList] + :file(Google Traduttore [Link]):mime:multipart[17]:mime:quoted-printable:html (23701) (UTF8): match (288)

++++++Positive Match Results Data++++++ for :file(Google Traduttore [Link]):mime:multipart[17]:mime:quoted-printable:html

Keyword List #0:

List: 'ItalianWords'

Count: '288'

[KeywordList] - :file(Google Traduttore [Link]):mime:multipart[3]:mime:multipart[2]:mime:quoted-printable:html (1091) (UTF8): no match (2)

------Negative Match Results Data------ for :file(Google Traduttore [Link]):mime:multipart[3]:mime:multipart[2]:mime:quoted-printable:html

Keyword List #0:

List: 'ItalianWords'

Count: '2'

[KeywordList] - :file(Google Traduttore [Link]):mime:multipart[3]:mime:multipart[1]:mime:quoted-printable:html (108) (UTF8): no match (0)

------------------------------------------
Keyword Sequence
A match of a keyword sequence fingerprint provides Positive Match Results Data including:

• kw refers to an internal index data structure within the analyzer and is not relevant to the
results.
• Count provides the number of times this keyword was matched. This should always be 1 for a
keyword sequence.
• Sequence provides the keyword that was matched.

• Results are provided in triplets, with each count and sequence relevant to the preceding kw
index.
------------------------------------------
[PatientForm] + :file(REGISTRATION [Link]):ms-word (2079) (UTF8): match (10)

++++++Positive Match Results Data++++++ for :file(REGISTRATION [Link]):ms-word

Keyword Sequence #0:

Count: '1'

Sequence: 'PATIENT INFORMATION'

Keyword Sequence #1:

Count: '1'

Sequence: 'Patient’s last name'

Keyword Sequence #2:

Count: '1'

Sequence: 'Is this your legal name'

Keyword Sequence #3:

Count: '1'

Sequence: 'Chose clinic because/Referred to clinic by'

Keyword Sequence #4:

Count: '1'

Sequence: 'INSURANCE INFORMATION'

Keyword Sequence #5:

Count: '1'

Sequence: 'I authorize my insurance benefits be paid directly to the physician'

[PatientForm] - :file([Link]) (2942) (UTF8): no match (0)

[PatientForm] - :file([Link]) (685) (UTF8): no match (0)

------------------------------------------
Partial Content
A match of a Partial Content fingerprint provides Positive Match Results Data from the Matched On
buffer. Each Matched On line represents one window in the registered Partial Content fingerprint.

• The score reflects the number of windows that were matched in the file. However, the number
of Matched On output lines includes only those that were necessary to cross the threshold. In
this example the threshold was five, so the output shows six windows. The score was 10
which means that four additional matches were detected, but these are not displayed
because the sixth was enough to trigger a match.
------------------------------------------
[Budget-Partial] + :file([Link]) (1192) (UTF8): match (10)

++++++Positive Match Results Data++++++ for :file([Link])

Partial Match:

Matched On: 'MIZE (240) 341 5818 556702774 $35000 ANGELA R FREE (301) 756 0988 224227630 $115771 DONNA J ELY
(301) 917 2712 064501483 $78707 JAMES M TEED (240) 783 447'

Matched On: 'DONNA J ELY (301) 917 2712 064501483 $78707 JAMES M TEED (240) 783 4476 611488720 $57759 JOE L
GRIFFIN (301) 497 4262 193609911 $35000 LINN J DAVIS (301) 337 964'

Matched On: '611488720 $57759 JOE L GRIFFIN (301) 497 4262 193609911 $35000 LINN J DAVIS (301) 337 9644
649017365 $123512 DARRELL C SHULTZ (301) 470 8111 132502543 $10177'

Matched On: '649017365 $123512 DARRELL C SHULTZ (301) 470 8111 132502543 $101771 LORI T DELOACH (703) 371
5189 083646516 $45371 ALBERT J WORTH (202) 916 9738 34303366'

Matched On: 'LORI T DELOACH (703) 371 5189 083646516 $45371 ALBERT J WORTH (202) 916 9738 343033668 $118396
ROBERT E FERRELL (301) 488 8495 342489053 $76353 ROBBI'

Matched On: '118396 ROBERT E FERRELL (301) 488 8495 342489053 $76353 ROBBIE B COX (301) 286 2688 519596462
$78818 SAMUEL S BRADLEY (301) 758 0264 049073138 $111256 DIN'

[Budget-Partial] - :file(Project [Link]):ms-powerpoint (1078) (UTF8): no match (0)

[Budget-Partial] - :file(Project [Link]):ms-powerpoint:embedded-image([Link]) (80663) (Binary): no match (0)

[Budget-Partial] - :file(Project [Link]):ms-powerpoint:embedded-image([Link]) (37824) (Binary): no match (0)

[Budget-Partial] - :file(Project [Link]):ms-powerpoint:embedded-image([Link]) (9184) (Binary): no match (0)

------------------------------------------
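The relationship between the score and the number of Matched On lines is easy to get wrong when reading test output, so the simulation below makes it concrete. It is an added example, not Fidelis code, and it assumes a windowing scheme the guide does not describe (overlapping eight-word windows stepped by four words, matched as plain substrings); the registered text is constructed for the example, with invented names, numbers and account identifiers. What it reproduces is the behaviour stated above: the score counts every matched window, while the Matched On list stops once the threshold has been crossed, so a threshold of five yields at most six lines.

```python
from typing import List, Tuple

WINDOW_WORDS = 8   # assumed window size, in words
WINDOW_STEP = 4    # assumed overlap: each window starts 4 words after the previous one

# Constructed registered document: 11 fake personnel records, 44 words in total
# (names, phone-like numbers and account ids are invented for this example).
REGISTERED_TEXT = " ".join(
    f"EMPLOYEE{i} 555 01{i:02d} ACCT{i:04d}" for i in range(11)
)


def register_windows(text: str, window_words: int = WINDOW_WORDS,
                     step: int = WINDOW_STEP) -> List[str]:
    """Split the registered text into overlapping word windows (assumed scheme)."""
    words = text.split()
    last_start = max(0, len(words) - window_words)
    return [" ".join(words[start:start + window_words])
            for start in range(0, last_start + 1, step)]


def partial_content_test(test_text: str, windows: List[str],
                         threshold: int) -> Tuple[bool, int, List[str]]:
    """Return (matched, score, matched_on).

    score counts every registered window found in the test text; matched_on keeps
    only the windows needed to cross the threshold, so with threshold 5 it holds
    at most six lines even when the score is higher, as in the guide's example.
    """
    normalized = " ".join(test_text.split())
    score = 0
    matched_on: List[str] = []
    for window in windows:
        if window in normalized:
            score += 1
            if len(matched_on) <= threshold:
                matched_on.append(window)
    return score > threshold, score, matched_on
```

With the whole registered document embedded in a test file, all ten windows match (score 10) but only six Matched On lines are kept; a file carrying only the first twenty words matches four windows and stays below the threshold.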
Regular Expression
For this fingerprint:

• Results are listed as Regex #0, Regex #1, etc. Each refers to a regular expression in the
fingerprint. The number refers to the order of the expression in the fingerprint, which is not
meaningful in any way except to differentiate the results.
• Count provides the number of times this expression was matched. This value will never
exceed the limit provided for this expression in the fingerprint.
• Score provides the score attributed to this expression. This reflects the score of all matches.
• Regex provides the expression that was matched.
------------------------------------------
[SensitiveProjectRegex] + :file(Project [Link]):ms-powerpoint (1078) (UTF8): match (30)

++++++Positive Match Results Data++++++ for :file(Project [Link]):ms-powerpoint

Regex #0:

Count: '1'

Score: '10'

Regex: 'Company(\s)+Confidential'

Regex #2:

Count: '3'

Score: '12'

Regex: '[P|p]roject(\s)*[M|m]ercury'

Regex #3:

Count: '1'

Score: '4'

Regex: '[P|p]roject(\s)*[S|s]aturn'

Regex #4:

Count: '1'

Score: '4'

Regex: '[P|p]roject(\s)*[V|v]enus'

[SensitiveProjectRegex] - :file(Project [Link]):ms-powerpoint:embedded-image([Link]) (80663) (Binary): no match (0)

[SensitiveProjectRegex] - :file(Project [Link]):ms-powerpoint:embedded-image([Link]) (37824) (Binary): no match (0)

[SensitiveProjectRegex] - :file(Project [Link]):ms-powerpoint:embedded-image([Link]) (9184) (Binary): no match (0)

------------------------------------------
URL Feed in Content
A match of a URL Feed in a Content fingerprint provides Positive Match Results Data from the
Matched On buffer. Each Matched On line represents a match between a feed and data found
within the test file.

• Feed provides the name of the feed that included the information that was matched.
• Attribute provides the attribute of the feed record that was matched.

• Value provides the value of the feed data found in the test file.
Note: Analysis of text files with unknown encoding depends on language configuration
specified at System>Components>Console>Language Config.

Chapter 6 Fingerprint Macros
You can combine fingerprints into macros to make it easier to include two or more fingerprints into
rules. Instead of multiple fingerprints, you can use one macro in a rule.
When defining macros, keep the following in mind:

• AND, NOT, OR, and parentheses can be used to combine fingerprints.


For example, a combination might be used to define rogue SSH and HTTP channels (when a
user tries to circumvent network security) as:
(SSH AND NOT PortsSSH) OR (HTTP AND NOT PortsHTTP)
In this example, the macro combines Channel fingerprints SSH, PortsSSH, HTTP, and
PortsHTTP. The result is a channel macro definition for protocols found on TCP ports that are
not typically used for the intended protocol.

• Fingerprint names must match the spelling and case of the defined fingerprint exactly.

• By default, all fingerprints are combined by OR.


For example, the macro listed below would match either the SSH OR the HTTP fingerprint.
For readability, it is wise to explicitly include the OR in macros.
(SSH HTTP)
Note: The logical words OR, AND, and NOT are capitalized here for emphasis. Fidelis
XPS does not require these words to be capitalized.

Define a Fingerprint Macro


You can define a location, channel, or content macro for your enterprise by editing an existing
macro or by creating a new one.
Note: The icon next to the macro displays whether the macro is used within a rule. You
cannot change the name or delete macros that are in use.
To define a macro:

1. Click Policies.

2. Click Locations, Channels, or Content. The selected fingerprint page displays.

3. Click Macros at the top of the page.

4. Click Add Macro. The New Macro page appears.


or
Click the appropriate macro and click Edit. The edit page appears for the selected macro.

Figure 48. Defining Macros

5. Enter a macro name.


6. Create the Expression by typing in the Expression box or using the Selection box. The
process is identical to creating a rule expression. Refer to Create an Expression.

7. Click Save Changes.


You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.

Copy a Fingerprint Macro


You can copy an existing fingerprint macro, save it under a new name, and edit as needed. The
new macro includes all properties from the original, except for the date properties, which will reflect
the time and user name that created the copy. The new copy will not be included in any rule. You
can copy each fingerprint macro multiple times, as long as it is saved under a unique name.
To copy a fingerprint macro:

1. Click Policies.
2. Click Locations, Channels, or Content. The selected fingerprint page displays.
3. Click Macros at the top of the page.
4. Open the row of the fingerprint macro you wish to Copy.
5. Click Copy. The Copy dialog box displays.
6. Enter a new name in the Save As text box or keep the default name.
7. Click Save.
8. Click Edit to make any needed changes to the new macro.
9. Assign the new fingerprint macro to rules as needed.

Delete a Fingerprint Macro


Deleting a macro depends on the status of the macro; refer to Policy Versions.
To delete a macro:

1. Click Policies.

2. Click Locations, Channels, or Content.

3. Click Macros at the top of the page.

4. Click the appropriate macro and click Delete.

5. Click OK at the confirmation dialog box.
The fingerprint macro is removed from Fidelis XPS.
If you have a hierarchical environment:
From a Master CommandPost, you can use the Global Delete option to delete a policy
or policy components (fingerprints, rules, and macros).
Click Delete and you will be provided with an option to delete locally (only on the
Master CommandPost) or to delete globally (Master CommandPost and all
Subordinates).
Note: On the Subordinate, the policy will be deleted only if it is not assigned to any
sensor (default criteria applicable for deletions). The rule will be deleted if it isn't
assigned to any policy; fingerprints and macros will be deleted if not assigned to any
rule.

Chapter 7 Rules
Fidelis XPS uses rules to determine what are acceptable and unacceptable network data
transmissions. A rule can be stated as the following:
Generate ACTION if CONTENT is detected over CHANNEL coming from (or to) LOCATION.
Or as:
Generate ACTION if EXPRESSION
A rule must be assigned to a policy. A policy, in turn, must be assigned to a sensor.

Rule Components
A rule includes the following components:

• Rule Name is the user-given name of the rule.

• Expression is the criteria for violation analysis. Each expression is a logical combination of
one or more fingerprints.

• Summary is a user-created alert summary to display as part of the alert information created
when a rule is violated. You can include keywords in your summary. Keywords are text
surrounded by percent signs used by Fidelis XPS to extract alert details.

• Severity is a user-defined measure of the severity of an alert.

• Action includes valid combinations of alert, prevent, throttle, quarantine, or reroute. The
action may include or exclude Forensics and Packet Capture files.

• Alert Management Group allows you to select a group of CommandPost Users to manage
alerts or quarantined email messages generated by this rule. Refer to chapter 3 in the User
Guide for more information.

• Email Handling includes the options Notify Sender Message, Append Message, X-header,
and Enable Quarantine User Self-Management. Email Handling only applies to the Mail
sensor. These options will be ignored if the rule is assigned to a different type of sensor.

Rules Pages
Rules pages can be sorted by any column on a page in either ascending or descending
order.
To do this:
Click the column header to sort by that column.

Sort-direction icons display when a column has been sorted. You can only sort by one column at
a time.

You can also elect to show or hide unused rules. Unused rules are indicated by an icon next
to the component name.

A show/hide icon indicates the current show or hide status. The default is to show all rules.

Click the icon to hide or to show unused rules.

A separate icon indicates the current show or hide status of policy, rule, fingerprint, or
fingerprint macro versions. The default is to hide versions. Refer to Policy Versions for more
information.

Access Rules
To access rules:
Click Policies>Rules.

Figure 49. The Rules page

The Rules page contains a list of all defined rules. When accessed for the first time, the list will be
empty. To enable automated policy downloads, refer to Insight>Policy Feed.
Click on a row, or click expand all to reveal information associated with a rule. The policies that use
the rule, the alert management group associated with the rule, and the rule expression display.
Policies, group names, and fingerprints can be clicked to access the associated edit pages. When
you expand the row associated with any Rule authored by General Dynamics Fidelis Cybersecurity
Solutions Systems, you will be presented with the opportunity to gain more information about the
rule. Clicking the Insight Threat Intelligence link will connect you to the Fidelis web site and will
display details about the rule. Fidelis rules include those associated with the Fidelis Policy Feed.
If a rule has been used within a policy that is assigned to a sensor, it is in use, as indicated by
the in-use icon.

Rules and the Fidelis Policy Feed

Fidelis rule icon: indicates a Fidelis rule. This rule was created by Fidelis and either downloaded by
a selection at Policies>Insight>Policy Feed or imported by a policy pack downloaded from the
Fidelis Support Portal. You can make changes to all aspects of a Fidelis rule, such as changing the severity or the
alert management group. After saving changes, you will have a new version of this rule but it will
remain a Fidelis rule. All versions receive Fidelis Policy feed updates. If you modify the
expression by adding a user expression, the rule becomes a Fidelis modified rule.

Fidelis modified rule icon: indicates a Fidelis modified rule. This rule was created by Fidelis and
contains an expression modified locally. The User Expression defines the local modification. The
Fidelis expression of this rule receives Fidelis Policy feed updates. User expressions are typically
used to tune the rule by adding whitelist or exception cases to the rule logic.

User-edited rule icon: indicates a user-edited version of a Fidelis rule. This class of rule cannot be
created after version 8.0. However, if a rule expression was modified in a previous version, after
updating to version 8.0, a user-edited unsynced rule is seen. This rule contains a user expression.
The original Fidelis expression will not receive updates from the Fidelis Policy feeds. To receive
Fidelis feed updates, you need to edit the rule and sync it.

Click Sync at the Rules>Edit page to view the current Fidelis expression. Modify the
user expression to achieve a combined expression that meets your needs. After saving your
changes, the rule becomes a Fidelis modified rule. The Fidelis Modified rule will receive future
updates to the Fidelis expression from the Fidelis Policy feed.

User-created rule icon: indicates a user-created rule. A user-created rule is completely custom and
is not controlled in any way by the Fidelis Policy feed.

Define a Rule
To define a rule:

1. Click Add Rule. The New Rule page appears with blank fields.
or
Click the appropriate rule and click Edit Rule. The edit page appears for the selected rule. If
you edit a rule that was delivered by the Fidelis Insight Policy feed, you will see a Fidelis
Expression and a User Expression.

Figure 50. The Create New Rule page

2. Enter a name and comment for this rule. Names are required and must contain valid
characters (alphanumeric plus dash and underscore). Comments are optional and may
contain any character including spaces.
3. Enter rule information.
a. Select severity: either low, medium, high, or critical. When the rule is violated the
severity displays on the Radar and in Alerts.
b. Select the action that results when the rule is violated. Decide whether to collect
Forensics with the alert. Refer to Select a Rule Action for more information.
c. Select the Capture Packets option, if desired for this rule. Choose whether to capture:
• client or server (all packets going to or from the two IP addresses in the alert)
• only packets involving the client
• only packets involving the server
• client and server (only packets between the two IP addresses).
Refer to chapter 4 in the User Guide.
d. Select an alert management group to associate with the rule. Refer to chapter 11 in
the User Guide.
4. Create a rule expression.

Note: An alert is the recorded and displayed incidence of at least one event. Alerts are generated
only if the alert action for an event is enabled in the violated rule. Alerts are transferred to and
stored by CommandPost.

Rule expressions are a logical combination of Content, Channel, and Location fingerprints.
The expression can be a simple instance of one fingerprint, or it may be a complex
expression using AND, OR, and NOT logic statements. Refer to Create a Rule Expression for
more information.

5. Create a summary.
When a rule is violated, this summary will be stored as part of the alert information (if an alert
action is taken) and will be available on the Alert List page. Refer to Create an Alert
Summary for more information.

6. If this rule is intended for a Mail sensor:

• Select Notify Sender, Append Message, X-Header, or Enable Quarantine User
Self-Management as needed.
• Select a Quarantine Expiration Action if needed. This option is only available if alert and
quarantine is chosen as the action.
Refer to Email Handling in the section Select a Rule Action for more information.

7. Click Save Changes.


You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.
Changes to a rule that has been previously assigned and downloaded to a sensor will have no
effect until the sensor is updated. Refer to Update a Sensor for more information.
If you added a new rule, it displays in the Rules page. To make a new rule active, assign it to a
policy.

Create an Expression
Rule expressions are logical combinations of content, channel, and location fingerprints or macros.
An expression can be a simple instance of one fingerprint, or it may be a complex expression using
AND, OR, and NOT logic statements using parentheses for logical grouping.
A general rule statement is:
Generate ACTION if CONTENT is detected over CHANNEL coming from (or to) LOCATION.
For example, a specific rule could state:
Generate ALERT if CreditCardNumber is detected over any channel other than
AuthorizedCredCardChannel coming from any Location other than AuthorizedCreditCardSender.

Figure 51. Rule expressions

Note: An Alert List is created from all alerts available within your assigned groups and sensors. The
list can be greatly customized by choosing the columns to display, selecting specified criteria, and
by choosing to display the results in a chart or as a table.

To create a rule expression for a custom rule:
1. Type the name of a fingerprint in the expression box. As you type, the suggestion box will
change, displaying a list of applicable fingerprints, fingerprint macros, and logic elements
(AND, NOT, and OR). Parentheses must be typed. You may complete your fingerprint by:

• Typing the full name


• Selecting the fingerprint from the list using a mouse click.
• Use arrow keys to scroll through the list and press Enter to select a fingerprint or a
fingerprint macro.
After completing the fingerprint, the list of suggestions will reset to the complete list of all
available fingerprints, macros, and logic elements. Continued typing will change the
suggestions accordingly.

2. Continue to enter your expression using fingerprints, macros, and logic elements. Insert
parentheses as necessary. A complete logic expression may look like the following

CreditCardNumber AND NOT (AuthorizedCreditCardChannel AND


AuthorizedCreditCardSender)
By default, all fingerprints are combined with an OR. If this is the desired effect, or if your
expression contains only one fingerprint, you may omit all logic elements. However, it is good
practice to include OR within the text, even when not required.
The use of NOT in the expression is a way to white list specified fingerprints within the rule. White
listing identifies data transfers that are legitimate business transactions which should not be rule
violations. An alternative is to whitelist within the policy. Refer to Policy Operations. Also refer to the
Whitelist rule action, which may be a more manageable method to create and use whitelists.
Note: The combination of AND, OR and NOT within an expression may create an
ambiguous evaluation. In these cases, parentheses must be used to clarify the order of
operations.

To modify a rule expression in a Fidelis rule:

A Fidelis rule is identified by its icon on the Rules list page. When a Fidelis rule is edited, you
will notice a Fidelis expression and a user expression.

Figure 52. Rules: Fidelis and user expressions

The Fidelis expression is provided by the Fidelis Insight Policy feed. If there are updates to this rule
in the feed, the Fidelis expression will be modified. The Last Modified date associated with the
Fidelis expression will represent the date of the last change. The Fidelis expression cannot be
modified.

Note: In Fidelis XPS, fingerprints describe attributes of network data transfers in terms of the
content, the sender/receiver (location), or the method of transfer (channel).

The user expression can be used to modify the rule expression. On the sensor, the Fidelis and
User expressions are logically combined with an AND. To enter a user expression, follow the same
steps as described for the custom rule expression.

If the user expression remains empty, the rule will continue to be listed as a Fidelis rule, with the
Fidelis rule icon on the rules list page.

If the user expression is not empty, the rule will be identified as a Fidelis Modified Rule, and the
Fidelis Modified Rule icon will be shown on the rules list page.
On the rules list page, the Last Modified date for a Fidelis Modified Rule will reflect the most recent
time considering user changes and Fidelis policy feed changes.
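The expression syntax used by fingerprint macros (Chapter 6) and by rule expressions (Create an Expression, above) is small enough to evaluate offline: AND, OR, NOT and parentheses, operator words in any case, fingerprint names matched exactly, and adjacent fingerprints joined by OR when no operator is written. The evaluator below is an added example written for this guide's notation, not Fidelis code. It makes one assumption the guide does not state: NOT binds tighter than AND, which binds tighter than OR, so the expressions the guide calls ambiguous should still be parenthesized rather than relied on. The `combined_rule_expression` helper applies the rule stated above that a Fidelis expression and a user expression are combined with AND on the sensor; the sample expressions are the guide's own.

```python
import re
from typing import List, Set, Tuple

# Sample expressions copied from the guide's examples.
ROGUE_CHANNELS = "(SSH AND NOT PortsSSH) OR (HTTP AND NOT PortsHTTP)"
IMPLICIT_OR = "(SSH HTTP)"
CREDIT_CARD_RULE = ("CreditCardNumber AND NOT "
                    "(AuthorizedCreditCardChannel AND AuthorizedCreditCardSender)")

_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9_\-]+")
_OPERATORS = {"AND", "OR", "NOT"}

Node = Tuple  # ("name", str) | ("not", Node) | ("and", Node, Node) | ("or", Node, Node)


def tokenize(expr: str) -> List[str]:
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError(f"unexpected character in expression: {expr!r}")
    return tokens


class _Parser:
    """Recursive-descent parser. Assumed precedence (not stated by the guide):
    NOT binds tightest, then AND, then OR; adjacent operands are joined by OR."""

    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self) -> Node:
        node = self.term()
        while True:
            tok = self.peek()
            if tok is None or tok == ")":
                return node
            if tok.upper() == "OR":
                self.take()
            # Anything else that starts an operand is an implicit OR (the default).
            node = ("or", node, self.term())

    def term(self) -> Node:
        node = self.factor()
        while self.peek() is not None and self.peek().upper() == "AND":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self) -> Node:
        tok = self.take()
        if tok is None:
            raise ValueError("expression ends after an operator")
        if tok.upper() == "NOT":
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok == ")" or tok.upper() in _OPERATORS:
            raise ValueError(f"unexpected token {tok!r}")
        return ("name", tok)  # fingerprint or macro name, case preserved


def parse(expr: str) -> Node:
    parser = _Parser(tokenize(expr))
    node = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return node


def evaluate(node: Node, matched: Set[str]) -> bool:
    kind = node[0]
    if kind == "name":
        return node[1] in matched  # names are case-sensitive, per the guide
    if kind == "not":
        return not evaluate(node[1], matched)
    left, right = evaluate(node[1], matched), evaluate(node[2], matched)
    return left and right if kind == "and" else left or right


def matches(expr: str, matched_fingerprints) -> bool:
    """True when the rule or macro expression fires for this set of matched fingerprints."""
    return evaluate(parse(expr), set(matched_fingerprints))


def combined_rule_expression(fidelis_expr: str, user_expr: str) -> str:
    """The expression a sensor evaluates for a Fidelis rule: the Fidelis expression
    ANDed with the user expression, or the Fidelis expression alone when the user
    expression is empty (the case in which the rule stays a plain Fidelis rule)."""
    if not user_expr.strip():
        return fidelis_expr
    return f"({fidelis_expr}) AND ({user_expr})"
```

`matches(ROGUE_CHANNELS, {"SSH"})` is true while `matches(ROGUE_CHANNELS, {"SSH", "PortsSSH"})` is false, which is the rogue-channel macro doing its job; `matches("SSH", {"ssh"})` is false because fingerprint names must match in case, while `"ssh and not PortsSSH"` parses because only the operator words are case-insensitive.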

Unsynced Rules
Before Fidelis XPS 8.0, the Insight Policy Feed would only update version 0 of any rule. If newer
versions were created for any reason (for example, a change to alert management group, change
to action, change to the expression), then the Fidelis Insight Policy Feed changes would not be
applied to the rule.
When you upgrade to version 8.0, a Fidelis rule where the expression differs from the most recent
Fidelis Policy Feed is marked as an unsynced rule. This rule is perfectly valid and can continue to
be used; however, any updates to the Policy Feed will not be applied.

Figure 53. Rules: Updated Fidelis and User expressions

When you edit an unsynced rule, you will notice the indication that the rule is not updated by the
Policy Feed. You may decide that your rule is working perfectly fine for your environment and
continue to use the rule. However, if you wish to receive updates from the Policy Feed, you should:

• Click the Sync button. The most recent Fidelis expression will appear.
• Edit (or remove) the user expression to create the logic that suits your requirements for the
rule.
• Click Save Changes.
After save, the rule will appear as either a Fidelis rule (if the user expression was erased
completely) or a Fidelis Modified Rule (if part of the user expression was preserved).

Create an Alert Summary


The alert summary is a combination of text to be included for every alert plus specific details of the
data transmission that caused the alert. The text included with percent signs (%) is a specific
keyword used by Fidelis XPS to extract alert details.29 Using these keywords is optional.
For example, consider a rule that would generate an alert if HIPAA content was detected in a
webmail message. For this rule, consider a summary such as:
HIPAA from: %FROM% to: %TO%

29 Alert Details is the most granular level for examining alert data.



For any violation of this rule, the %FROM% would be replaced by the sender of the webmail and
the %TO% would be replaced by the recipient. The rest of the summary would include the text as
written. An example might be:
HIPAA from: joe@[Link] to: sue@[Link]
If the violation occurred over a protocol where FROM and TO attributes were not extracted, the
values would be replaced by question marks. For example, consider HIPAA information posted to a
web site. In that case the summary would be:
HIPAA from: ? to: ?
Note: The total limit for the alert summary message is 100 characters. Alert summaries
that exceed this limit are truncated.
To create a summary:

1. Type the desired text into the Summary text box.


2. Enter keywords, as needed. Select from the Select Keyword list.
Table 8. Rule summary keywords

Keyword   Description
%SRCIP%   Source IP address refers to the source of the data.
%SRCPORT%   Source port refers to the port associated with the source of the data.
%DSTIP%   Destination IP address refers to the destination of the data.
%DSTPORT%   Destination port refers to the port associated with the destination of the data.
%CLIENTIP%   Client IP address refers to the workstation that initiated the TCP session.
%CLIENTPORT%   Client port refers to the port associated with the workstation that initiated the TCP session.
%SERVERIP%   Server IP address refers to the recipient of the TCP session initiation.
%SERVERPORT%   Server port refers to the port associated with the recipient of the TCP initiation.
%FIRSTHIT%   The first hit in the extracted forensic data buffer from all fingerprints that hit.
%<fp-name>:FIRSTHIT%   The first hit in the extracted forensic data buffer for the specified fingerprint.
%PROTO%   Protocol.
%USER%   The login name of the user. Applies to transmission protocols that require a login or user
name, such as FTP, Instant Messenger, Telnet, as well as protocols such as email that identify the user.
%FILENAME%   Name of the file being transmitted.
%FROM%   The From extracted from an email or webmail.
%TO%   The To extracted from an email or webmail.
%SUBJECT%   Email subject line.
%SENSOR%   The name of the sensor that detected the violation.
%RULE%   The name of the rule that was violated.
%POLICY%   The name of the policy that was violated.
%TOTALHITS%   The maximum of total hits in the extracted forensic data from all fingerprints that hit.
%<fp-name>:TOTALHITS%   The total of all hits of fingerprint matches in the extracted forensic data buffer
for the specified fingerprint. Using TOTALHITS will delay the generation of an alert until the session
ends. Therefore, prevention will not be possible for a rule that uses either form of TOTALHITS in the
summary.
3. Click Add Keyword. Keywords will be inserted at the end of the summary, but may be
manually moved to the appropriate place in the edit box.
If you select %<>:FIRSTHIT% or %<>:TOTALHITS%, you will need to manually type the
name of the fingerprint within the <> brackets. Be sure to type the name exactly as it appears
in the Expression.
Note: Some keywords do not apply to all alerts. For example, a summary that
includes %FILENAME% may be generated for an alert that contained no file transfer. In
these cases, the keyword is replaced by a question mark (?) in the alert summary.
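As an added example (not part of this guide and not Fidelis XPS code), the following Python models the summary expansion described above: the Table 8 keywords, the %<fp-name>:FIRSTHIT% and %<fp-name>:TOTALHITS% forms, a question mark for attributes that were not extracted, and the 100-character limit. The function names, the attribute dictionaries and the handling of text that is not a listed keyword are assumptions.

```python
import re

# Added example (not Fidelis code): models the alert summary substitution the
# guide describes. Behaviour for text that is not a listed keyword is assumed.
SUMMARY_LIMIT = 100   # stated limit; longer summaries are truncated
MISSING = "?"         # substituted when the attribute was not extracted

# Keywords from Table 8; FIRSTHIT and TOTALHITS also accept the
# fingerprint-qualified form %<fp-name>:FIRSTHIT% / %<fp-name>:TOTALHITS%.
KEYWORDS = {
    "SRCIP", "SRCPORT", "DSTIP", "DSTPORT", "CLIENTIP", "CLIENTPORT",
    "SERVERIP", "SERVERPORT", "FIRSTHIT", "PROTO", "USER", "FILENAME",
    "FROM", "TO", "SUBJECT", "SENSOR", "RULE", "POLICY", "TOTALHITS",
}
FP_QUALIFIED = {"FIRSTHIT", "TOTALHITS"}

# Matches %KEYWORD% or %<fp-name>:KEYWORD%
KEYWORD_RE = re.compile(r"%(?:<([^<>%]+)>:)?([A-Z]+)%")


def expand_summary(template, attrs, fp_hits=None):
    """Expand a summary template for one alert.

    attrs   : attributes extracted for the alert, keyed by keyword name,
              e.g. {"FROM": "...", "TO": "...", "PROTO": "SMTP"}.
    fp_hits : per-fingerprint results keyed by fingerprint name,
              e.g. {"HIPAA_content": {"FIRSTHIT": "...", "TOTALHITS": 3}}.
    Attributes that were not extracted become "?"; the result is cut to 100 characters.
    """
    fp_hits = fp_hits or {}

    def substitute(match):
        fp_name, keyword = match.group(1), match.group(2)
        if keyword not in KEYWORDS:
            return match.group(0)       # not a keyword: left as written (assumed)
        if fp_name is None:
            value = attrs.get(keyword)
        elif keyword in FP_QUALIFIED:
            value = fp_hits.get(fp_name, {}).get(keyword)
        else:
            return match.group(0)       # <fp-name>: only applies to FIRSTHIT/TOTALHITS
        return MISSING if value is None else str(value)

    return KEYWORD_RE.sub(substitute, template)[:SUMMARY_LIMIT]


def uses_totalhits(template):
    """True if either form of TOTALHITS is present: the alert is then delayed
    until the session ends, so Prevent cannot take effect for that rule."""
    return any(m.group(2) == "TOTALHITS" for m in KEYWORD_RE.finditer(template))


def unreferenced_fingerprints(template, expression):
    """Fingerprint names typed into %<fp-name>:...% that do not appear in the
    rule expression (a name that does not match is assumed to yield '?')."""
    names_in_expr = set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", expression)) - {"AND", "OR", "NOT"}
    typed = {m.group(1) for m in KEYWORD_RE.finditer(template) if m.group(1)}
    return sorted(typed - names_in_expr)


if __name__ == "__main__":
    # Constructed sample alert attributes (not real data)
    webmail = {"FROM": "joe@example.com", "TO": "sue@example.com", "PROTO": "HTTP"}
    print(expand_summary("HIPAA from: %FROM% to: %TO%", webmail))
    print(expand_summary("HIPAA from: %FROM% to: %TO%", {"PROTO": "HTTP"}))
    print(uses_totalhits("%<HIPAA_content>:TOTALHITS% hits"))
```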

Select a Rule Action


When a rule is violated, Fidelis XPS will take the chosen action. To define an action, select from the
choices in the Action drop down list.

Primary Rule Actions


When a rule violation is detected, the Fidelis XPS sensor will react by performing the action
specified in the rule. Alert may be the only action taken or can be combined with one other primary
action. All other actions in this section are mutually exclusive.

Alert
Alert is the only primary action that can be combined with other primary actions. When an alert
action is taken, alert information is collected by the sensor and sent to CommandPost for storage.
The alert data is first encrypted and held in a temporary spool file on the sensor disk.
Communication to CommandPost is performed over an encrypted channel.
Alert information and forensic data is created and sent to CommandPost immediately following the
detection of a rule violation. The sensor will continue to record the session and analyze it for other
rule violations. When the session is complete, the recorded session data is sent to CommandPost.
Depending on the network protocol, the recorded session may arrive at CommandPost several
minutes after the alert data. A recorded session refers to network data captured by Fidelis XPS
Direct and Internal sensors. Fidelis XPS Mail and Web sensors operate on objects and refer to the
recorded object. The object for Fidelis XPS Mail is an email message, including all attachments.
The object for Fidelis XPS Web is the ICAP message received from a third party proxy.
Note: Recorded session data and objects will not be available if the rule action
included Prevent. In this case, the session is not recorded and no session data is sent
to CommandPost. Similarly, if a rule disables Capture Forensics, all alerts generated
by any rule on the violating network session, will lack a recorded session or object.
Alert information is available at the CommandPost and is accessible at the Alerts page. At this
page, you can filter which alerts display, search for specific alert attributes, and research details
about alerts. Refer to Understand and Manage Alerts. Information about each alert is available at
Alert Details.



Refer to chapter 4 of the User Guide.

Prevent
Prevent prevents the data transmission and takes action depending on the sensor type and how
the sensor is configured.
For a Direct or Internal sensor, the Prevent action is determined by how the sensor is configured:

• In out-of-band mode with TCP Reset enabled: the sensor issues TCP reset packets to kill
the session. If TCP Reset is disabled: the prevent action has no effect. UDP sessions
cannot be prevented and no action is taken.
• In inline mode the sensor drops all incoming packets for the remainder of the TCP session.
If TCP Resets are enabled, the sensor will also issue reset packets to the appropriate
endpoint to more efficiently terminate the session. UDP sessions can be prevented when
inline for certain rules. For Direct and Internal sensors, prevention cannot be guaranteed.
Refer to Considerations for Prevention.
For a Web sensor, the end user is redirected to the provided URL. If no URL is provided, the user
will receive an HTTP Error 403 message. These actions are carried out by the third-party proxy in
your network.
For a Mail sensor, the email message will not be accepted. This will cause the sending Mail
Transfer Agent (MTA) to notify the email sender that the message was not delivered. This
notification is delivered by the enterprise email environment, not by Fidelis XPS sensors. For a
more user-friendly approach to email, consider the Quarantine action instead of Prevent.

Flag Host
Fidelis XPS sensors can flag IP addresses for future reference. Whenever Malware is detected, the
IP address of the host is flagged by the Malware Detection Engine. The policy writer can also flag
hosts as the result of any rule violation.
A flagged host can be used in a Location fingerprint to identify IP Addresses that have previously
received malware or violated a rule that flagged the host. Flagged host fingerprints can be used in
other rules to provide context to suspicious network activity.
Refer to Define Flagged Host.

Tag Metadata
Fidelis XPS sensors generate metadata for every network transaction, which is sent to a Fidelis
XPS Collector for storage and analysis. Metadata includes a tag, which is the name of the rule that
was violated by the network transaction. Tags are included with metadata for any rule that was
violated regardless of the action.
If you choose the action as tag metadata, the rule name will be included with metadata, but no
other action will be performed by the Fidelis XPS sensor. Therefore, no alert will be generated.
For details about the power of metadata tags, refer to chapter 7 in the User Guide.

Throttle
Throttle offers the ability to reduce the network bandwidth by identifying applications (such as peer-
to-peer or instant messenger) that may be allowed on the network. Throttle enables you to control
their use and bandwidth by throttling activity to an acceptable level. Throttle is implemented by
randomly dropping packets and manipulating TCP window sizes of offending sessions until the
prescribed bandwidth is reached.
Throttle is only available for Fidelis XPS Direct and Internal sensors in inline mode. Out of band
Direct and Internal sensors, as well as Fidelis XPS Mail and Web sensors, will ignore the throttle
action.



Quarantine
Email is quarantined by a Fidelis XPS Mail sensor when it violates a rule that specifies the action of
quarantine. Quarantined email resides on the Mail queue of the sensor until a quarantine manager
or the sender of the quarantined email takes action, or until the email expires.
The Mail sensor operates on email messages. Because of the nature of email, the Mail sensor can
analyze an entire email at once, and take action if policy violations are found. Other sensors
operate on data in real time and may create multiple alerts with different actions based on the
violated rules. A Mail sensor will take one action on the message, even in the case where multiple
rules are violated with different actions.
Quarantine is only available on Fidelis XPS Mail sensors. All other sensor types will ignore this
action.
Refer to chapter 5 in the User Guide.

Reroute
The Fidelis XPS Mail sensor reroutes an offending email message by adjusting the To field of the
message. The downstream mail server configured in the sensor’s configuration settings will take
the rerouting action. Reroute is only available on Fidelis XPS Mail sensors. All other sensor types
will ignore this action.
Refer to chapter 5 in the User Guide for more information.

Remove Attachments
The Fidelis XPS Mail sensor will remove all attachments from the offending email message. A
single text file stating that the attachments were removed will be added to the message.
Remove Attachments is only available on Fidelis XPS Mail sensors. All other sensor types will
ignore this action.

MDE Filtered
The MDE Filtered action can be used to direct objects to the Malware Detection Engine for
analysis. By default, the MDE will automatically analyze all object types that are known to be
malware vectors (including Executables, PDF and Office files that may contain embedded scripts)
and will generate an alert when an object is determined to be malicious.
In some environments, the automatic malware policy may generate too many alerts. There are
typically two reasons for this result:

• Known and acceptable malware transfers on the network. This may include a collection of
samples on the network to or from known hosts or servers, known users on the network that
collaborate on malware samples, known network paths where malware detection is
performed downstream. In these cases, the Malware Exception action should be used. See
below.
• Malware detection that is not relevant to your organization. Because the MDE is operating
on a large variety of files, it may generate alerts on objects that may be blocked by
downstream network appliances. To address this concern, the policy writer can create rules
with the action of MDE Filtered. Any object that meets the rule criteria will be sent to MDE
for analysis. An alert will be generated only if the object is determined to be malicious. If you
choose to write these rules, visit System>Malware>Malware Detection and disable
automatic Malware Policy. This places MDE detection exclusively under the control of the
policy author.
Using the MDE Filtered action is not recommended. Use of Malware Exception rules is highly
recommended if there is a need to omit certain transactions from analysis.



Whitelist
A rule with the whitelist action provides an exception to every rule within the policy to which it is
assigned. Consider an example where specified senders and receivers are permitted to transfer
credit card data for legitimate business reasons. You could create a rule that generated an action
for only illegitimate reasons by writing a rule expression such as:
Credit_cards AND NOT (business_sender AND business_receiver)
Now suppose that the exception of business_sender and business_receiver should be applied to
many rules. You can write all of your rules in this fashion or you can create a single rule with the
whitelist action. For the example above, the whitelist rule action would be:
business_sender AND business_receiver
By adding this rule to the policy that included the rule for credit card detection the same effect
would be carried out by the Fidelis XPS sensor.
Use of a whitelist rule can reduce the effort of the policy writer to tune and modify rules when
exceptions are required.

Malware Exception
By default, all objects known to be malware vectors are sent to the Malware Detection Engine for
malware analysis. You may have a need to create exceptions based on the IP addresses or other
attributes involved in the transactions. In these cases, create a rule that uses the Malware
Exception action.
Malware Exception rules should only use Location and Channel fingerprints in the rule expression.
The rule operates by marking the entire session as one to bypass malware detection. Because all
objects are sent to MDE for analysis, this rule must fire before the MDE analysis begins.
Refer to the discussion about Timing Considerations in the Fidelis XPS Policy Overview.

Secondary Rule Actions


When a rule is violated the Fidelis XPS sensor will react by performing the action specified in the
rule. Several other actions may also be configured within the rule.

Capture Forensics
After an alert is generated, the Fidelis XPS sensor will continue to record the session until the
session completes or when the maximum configured size is reached. The recorded session is sent
to the CommandPost and stored with the alert. The maximum size is configured at the sensor.
It is possible to disable the session capture by rule. The typical use case for disabling forensics is
when the storage of sensitive or classified data would decommission CommandPost. Before
disabling the capture of forensics, you should understand the ramifications:

• Session capture will not be available for any alert on the same session. Therefore, alerts for
other rules that enable forensics may still lack forensics.
Consider three rules, Rule 1, Rule 2, and Rule 3. Rule 1 fires first and generates an alert;
Rule 2 later generates another alert on the same session and disables forensics; and Rule
3 later generates an alert on the same session. All three alerts will lack a recorded session
even though only one rule disabled forensics. Alerts for Rule 2 and Rule 3 will include
no-forensics in the action. However, Rule 1, which fired first, will lack a recorded session and
will not include a reason.

• PCAP will not be performed for any session marked for no-forensics.
• The Alert details page provides a clickable decoding path allowing you to retrieve all objects
from the path. If the session was not recorded, the decoding path will not be clickable.
By default, all rules enable Capture Forensics. The reasons to disable this capture are very rare.
Fidelis highly recommends that you enable forensics for every rule, unless you have a use case



that warrants the loss of forensic data (for example, capture of classified documents on
CommandPost would decommission CommandPost until the disk is wiped).
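The following added Python example (not Fidelis code and not from this guide) models two behaviours described in this chapter: the Whitelist section's claim that a single whitelist rule acts as an exception for every rule in a policy, and the Capture Forensics behaviour above, where one matching rule that disables forensics leaves every alert on the session without a recorded session. It assumes rule expressions use only AND, OR, NOT and parentheses over fingerprint names and that all rules are evaluated together, so the timing caveat for network sensors is not modelled; all rule and fingerprint names are constructed.

```python
import re
from collections import namedtuple
from dataclasses import dataclass

# Added example (not Fidelis code): a small evaluator for rule expressions in
# the form the guide shows (fingerprint names combined with AND, OR, NOT and
# parentheses), used to model the Whitelist and Capture Forensics behaviour.
TOKEN_RE = re.compile(r"\(|\)|AND\b|OR\b|NOT\b|[A-Za-z_][A-Za-z0-9_]*")
RESERVED = {"AND", "OR", "NOT", "(", ")"}

def tokenize(expression):
    tokens = TOKEN_RE.findall(expression)
    if "".join(tokens) != re.sub(r"\s+", "", expression):  # reject stray characters
        raise ValueError(f"invalid expression: {expression!r}")
    return tokens

class _Parser:  # recursive descent; precedence NOT > AND > OR, parentheses override
    def __init__(self, expression):
        self.tokens, self.pos = tokenize(expression), 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        self.pos += 1
        return token

    def expr(self):
        node = self.term()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "AND":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.peek() == "NOT":
            self.take()
            return ("not", self.factor())
        token = self.take()
        if token == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if token is None or token in RESERVED:
            raise ValueError(f"expected a fingerprint name, got {token!r}")
        return ("fp", token)

def parse(expression):
    parser = _Parser(expression)
    node = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return node

def evaluate(node, hits):
    """hits: the set of fingerprint names that matched the session."""
    kind = node[0]
    if kind == "fp":
        return node[1] in hits
    if kind == "not":
        return not evaluate(node[1], hits)
    left, right = evaluate(node[1], hits), evaluate(node[2], hits)
    return (left and right) if kind == "and" else (left or right)

@dataclass(frozen=True)
class Rule:
    name: str
    expression: str
    action: str = "Alert"            # primary action, e.g. "Alert" or "Whitelist"
    capture_forensics: bool = True   # the Capture Forensics secondary setting

Alert = namedtuple("Alert", "rule action recorded_session")

def evaluate_policy(rules, hits):
    """One session against one policy: a matching Whitelist rule suppresses every
    other rule; one matching rule that disables Capture Forensics leaves every
    alert on the session without a recorded session."""
    matched = [rule for rule in rules if evaluate(parse(rule.expression), hits)]
    if any(rule.action == "Whitelist" for rule in matched):
        return []
    recorded = all(rule.capture_forensics for rule in matched)
    return [Alert(rule.name, rule.action if rule.capture_forensics
                  else rule.action + " no-forensics", recorded) for rule in matched]

# Constructed policies: the inline exception from the Whitelist section and
# the equivalent policy that carries the exception as a Whitelist rule.
INLINE = [Rule("cc_leak", "Credit_cards AND NOT (business_sender AND business_receiver)")]
WHITELISTED = [Rule("cc_leak", "Credit_cards"),
               Rule("business_ok", "business_sender AND business_receiver", "Whitelist")]

def same_alerting_rules(policy_a, policy_b, sessions):
    # True when both policies alert on the same rule names for every session
    return all({a.rule for a in evaluate_policy(policy_a, hits)}
               == {a.rule for a in evaluate_policy(policy_b, hits)} for hits in sessions)
```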

Capture Packets
Packets can be captured to a PCAP file. If the action did not include “Alert”, this setting is not
possible. The PCAP will include all packets from the client and/or server for up to ten seconds
before and after the session that caused the alert. If “client and server” is selected, only packets
between the client and server will be recorded.
PCAP files can be quite large. Excessive use may impact how quickly alert data fills the
CommandPost disk and may impact your alert retention.
Note that metadata for all network activity is recorded if you have Fidelis XPS
Collector.

Email Handling
Fidelis XPS Mail can take specific actions on email messages based on the rule.

• Notify Sender: Define the body of an email message to deliver to the sender of the violating
email.
• Append Message: Append a message to the body of an email before forwarding it.
• X-header: Append an X-header to the header of the email before forwarding it.
• Enable Quarantine User Self-Management: Enable users to manage their quarantined email.
If these actions are detected in a rule by any other sensor type, they are ignored.
Refer to chapter 5 in the User Guide.



Copy a Rule
You can copy an existing rule, save it under a new name, and edit as needed. The new rule
includes all properties from the original, except for the date properties, which will reflect the time
and user name that created the copy. The new copy will not be included in any policy. You can copy
each rule multiple times, as long as it is saved under a unique name.
To copy a rule:

1. Click Policies>Rules.
2. Open the row of the rule you wish to Copy.
3. Click Copy. The Copy dialog box displays.
4. Enter a new name in the Save As text box or keep the default name.
5. Click Save.
6. Click Edit to make any needed changes to the new rule.
7. Assign the new rule to policies as needed.

Export a Rule
If you have Full Policy permissions, you may export a single Rule:

1. Click Policies>Rules.
2. Click the row of the rule you wish to export.
3. Click Export Rule.
A compressed tar file with a .tgz extension will be created and transferred to your browser. Your
browser may offer several options based on your browser settings, which may allow you to open or
save the file. If you are not offered these choices, check your browser settings for handling of .tgz
files.
This file will contain the exported rule and all associated fingerprints and macros.
You can now import this rule back to your CommandPost or to another location. Refer to Import.

Delete a Rule
Deleting a rule depends on the status of the , refer to Policy Versions.
To delete a rule:

1. Click Policies>Rules.

2. Click the appropriate rule.


3. Click Delete Rule.
4. Click OK at the confirmation dialog box. The deleted rule is removed from the Rules page.
If you have a hierarchical environment:
From a Master CommandPost, you can use the Global Delete option to delete a policy
or policy components (fingerprints, rules, and macros).
Click Delete and you will be provided with an option to delete locally (only on the
Master CommandPost) or to delete globally (Master CommandPost and all
Subordinates).
Note: On the Subordinate, the policy will be deleted only if it is not assigned to any
sensor (default criteria applicable for deletions). The rule will be deleted if it isn’t
assigned to any policy, fingerprint and macros will be deleted if not assigned to any
rule.



Chapter 8 Policies
A policy is a set of rules to be enforced by a Fidelis XPS sensor. Policies can be assigned to one or
more sensors. A sensor can use multiple policies and might use different policies than other
sensors registered to the same CommandPost.
To access Policies:
Click Policies>Policies.

Figure 54. Policies information

The Policies page shows a list of all defined policies. When accessed for the first time, the list will
be empty. To enable automated policy downloads, refer to Insight>Policy Feed.

Policy Operations
To view the list of rules in a policy, click the policy name. Each rule will be listed in addition to the
severity and the action taken by the rule. Each rule works independently on the sensor and
performs the defined action when the sensor identifies a violation. However, sensor actions can be
suppressed by any rule with the Whitelist action. If the sensor detects network traffic that matches
the whitelist, no action will be taken for any other rule in the policy.
Considerations when using a rule with the whitelist action:

• A whitelist rule can use any rule logic and may include Content, Channel, and Location
fingerprints.
• Be aware of timing aspects of network sensors. The sensor will take action as soon as a
rule is matched. Therefore, if your whitelist contains logic that matches after other rules,



then the whitelist may not be effective. For example, consider a Whitelist rule based on a
content fingerprint. To be effective, you may want to use Delay Analysis on the Content
fingerprint. This is not a concern when the policy is applied to a Fidelis XPS Mail sensor.
• A whitelist rule can be applied to any policy, including the Policy Feeds available at
Policies>Insight page. When a rule is added to a Policy Feed, all other rules are not
impacted and will be updated whenever the feed is updated.
This last point applies to all rules, not only those with a whitelist action. Therefore, you can
add your own rules to Policy Feeds without impacting the ability to receive rule updates
from the feed.

Expand Policy Information


Click on a row, or click expand all to reveal sensor and rule information associated with a policy.
The sensor and rules display in links that you can click to access Policies>Assignments and
Policies>Rules pages.
You can edit or delete an existing policy or add a new one. If a policy has been assigned to a
sensor it is in use, as indicated by the plug icon. Deleting a policy depends on the status of the
, refer to Policy Versions.

Policies Page
The Policies page can be sorted by any column on a page in either ascending or
descending order.
To do this:
Click the column header to sort by that column.

If a policy is in use by a sensor, this is indicated by the icon.

The or icons display when a column has been sorted. You can only sort by one column at
a time.

You can also elect to show or hide unused policies. Unused policies are indicated by a icon
next to the component name. Unused policies are those not assigned to a sensor.

The indicates the current show or hide status. The default is to show all policies.

Click to hide or to show unused policies.

The indicates the current show or hide versions of policy, rule, fingerprint, or
fingerprint macros. The default is to hide versions. Refer to Policy Versions for more information.



Define a Policy
To define a policy:

1. Click Policies>Policies.

2. Click Add Policy. The New Policy page appears.


or
Click the appropriate policy and click Edit Policy. The edit page appears for the selected
policy.

Figure 55. Policy Edit

3. Enter a name for the new policy. Names are required and must contain valid characters
(alphanumeric plus dash and underscore). You cannot change the name of an existing policy.

4. Enter a description of the policy in Comments.

5. Click appropriate rules for the policy.


6. Click Save Changes.
You can also click Policy Wizard to save changes and proceed to the next step in creating
and assigning a policy. Refer to Policy Wizard.
Changes to a policy that has been previously assigned and downloaded to a sensor will have no
effect until the sensors are updated.
If you added a new policy, it displays in the Policies page. To make a new policy active, assign it to
a sensor.
Refer to Assign a Policy for more information.



Copy a Policy
You can copy an existing policy, save it under a new name, and edit as needed. The new policy
includes all properties from the original, except for the date properties, which will reflect the time
and user name that created the copy. The new copy will not be assigned to any sensor. You can
copy each policy multiple times, as long as it is saved under a unique name.
To copy a policy:

1. Click Policies>Policies.
2. Open the row of the policy you wish to Copy.
3. Click Copy. The Copy dialog box displays.
4. Enter a new name in the Save As text box or keep the default name.
5. Enter comments, if needed.
6. Click Save.
7. Click Edit to make any needed changes to the new policy.
8. Assign the new policy to sensors as needed.

Export Policies
If you have Full Policy permissions, you may export All Policies or individual policies.
To export All Policies:

1. Click Policies>Policies.
2. Click Export All Policies button at the bottom of the page.
A compressed tar file with a .tgz extension will be created and transferred to your browser. Your
browser may offer several options based on your browser settings, which may allow you to open or
save the file. If you are not offered these choices, check your browser settings for handling of .tgz
files.
This file will contain all policies and all policy components on your CommandPost, including all
fingerprints and macros not included in a rule, all rules not included in a policy, and all policies not
assigned to a sensor.
To export a single Policy:

1. Click Policies>Policies.
2. Click the row of the policy you wish to export.
3. Click Export Policy.
A compressed tar file with a .tgz extension will be created and transferred to your browser. Your
browser may offer several options based on your browser settings, which may allow you to open or
save the file. If you are not offered these choices, check your browser settings for handling of .tgz
files.
This file will contain the exported policy and all associated components (rules, fingerprints, and
macros).
You can now import these policies back to your CommandPost or to another location. Refer to
Import.



Delete a Policy
Deleting a policy depends on the status of the , refer to Policy Versions.
To delete a policy:

1. Click Policies>Policies.

2. Click the appropriate policy.


3. Click Delete Policy.
4. Click OK at the confirmation dialog box.
The deleted policy is removed from the Policies page.
If you have a hierarchical environment:
From a Master CommandPost, you can use the Global Delete option to delete a policy
or policy components (fingerprints, rules, and macros).
Click Delete and you will be provided with an option to delete locally (only on the
Master CommandPost) or to delete globally (Master CommandPost and all
Subordinates).
Note: On the Subordinate, the policy will be deleted only if it is not assigned to any
sensor (default criteria applicable for deletions). The rule will be deleted if it isn’t
assigned to any policy, fingerprint and macros will be deleted if not assigned to any
rule.



Chapter 9 Assignments
Policies have no impact until they are assigned to a sensor and the sensor is updated.
The assignment process creates a mapping of policies to sensors on the CommandPost. This
mapping is not transferred to the sensor until the sensor is updated. This allows you to define and
modify policies without disrupting policies that are being executed on your sensors.
The Assignment page lists sensors under the CommandPost to which they are assigned.

Assign a Policy
To assign a policy to a sensor:

1. Click Policies>Assignments to access the Assignments page.

2. Click the appropriate sensor. The policies listed are those currently running on the sensor. If
no policies are assigned, this is indicated. Opening the sensor row displays the buttons:
Export Assignments, Update Sensor, View Update Log, and Edit Assignments.
3. Click Edit Assignments. Policies currently assigned to the sensor are checked. If the
checkbox is greyed out, you cannot assign those policies.
If your environment uses a hierarchy of Master and Subordinate CommandPosts, refer to
Hierarchical Management and Assigning Policies.
Note: Fidelis Policies that were auto-assigned at the Policies>Insight>Policy Feed page
are not available for assignment. Refer to Policy Feeds.
4. Select (or unselect) policies as needed.

5. Click Save Changes. After a change is saved, the Last Modified information updates with the
new time and user information.
Note: Importing assignments changes the Last Modified information to the import
time and user.
6. Click Update Sensor. When policies are updated, a green square displays.
Note: Update can take several minutes.
Alternatively, click update all sensors at the top of the page. This updates all registered sensors
that require an update.
The Assignments page provides a status icon for each sensor:

• A green square: the policies running on the sensor match those assigned to the sensor on
CommandPost. No update is required in this case and the Update Sensor button will not be
available.

• A yellow arrow: the policies assigned to the sensor on CommandPost differ from the policies
running on the sensor. An update is required for the assignments to be transferred to the
sensor. Any change to a policy or policy component (rule, fingerprint, or macro) will cause this
status.

• A red exclamation point: CommandPost has lost communication to the sensor. It is not
possible to retrieve the set of running policies.



Hierarchical Management and Assigning Policies
The hierarchical environment supports two main usage requirements:

• All policies can be managed from the Master CommandPost. In this mode, policies should
be created and modified on the Master. By logging into the Master CommandPost, policies
can be assigned to all sensors, including those registered to Subordinate CommandPosts.
All sensors can be updated from the Master CommandPost by clicking update all sensors at
the top of the Assignments page. This updates all sensors needing an update that are
registered to Master or to Subordinate CommandPosts.
You can also update only the sensors registered to a Subordinate CommandPost by
clicking update sensors on the Subordinate CommandPost section of the Assignments
page. You can also update only the sensors registered to Console in the same manner.

• By logging into the Subordinate CommandPost, local policies can be created to augment
policies managed at the Master CommandPost. This allows users to manage the
Subordinate CommandPost locally, while still employing enterprise-level policies assigned
from the Master. Clicking update all sensors at the Subordinate row updates all sensors
registered to the console that require an update.
Policies within the Fidelis Insight Policy Feed are managed at the Master CommandPost.
The policies that display for a selected sensor and those available for assignment depend on
whether the sensor is registered to a Master or to a Subordinate CommandPost.
A sensor row at the Assignments page contains three sections:

• Fidelis Policy relates to policies controlled at Insight>Policy Feed. At the Policy Feed page,
you can choose to automatically or manually assign policies to sensors. If you choose
automatic assignment, then this section cannot be edited but is shown for informational
purposes. Refer to Policy Feed.
• Custom Policy from Master refers to custom policies that are assigned at the Master
CommandPost. If you log into the Master, you may edit these assignments. If you log into a
Subordinate CommandPost, you may not change assignments from the Master.
• Custom Policy from Subordinate refers to custom policies that are assigned at the
Subordinate CommandPost. If you log into the Subordinate, you may edit these
assignments. If you log into the Master CommandPost, you may not change the
assignments made at the Subordinate.
Note: To perform policy Assignment from the Master CommandPost, you must have an
account on the Subordinate CommandPost with a role that includes Full access to
Policies.

Export Assigned Policies


If you have Full Policy permissions, you may export the policies assigned to a sensor.
To perform the export:

1. Click Policies>Assignments.
2. Click the row of the sensor whose policies you wish to export.
3. Click Export Assignments.
A compressed tar file with a .tgz extension will be created and transferred to your browser. Your
browser may offer several options based on your browser settings, which may allow you to open or
save the file. If you are not offered these choices, check your browser settings for handling of .tgz
files.
The exported file will contain all policies and all associated components (fingerprints, macros, and
rules) assigned to the current sensor. If a sensor update is required, the exported policies will be
those currently assigned to the sensor in CommandPost, which is not the same as the policies
running on the sensor.
You can now import these policies back to your CommandPost or to another location. When you
import the assigned policies and select the option Import File Overwrites Database Entry the
original sensor will change to the files in the import file. Refer to Import.

View Update Log


Click View Update Log to display the current update log. The update log is a log of the latest
update requests from this sensor to CommandPost. For hierarchically managed CommandPosts,
the update log will also contain Master CommandPost to Subordinate CommandPost error logs in
case any errors were encountered while pushing assignments from Master to Subordinate.

Chapter 10 Insight
Insight provides configuration options to use threat intelligence from General Dynamics Fidelis
Cybersecurity Systems, Inc., which is available in multiple forms:

• Feeds represent streaming intelligence regarding malicious Internet sites and malicious
files. The raw data is accumulated by Fidelis and made available at a Fidelis owned and
maintained Insight Feed Server known to CommandPost. You may also configure
CommandPost to use other sources of intelligence available to you by adding custom
feeds. Configured feeds can be used by Reputation Location fingerprints to create rules and
policies and define the reaction by the sensor if such a policy is violated.
• IP-to-ID represents streaming IP Address to domain username resolution. If you have an
A10 Networks Network Identity Management System, you can configure CommandPost to
directly access its records. Alternatively, you may supply this information in a custom feed.
The IP-to-ID feed includes a mapping of domain username to IP Address including the
active login and logout times. This data will be used in Directory Location fingerprints so
that rules and policies can be created based on the domain username. Fidelis sensors will
react when the IP Address associated with the username is detected on the network. This
data will also be used to augment alert data with details extracted from your Directory
server about the domain user. Refer to chapter 13 in the User Guide.

• The Fidelis Policy Feed represents automated access to rules and policies created by the
Fidelis Threat Research Team. These policies can be pushed directly to sensors so that
policy updates are immediately active on your system if desired.
Updates are pushed to Fidelis policies including those that have been modified by a user.
User changes, however, are not affected by policy updates. The update will create a new
version of the policy with the user’s changes and the changes from Fidelis merged together.
• The Collector feed is used to apply the hash values of newly detected malware to data
stored in a Fidelis XPS Collector. The result will be an alert for any evidence that these files
were found on your network before the feed was updated.
Access to Insight requires a role that provides Policy permissions to access the Insight page.
When you enable the Policy Feed, statistics will be collected and sent to Fidelis. To disable this
feature, you must acquire a license to disable feedback. You may also acquire a license to operate
CommandPost in a disconnected or air-gapped manner. If you have an air gap license, refer to Air
Gap for details about proper configuration for air gap operations.

Hierarchical Management and Feeds


Fidelis, Collector, and Policy feeds are sent to Subordinate CommandPosts from the Master
CommandPost.
Refer to chapter 13 in the User Guide.
Custom feeds are configured at the Feed Config page. They may be created at the Master
CommandPost and applied globally to all Subordinate CommandPosts. Refer to Hierarchical
Management and Custom Feeds.

Feed Config
Feed Config is used to establish a connection between CommandPost and the feed source and to
begin regular updates of feed data. Once configured, feed data can be used by DNS alerts.
Refer to chapter 13 in the User [Link] DNS Decoder information.

Access Feed Config


To access this page, click Policies>Insight>Feed Config.

The Feed Config page displays the Fidelis feed and any custom feeds previously created. The
page columns indicate whether or not each feed is enabled, the feed status, and provides a name
and description for each. Refer to Feed Status for more information.
At the Feed Config page you can enable or add custom feeds. The Fidelis Feeds are automatically
enabled if you enabled the Policy Feed or the Malware Detection Engine. The Fidelis Feeds are
integral to the operations of Fidelis Policies and the MDE.
Refer to chapter 14 of the User Guide.

Status Values
The feed status indicates the state of the feed:
Disabled: The feed is disabled. For custom feeds, click the row and click the Enable checkbox to
enable the feed. You cannot enable or disable Fidelis feeds.
Static: The feed is based on static feed data uploaded through the user interface. To update the
data, click the row and click Manual Update. Provide the file that contains the feed data.
Dynamic: The feed is fully operational from a web server that you provide.
For details on the format of feed data files, refer to Custom Feeds.

Configure the Fidelis Feed


The Fidelis Feed is integral to the operation of the Policy Feed and the Malware Detection Engine.
The feed is automatically enabled or disabled based on configuration of those operations. Refer to
Policy Feed and Malware Detection.
Refer to chapter 14 of the User Guide.
To configure the Fidelis Feed:

1. Go to Policies>Insight>Feed Config and click Fidelis Feeds. Fidelis Feeds are enabled or
disabled based on Policy Feed and Malware Detection Engine configuration. You cannot
change these values at the Feed Configuration page.

Figure 56. Insight: Fidelis Feed Configuration

2. If CommandPost needs to access the Fidelis Insight Feed Server through a proxy, use the
Feed Proxy Config screen to set up necessary proxy parameters. This page is available at
System>CommandPost Config>Proxy Config. Refer to chapter 13 in the User Guide.
3. The timeout refers to the time CommandPost will wait for the Fidelis Insight Feed Server to
respond. If the connection to a Fidelis Insight Feed Server experiences a timeout, you may
need to increase the timeout value from the default 15 seconds to allow the Fidelis Insight
Feed Server more time to respond. The number of records downloaded and the time of the
last update will be shown.
4. Enter a value for Refresh Frequency to determine when new feed information is
downloaded. The default is hourly with downloads beginning one hour from the time you
Save or Test the configuration, one hour after system restart, or one hour after the last
download. If you choose Daily, you can select the time of day to perform the download. You
can also select Specify and enter the number of minutes between the feed refresh minimum
and 999 minutes. The Fidelis feed has a minimum refresh of 60 minutes. Consult your feed
source to learn the minimum refresh for specific feeds.
5. Click Save. Saving configuration changes to a dynamic feed can take several seconds
because files are fetched from the location specified at the Location (URL) and loaded to
memory during Save.

Custom Feeds
Custom feeds represent intelligence available to you regarding malicious sites or files. A feed can
be supplied in either Comma Separated Values (CSV) or XML file formats. Each entry in the feed
represents a feed record used by Fidelis XPS sensors to detect network activity.
To deploy a custom feed, you need to:

• Create the feed file.
• Add and configure the feed.
Create the Feed File


Creating a file for a custom feed involves the following:

• Select a format for your file to represent your data: either CSV or XML. Refer to Format
Types.
• Determine the feed content type. Refer to Feed Content Types.

• Adapt data for Fidelis XPS by specifying field names. Refer to Field Names.
Memory needed for each feed entry depends on how you define the feed entry. The recommended
size limit is 100,000 entries per feed content type (You can have multiple feed files for the same
type). If there are more than 100,000 entries for a content type, truncation or errors can occur. The
sensor log file /FSS/log/[Link] can provide information about truncation or errors.
Refer to Logs.
Refer to chapter 13 in the User Guide.

Feed Content Types


Each feed file must contain one of the following feed content types: DNS Domains, Email Address,
IP addresses, MD5 File Hashes, or URLs. The content type of the feed file can be specified when
the feed is created. By specifying the feed type, CommandPost can display the feed at the
appropriate Policy create page.
A mixed feed is a file that contains records of two or more types. For example, the first line of the
file may indicate a URL to match, while the second line indicates an IP address. Each line in the file
represents a record and each record must contain only one type to match. If a single line contains
multiple types, the results are unpredictable. When creating a mixed file, each record must include
the correct number of columns (for a CSV file format) or tags (for an XML file format).
If the feed type is not specified, a default value of Mixed is assigned and the feed will appear for all
Policy creation pages that use feeds. The use of a mixed type is not ideal as it may lead to
inconsistent policies.

Field Names
Feed files require field names so that Fidelis XPS sensors can recognize the feed entry and use it
to detect network activity. Field names refer to CSV column or XML tag names and are specified
with one of the following values:
dns_domain: The DNS decoder matches a domain name lookup using the DNS protocol. You
need to use a fully qualified domain name such as [Link] or
[Link]. DNS feed data will only be used if the DNS decoder is enabled on the
sensor. DNS feeds are used by the DNS decoder.
Refer to DNS Decoder.
Refer to chapter 13 in the User Guide.
email: Email matches complete email addresses such as: jdoe@[Link] or the domain
portion of the email such as: @[Link]. The email feed file needs to be composed to
match tags defined in the custom feed.
ip: The IP Address and any other qualifying data in the feed match the network session. For
example, if the feed contains only an IP Address, then all activity involving this IP will match the
feed. The feed entry may also contain port, protocol, filename, transport, and host name. Each of
these fields will be used to qualify the matching IP address in TCP traffic, so that if the IP address
matches the feed but at least one of these fields does not match, there will not be a match.
If the sensor detects UDP traffic it will ignore protocol, filename, and host name. If the feed entry
contains a port number or transport, all values must match the UDP traffic.
Note: IP addresses must be presented as IPv4 addresses in CSV or XML formats.
The following additional fields can be supplied to qualify the match:

• hostname
• port
• protocol
• file
• transport (can have the value tcp or udp, or be left unspecified). If left unspecified, only
TCP traffic is analyzed.
md5 (32-byte hex format): Any file transferred on the network matches an MD5 hash in the feed.
The feed analyzer detects content during the decoding process by comparing the MD5 of a file on
the network against the MD5s provided in the feed.
url: The URL associated with the network application protocol matches the feed data. Only fully
qualified URLs will match. For example, if the feed contains [Link]/xyz, access to this URL
will match, as will any access to URLs that include the feed data (for example,
[Link]/xyz/index). With this example, access to [Link] or [Link]/abc will not
match the feed. Refer to URL Wildcards for more information.
The feed may contain other useful information. This data will not be used for network matching
purposes, but will be included within the alert details of any alert generated by matching a
reputation or email fingerprint.
Refer to Format Types for more information about specifying the CSV header and XML tags that
identify feed components.
In addition, the feed may specify any other information that is necessary. Any additional data will
appear in the alert details of an alert based on a match of the record.

Format Types
Feed files can be in either CSV or XML format types. Feed files created before version 7.7 might
have the IP List format, but users are advised to modify these feeds to CSV or XML formats as
support for IP List format is obsolete.

CSV Format
Comma separated values can be used to supply dns_domain, email, ip, md5, and url information
You can also supply additional information.
Additional information is not used for any matching unless used with an IP address. Refer to IP.
Even if not used for matching, additional information displays with the matched parameters in the
Violation Information section of the Alert Details page.
Lines that begin with a pound sign # are ignored as comments.
DNS Domains feeds can be specified as:
Assume CSV header is: "dns_domain;extra_info"
#dns_domain,extra_info
[Link],info1
[Link] ,info2
Email Addresses feeds can be specified as:
Assume CSV header is: "email;extra_info"
#email,extra_info
@[Link],info1
jdoe@[Link] ,info2
IP Addresses feeds can be specified as:
Assume CSV header is "ip;port;protocol;hostname;extra_info"
#ip,port,protocol,hostname,extra_info
[Link],80,http,[Link],info1
UDP or TCP example for IP Addresses feeds can be specified as:
Assume CSV header is: "ip;port;transport;extra_info"
#ip,port,transport,extra_info
[Link],80,udp,Bad_udp_IP
[Link],80,tcp,Bad_tcp_IP
MD5 File Hashes feeds can be specified as:
Assume CSV header is: "md5;extra_info"
#md5,extra_info
123456789abcdef0123456789abcdef0,info1
123456789abcdef0123456789abcdef1,info2
URL feeds can be specified as:
Assume CSV header is: "url;extra_info"
#url,extra_info
[Link],info1
[Link],info2

XML Format
XML files can be used to supply IP address, URL, port, protocol, host name, filename, dns domain,
email address, and additional information. Each entry must supply exactly one record of
information, equivalent to a single row within the CSV format. When you define an XML file, you
must supply the row tag, which is the name of the XML tag that defines each row. In each of the
examples below, the row tag is "entry".
DNS Domains feeds can be specified as:
The following example uses a wildcard that will match [Link]. Using wildcards is not necessary
if your feed fully describes all domains you wish to match.
<MyDNSfeed>
<description>Sample Feed</description>
<entries>
<entry>
<dns_domain>*.[Link]</dns_domain>
<extra_info>info1</extra_info>
</entry>
<entry>
<dns_domain>[Link]</dns_domain>
<extra_info>info2</extra_info>
</entry>
</entries>
</MyDNSfeed>
Email Addresses feeds can be specified as:
<Myemailaddressfeed>
<description>Sample Feed</description>
<entries>
<entry>
<email>@[Link]</email>
<extra_info>info1</extra_info>
</entry>
<entry>
<email>jdoe@[Link]</email>
<extra_info>John Doe,1234,Marketing</extra_info>
</entry>
</entries>
</Myemailaddressfeed>
IP Addresses feeds can be specified as:
<MyIPfeed>
<description>Sample Feed</description>
<entries>
<entry>
<ip>[Link]</ip>
<port>80</port>
<protocol>HTTP</protocol>
<hostname>[Link]</hostname>
<title>Sample IP Address Record</title>
</entry>
<entry>
<ip>[Link]</ip>
<port>9000</port>
<protocol>HTTP</protocol>
<hostname>[Link]</hostname>
<title>Another sample IP Address Record</title>
</entry>
</entries>
</MyIPfeed>
MD5 File Hashes feeds can be specified as:
<MyMD5feed>
<description>Sample Feed</description>
<entries>
<entry>
<md5>123456789abcdef0123456789abcdef1</md5>
<extra_info>Information about this MD5</extra_info>
</entry>
<entry>
<md5>123456789abcdef0123456789abcdef0</md5>
<extra_info>info2</extra_info>
</entry>
</entries>
</MyMD5feed>
URL feeds can be specified as:
<MyURLfeed>
<description>Sample Feed</description>
<entries>
<entry>
<url>[Link]</url>
<extra_info>info1</extra_info>
</entry>
<entry>
<url>[Link]</url>
<extra_info>info2</extra_info>
</entry>
</entries>
</MyURLfeed>
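A feed file is only useful if every record carries exactly one content field of the right shape; a malformed file fails at upload, and a mixed file lands on every Policy page. The following validator is an added example written for this guide, not Fidelis code, and it covers both the CSV and the XML layouts shown above. It takes the same two configuration values CommandPost asks for (the semicolon-separated CSV Header Names, or the XML Row Tag) and checks the constraints the guide states: one content field per record, IPv4-only ip values, 32-hex-digit md5 values, transport limited to tcp/udp, a `*.` host wildcard for urls, and the 100,000-record recommended limit. The sample feeds inside it are constructed, and the rows that fail are deliberately malformed.

```python
import csv
import ipaddress
import re
import xml.etree.ElementTree as ET

# Field names the sensor matches on; every other field is extra information
# that only appears in alert details.
CONTENT_FIELDS = ("dns_domain", "email", "ip", "md5", "url")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
RECOMMENDED_LIMIT = 100_000  # recommended records per feed content type


def parse_csv_feed(text, header_names):
    """Parse CSV feed text. header_names is the CSV Header Names string
    configured for the feed, e.g. "ip;port;transport;extra_info"."""
    fields = [name.strip() for name in header_names.split(";")]
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and '#' comment lines are ignored
        values = next(csv.reader([line]))
        records.append({f: v.strip() for f, v in zip(fields, values)})
    return records


def parse_xml_feed(text, row_tag):
    """Parse XML feed text; row_tag names the element that holds one record."""
    root = ET.fromstring(text)
    return [{child.tag: (child.text or "").strip() for child in row}
            for row in root.iter(row_tag)]


def validate_records(records):
    """Return (content_type, errors). content_type is the one field type used
    by all valid records, or "mixed" when records use different types."""
    errors = []
    types_seen = set()
    for n, rec in enumerate(records, 1):
        present = [f for f in CONTENT_FIELDS if rec.get(f)]
        if len(present) != 1:
            errors.append(f"record {n}: needs exactly one content field, has {present or 'none'}")
            continue
        kind, value = present[0], rec[present[0]]
        types_seen.add(kind)
        if kind == "md5" and not MD5_RE.match(value):
            errors.append(f"record {n}: md5 must be 32 hex digits: {value!r}")
        elif kind == "ip":
            try:
                ipaddress.IPv4Address(value)  # feeds must use IPv4 addresses
            except ValueError:
                errors.append(f"record {n}: ip must be an IPv4 address: {value!r}")
            if rec.get("transport", "").lower() not in ("", "tcp", "udp"):
                errors.append(f"record {n}: transport must be tcp, udp or empty")
        elif kind == "url" and value.startswith("*") and not value.startswith("*."):
            errors.append(f"record {n}: host wildcard must be '*.': {value!r}")
    if len(records) > RECOMMENDED_LIMIT:
        errors.append(f"{len(records)} records exceeds the recommended {RECOMMENDED_LIMIT}")
    if len(types_seen) == 1:
        content_type = types_seen.pop()
    else:
        content_type = "mixed" if types_seen else "none"
    return content_type, errors


def check_feed(text, fmt, header_or_row_tag):
    """fmt is "csv" (pass the header names) or "xml" (pass the row tag).
    Returns (content_type, record_count, errors)."""
    if fmt == "csv":
        records = parse_csv_feed(text, header_or_row_tag)
    else:
        records = parse_xml_feed(text, header_or_row_tag)
    content_type, errors = validate_records(records)
    return content_type, len(records), errors


# Constructed sample feeds (not from the guide). The third CSV row and the
# second and third XML entries are deliberately invalid.
SAMPLE_CSV = """#ip,port,transport,extra_info
192.0.2.10,80,udp,Bad_udp_IP
192.0.2.11,80,tcp,Bad_tcp_IP
2001:db8::1,80,tcp,not_ipv4
"""
SAMPLE_XML = """<MyMD5feed><description>Sample Feed</description><entries>
<entry><md5>123456789abcdef0123456789abcdef1</md5><extra_info>info1</extra_info></entry>
<entry><md5>notahash</md5><extra_info>bad hash</extra_info></entry>
<entry><md5>123456789abcdef0123456789abcdef0</md5><url>example.com</url></entry>
</entries></MyMD5feed>"""

if __name__ == "__main__":
    for name, args in (("csv", (SAMPLE_CSV, "csv", "ip;port;transport;extra_info")),
                       ("xml", (SAMPLE_XML, "xml", "entry"))):
        content_type, count, errors = check_feed(*args)
        print(name, content_type, count, *errors, sep="\n  ")
```

Run it against a feed file before pointing CommandPost at it; the content type it reports is the value to select under Feed Content, and "mixed" is the case the guide advises against.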

URL Wildcards (CSV and XML feed formats)
Feeds can use an asterisk (*) as a wildcard to match a domain or subdomain. To use this feature,
URLs in your feed require an explicit wildcard to the left of your feed record.
Feed matching uses an implicit wildcard on the right. Anything that follows the path will be
considered a match. The * is not needed at the end of the path, but if the asterisk is specified, it will
be stripped out. For example:
hostname/path/to/bad/resource
will match the following URLs:

hostname/path/to/bad/resource/
hostname/path/to/bad/resource/subresource
hostname/path/to/bad/resource?query
Wildcards are not supported in the middle of a URL record.
Wildcards in URL hostname subdomains
You can specify a subdomain wildcard in the URL hostname using *. (asterisk plus period). For
example:
*.[Link]/path/to/bad/resource
will match the following URLs:
[Link]/path/to/bad/resource
[Link]/path/to/bad/resource
[Link]/path/to/bad/resource/subresource?query
An asterisk wildcard (*) without a period (.) is not supported. For example the following is invalid:
*[Link]
URLs that will match any path
You can specify a domain such as: [Link] that will match the following:
[Link]/path/to/bad/resource
but not
[Link]/path/to/bad/resource
URL paths that will match any hostname
You can leave out the hostname entirely and specify just a URL path. For example:
/path/to/malware/on/any/host
will match the following URLs:
anyhostname/path/to/malware/on/any/host
anyhostname2/path/to/malware/on/any/host/etc?etc
Note: the URL must start with a slash (/) in this case.
Additional Information
Specifying a URL similar to the following in a custom feed record is not supported:
*/path/to/malware
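The wildcard rules above are easy to get wrong when writing a feed by hand, so it helps to check records against the documented matching behaviour before uploading. The matcher below is an added example for this guide, not Fidelis code and not the sensor's implementation; it models the rules stated in this section: exact hostname match unless the record starts with `*.`, an implicit wildcard to the right of the path with any explicit trailing `*` stripped, path-only records that match any hostname, and rejection of `*host`, `*/path` and mid-record wildcards. Two points the guide leaves open are handled as labelled assumptions: a scheme prefix on the observed URL is ignored, and `*.example.com` matches subdomains only. Hostnames such as `example.com` are constructed sample values.

```python
import re

# Assumption: an observed URL may carry a scheme, which is not part of the match.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


class InvalidFeedRecord(ValueError):
    """A URL record shape the guide says is not supported."""


def normalize_record(record):
    """Apply the record rules: strip a trailing '*', reject '*/path',
    reject a host wildcard without a period, reject wildcards mid-record."""
    rec = record.strip()
    if rec.endswith("*"):
        rec = rec[:-1]  # the right-hand wildcard is implicit; an explicit one is stripped
    if rec.startswith("*/"):
        raise InvalidFeedRecord(f"'*/path' records are not supported: {record!r}")
    if rec.startswith("*") and not rec.startswith("*."):
        raise InvalidFeedRecord(f"host wildcard must be '*.' (asterisk plus period): {record!r}")
    body = rec[2:] if rec.startswith("*.") else rec
    if "*" in body:
        raise InvalidFeedRecord(f"wildcards are not supported in the middle of a record: {record!r}")
    if not body:
        raise InvalidFeedRecord(f"empty record: {record!r}")
    return rec


def split_host_path(value):
    """Split 'host/path?query' into (host, '/path?query'). A value that begins
    with '/' has no host and therefore matches any hostname."""
    value = SCHEME_RE.sub("", value.strip())
    if value.startswith("/"):
        return "", value
    host, sep, rest = value.partition("/")
    return host.lower(), sep + rest


def url_matches(record, url):
    """True when the observed URL matches the feed record."""
    rec_host, rec_path = split_host_path(normalize_record(record))
    url_host, url_path = split_host_path(url)
    if rec_host.startswith("*."):
        # Assumption: '*.' matches subdomains only, i.e. hosts ending in '.domain'.
        if not url_host.endswith(rec_host[1:]):
            return False
    elif rec_host and rec_host != url_host:
        return False  # without a wildcard the hostname must match exactly
    # Implicit wildcard on the right: anything after the record path matches.
    return url_path.startswith(rec_path)


def is_valid_record(record):
    """True if the record has a shape the sensor will accept."""
    try:
        normalize_record(record)
        return True
    except InvalidFeedRecord:
        return False


def first_match(records, url):
    """Return the first valid record that matches url, or None."""
    for rec in records:
        if is_valid_record(rec) and url_matches(rec, url):
            return rec
    return None


if __name__ == "__main__":
    feed = ["hostname/path/to/bad/resource", "*.example.com/path/to/bad/resource",
            "example.com", "/path/to/malware/on/any/host", "*example.com"]
    for rec in feed:
        print(rec, "valid" if is_valid_record(rec) else "INVALID")
    print(first_match(feed, "http://www.example.com/path/to/bad/resource?query"))
```

Feeding a draft record list through `is_valid_record` catches the unsupported shapes, and `first_match` shows which record a given URL would hit, which is useful when a feed contains both a bare domain and `*.` entries for the same domain.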

IP List
Before version 7.7, you could create feeds with an IP List format type. Existing feeds with this
format type are currently supported, but users are advised to create new feeds with IP address
information in either CSV or XML format types.

Add and Configure Custom Feeds
An unlimited number of feeds can be supplied to CommandPost. A Custom feed must first be
added to CommandPost, then configured. Once configured, feed data can be used by Location
fingerprints, URL Content fingerprints, the DNS decoder, and in URL and UDP prevention.

To add a new feed:
1. Go to Policies>Insight>Feed Config and click Add Custom Feed.
2. Enter the name of the feed source. The entered name must be unique among all custom
feeds on CommandPost.
3. Optional: Add a description which will be displayed in the list of feeds on the Feed Config
page and on the Location>Reputation edit page.
To configure a custom feed:
Custom feeds can be set up for a one-time manual upload, manual refresh, or automated refresh
from a Fidelis Insight Feed Server accessible via CommandPost.

Figure 57. Insight: Custom Feed Configuration

To configure the feed:
1. Go to Policies>Insight>Feed Config and click the name of the feed.
2. Click Enable to enable the feed on the CommandPost.
If you have a hierarchical environment and are logged on to the Master CommandPost, you
can click Global Feed to save the feed on the Master and on all Subordinate
CommandPosts. Refer to Hierarchical Management and Custom Feeds.
3. The description will reflect the text entered when the feed was added. It may be changed on
the configuration screen at any time.
4. If needed, you can deactivate the feed by unchecking the Dynamic box. This will place the
feed in the Static state. Use this state for feeds that will be updated manually.
Clicking the Dynamic checkbox will reveal configuration requirements for feed retrievals:
Use Proxy, Verify SSL certificate, Location (URL), user and password. These fields are not
required if Dynamic is unchecked.
5. Click Use Proxy to enable CommandPost to access a feed server through a proxy. Use the
Feed Proxy Config screen to set up the necessary proxy. If the source of your feed can be
accessed without going through your network’s proxy server, uncheck Use Proxy. Refer to
chapter 13 in the User Guide.

6. Ensure that Verify SSL certificate is checked if the URL of the feed has a verifiable SSL
certificate; otherwise uncheck it.
7. The timeout refers to the time CommandPost will wait for the feed server to respond. If the
connection to a feed server experiences a timeout, you may need to increase the timeout
value from the default 15 seconds to allow the feed server more time to respond.
8. Enter a value for Refresh Frequency to determine when new feed information is
downloaded.
The default is hourly. The first download will happen when you save the configuration or
when the system starts up. The next download will happen one hour from the last
download. Note that clicking Download Now will do a refresh immediately, but will not
change the refresh schedule. For example, if you click Download Now 55 minutes after the
last automatic refresh, and your refresh interval is hourly, then 5 minutes after your
download, auto refresh will still happen.
If you choose Daily, you can select the time of day to perform the download. You can also
select Specify and enter the number of minutes between the feed refresh minimum and 999
minutes. Consult your feed source to learn the minimum refresh of custom feeds.
If Dynamic is enabled, new feeds are fetched according to the set refresh frequency or
when any feed configuration changes are saved. Optimal refresh frequency is the one that
correlates to the frequency of feed updates on the feed source.
The Feed update is a full update, which means that all data from a previous update of the
feed will be removed and the new fetched feed file will be used.
If Dynamic is disabled, you can manually upload the feed file. The old version will be
removed when a new version of the feed file is manually uploaded.
Use the Expiry Interval to specify when to expire feed data. For static feeds, this value can
be used to expire feed data before the next manual upload. It can be useful if you wish to
expire data more frequently than the refresh of a dynamic feed. Expiry can be set for 1 or
more days. Set Expiry Interval to 0 to never expire the feed data.

9. Dynamic feeds require a location from which to retrieve data at the refresh interval. Enter a
URL that corresponds to the location of the data.
10. The source of your data may require authentication to be accessed. CommandPost will
supply the user name and password provided for the feed.
11. Select a format. For XML, enter the Row Tag associated with your XML file schema. Refer
to XML for details. For CSV, enter CSV Header Names associated with your custom file
data. Refer to CSV format for details.
12. Select Feed Content, either: DNS Domains, Email Address, IP addresses, MD5 File
Hashes, or URLs. Refer to Feed Content Types.
13. Click Save. Click Save All if you made changes to two or more feeds. Saving configuration
changes to any feed will cause all dynamic feeds to be fetched from the location specified
at the Location (URL) and loaded to memory during Save. This can take several seconds.
If you plan to manually upload feed files you must first complete and save the feed configuration,
then click Manual Upload. The feed file must be accessible to your client workstation. Enter the
location of the file or click Browse to navigate to the file. If the file is in the wrong format, the upload
process will fail. After successfully configuring a feed, the number of records downloaded and the
time of the last update will be shown.
Number of Records Indicates the number of records downloaded and stored on the CommandPost
and sensors in the last feed update.
Last Update displays the timestamp when the feed was last updated using either the Manual
Upload feature or refreshed using the Refresh Frequency.

Hierarchical Management of Feeds
Feeds and IP-to-ID feeds can be made available to all available Subordinate CommandPosts.
For custom feeds, click Global Feed and Save at the feed config page at the Master CommandPost
to copy the new feed configuration to all Subordinate CommandPosts. If a Subordinate
CommandPost is not available, an error message displays. The Global Feed option overwrites
custom feed configurations on Subordinate CommandPosts upon save. If you access the
Subordinate CommandPost, a global feed cannot be modified. If you delete a global feed, it will be
removed from all Subordinate CommandPosts.
To make a global feed available for configuration at a Subordinate, uncheck Global and click Save.
If you add Subordinate CommandPosts later, click Save All at the feed config page at the Master
CommandPost to copy the feed to new Subordinate CommandPosts.
The global feed setting applies to all aspects of the feed configuration. When the Master updates
the feed data, either by manual upload of a static feed or by dynamic retrieval, the data will be
made available to all Subordinate CommandPosts and all sensors registered to any of the
CommandPosts within the hierarchy. There will be a small delay for the updated feed data to reach
all destinations.
By default, Fidelis feeds are retrieved by each CommandPost from the Fidelis Insight feed server.
Subordinate CommandPosts will use the Master CommandPost to retrieve Fidelis Feeds.
The A10 IP-to-ID feed cannot be established in a hierarchical manner. Each CommandPost will
need to setup an interface to a local A10 system.

IP-to-ID Config
IP-to-ID requires an A10 Networks Identity Management system or a custom source of IP address
to domain-user ID mapping. IP-to-ID feeds need to be configured on the CommandPost. When
configured, the feed information will correlate IP address to user identity to LDAP information.
LDAP-based fingerprints can be used to match user identities and all alerts can be augmented with
user ID information.

Access IP-to-ID Config


To access this page, click Policies>Insight>IP-to-ID Config.
The IP-to-ID Config page displays the A10 Integration feed and any custom feeds previously
created. The page columns indicate whether or not each feed is enabled, the feed status, and
provides a name and description for each.
At the IP-to-ID Config page, you can edit the configuration for A10 Integration or for custom feeds.

Configure IP-to-ID Feeds


To configure the A10 IP-to-ID feed or any custom IP-to-ID feed, the process is identical to
Configure Custom Feeds with a few exceptions.
The A10 feed must be available to each CommandPost within the hierarchy. It must be dynamic
and cannot support a global setting. Therefore, the dynamic/static and global feed controls are not
available.
Custom IP-to-ID feeds must use the XML format as described below. The custom feed may be set
up on the Master CommandPost and used by all Subordinate CommandPosts if the global feed
option is selected. Custom feeds can be uploaded manually if the Dynamic control is disabled.

Custom IP-to-ID XML File Format
Each user_activity_list tag identifies a user, with a list of the user's user_activity attributes. Records
are similar to the following:

<user_activity_list>
<username>suser1</username>

<user_activity>
<user_ip>[Link]</user_ip>
<time_start>2012-07-13 [Link] -0500</time_start>
<time_end>Now</time_end>
<user_hostname>FSS-SAL-A2FF5B</user_hostname>
<server_ip>[Link]</server_ip>
<server_hostname>test-host</server_hostname>
<domain_name></domain_name>
<dc_name></dc_name>
</user_activity>

<username>Lab220</username>
<user_activity>
<user_ip>[Link]</user_ip>
<time_start>2012-07-13 [Link] -0500</time_start>
<time_end>Now</time_end>
<user_hostname>lab220</user_hostname>
<server_ip>[Link]</server_ip>
<server_hostname></server_hostname>
<domain_name></domain_name>
<dc_name></dc_name>
</user_activity>

</user_activity_list>
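The layout above is positional: a `<username>` element applies to every `<user_activity>` that follows it until the next `<username>`, and a `time_end` of `Now` marks a session that is still open. The parser below is an added example for this guide, not Fidelis code; it reads that layout and resolves an IP address to the user logged in at a given time, which is the lookup a Directory Location fingerprint depends on. It assumes timestamps of the form `YYYY-MM-DD HH:MM:SS -0500` (the guide's sample shows the date and offset, and the time-of-day portion here is an assumption), and the addresses, times and the second user's hostname in the embedded sample are constructed. The sample gives the same IP to two users in succession to show why the time window, not just the address, decides the answer.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Assumed timestamp layout for time_start / time_end (date, time, UTC offset).
TIME_FORMAT = "%Y-%m-%d %H:%M:%S %z"


def parse_time(text):
    """Return an aware datetime, or None for the open-ended value 'Now'."""
    text = text.strip()
    return None if text == "Now" else datetime.strptime(text, TIME_FORMAT)


def parse_ip_to_id(xml_text):
    """Read the positional layout: each <username> applies to the
    <user_activity> elements that follow it, until the next <username>."""
    root = ET.fromstring(xml_text)
    if root.tag != "user_activity_list":
        raise ValueError(f"unexpected root element {root.tag!r}")
    sessions, current_user = [], None
    for el in root:  # document order matters here
        if el.tag == "username":
            current_user = (el.text or "").strip()
        elif el.tag == "user_activity":
            if current_user is None:
                raise ValueError("user_activity appears before any username")
            fields = {c.tag: (c.text or "").strip() for c in el}
            sessions.append({
                "username": current_user,
                "ip": fields["user_ip"],
                "start": parse_time(fields["time_start"]),
                "end": parse_time(fields["time_end"]),
                "hostname": fields.get("user_hostname", ""),
            })
    return sessions


def resolve(sessions, ip, at):
    """Usernames logged in from ip at the aware datetime `at` (empty if none)."""
    found = []
    for s in sessions:
        if s["ip"] != ip or at < s["start"]:
            continue
        if s["end"] is not None and at > s["end"]:
            continue  # session had already ended
        found.append(s["username"])
    return found


def resolve_at(sessions, ip, when_text):
    """Same as resolve, with the time given in the feed's own timestamp format."""
    return resolve(sessions, ip, parse_time(when_text))


# Constructed sample feed: one closed session and one open session on the same IP.
SAMPLE_IP_TO_ID = """<user_activity_list>
<username>suser1</username>
<user_activity>
<user_ip>192.0.2.50</user_ip>
<time_start>2012-07-13 08:00:00 -0500</time_start>
<time_end>2012-07-13 10:00:00 -0500</time_end>
<user_hostname>FSS-SAL-A2FF5B</user_hostname>
<server_ip>192.0.2.1</server_ip>
<server_hostname>test-host</server_hostname>
<domain_name></domain_name>
<dc_name></dc_name>
</user_activity>
<username>Lab220</username>
<user_activity>
<user_ip>192.0.2.50</user_ip>
<time_start>2012-07-13 11:00:00 -0500</time_start>
<time_end>Now</time_end>
<user_hostname>lab220</user_hostname>
<server_ip>192.0.2.1</server_ip>
<server_hostname></server_hostname>
<domain_name></domain_name>
<dc_name></dc_name>
</user_activity>
</user_activity_list>
"""

if __name__ == "__main__":
    sessions = parse_ip_to_id(SAMPLE_IP_TO_ID)
    for when in ("2012-07-13 09:00:00 -0500", "2012-07-13 10:30:00 -0500",
                 "2013-01-01 00:00:00 -0500"):
        print(when, resolve_at(sessions, "192.0.2.50", when))
```

Running the same query at three times returns `suser1`, nobody, and `Lab220` in turn; an alert that only carried the IP would attribute all three to whoever holds the address now.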

Test Feed Configuration
There are two aspects to testing your feed configuration: communication to the server and network
data matching.
To validate communication, enable the desired feed and click Download Now. The number of
records accessed will be available on the CommandPost GUI. If no data is retrieved check your
feed configuration, proxy settings, and your network connectivity for CommandPost.
Note: The Download Now button becomes inactive after you change any configuration
value. You must save your configuration changes before the Download Now button
can become active. If you receive an error message stating timeout during download,
adjust the timeout value.
To validate your feed against network data you will need to generate alerts to a known host within
the feed. To test your feed:

• Configure the feed.
• Ensure that the feed shows a number of IP records greater than zero.
• Create a Location>Reputation fingerprint specifying the feed you wish to test. Apply this
fingerprint to a rule. The rule action should be: alert. Add the rule to a policy, assign the policy
to your sensor, and update the sensor.
• From a client workstation on your network visit a test site to generate an alert. Be sure that
traffic from your client workstation is monitored by the sensor to which the above fingerprint
was applied. The Fidelis Feed can be tested by accessing:
[Link]
This action will retrieve a harmless file ([Link]) from a Fidelis server. The URL and the
MD5 of the file are included in Fidelis Feeds. Therefore, this action will generate an alert if
everything is properly configured.

Policy Feed
The Fidelis Threat Research Team periodically delivers threat intelligence through the Fidelis
Policy Feed. If enabled and configured on your Fidelis XPS system, Fidelis policies are
automatically downloaded to CommandPost and, if desired, automatically pushed to sensors.
When the Policy Feed is enabled, CommandPost will provide usage statistics to the Fidelis Insight
Feed Server on an hourly basis. These statistics provide valuable information that is used to
monitor the effectiveness of the policies and to quickly identify and correct problems with the
policies. The gathered statistics will not include information about customer-created policies. The
exact statistics are easily viewed on CommandPost at the Policy Feed Configuration page.
For customers with a license that excludes collection of usage statistics, these statistics are not
generated.

If your license allows air gap operations, you may access and download the policy packs through
the customer support portal. If this license is detected, the Policy Feed page will only provide an
enable checkbox that must be selected for proper operation of the policies. In addition, you will
need to obtain and install Fidelis feed updates on a daily basis or the policies will not be effective.
Refer to Air Gap.
To configure policy feeds using a normal license (not the air gap version):

1. Click Policies>Insight>Policy Feed.
2. Click Enable Policy Feed. This instructs CommandPost to retrieve policies from the Fidelis
Insight Feed Server and list them in the Available Policies section. Without enabling Policy
Feeds, you will not receive new policies or updates to current policies. You need to enable
Policy Feeds for the Collector Feed to be available.
After you click Enable Policy Feed and Save, available policies display with checkboxes.
New policies are policies that you have not reviewed before on the Policy Feed
Configuration page and are indicated with a status of New. The New status changes after
you click Save. If the Fidelis Threat Research Team adds new policies in the future, the
CommandPost system status will turn yellow until you have reviewed the policies and
clicked Save.
Policies that are chosen will be downloaded from the Fidelis Insight Feed Server. Policies
that are not checked will not be downloaded. Each policy name can be clicked to reach
documentation provided by the Fidelis Threat Research Team.
Download Information also displays after Policy Feed is enabled.
Time of Last Policy Fetch is the date and time when the Fidelis Insight Feed Server was
last accessed. This time should correspond to the configured Refresh Interval value. When
accessed, a policy is downloaded only if it differs from the last version of the policy
downloaded from the server.
Timestamp of Last Downloaded Feed is the date and time of the most recent policy.
When a fetch is attempted, only updated policies will be downloaded. The frequency of new
policies published by the Fidelis Threat Research Team varies based on current needs.

Figure 58. Insight: Policy Feed Configuration

When you enable Policy Feeds, a notice displays about the reporting of statistics and asks
if you want to continue.
Click OK to continue.
Enabling Policy Feed enables the statistics reporting for usage of policies provided by
Fidelis and the Malware Detection Engine. It also enables the Fidelis Feed, which can be
viewed at Policies>Insight>Feed Config.
3. Enter a period of time in minutes for the Refresh Interval. This is the amount of time
between policy retrieval. The default is 1440 minutes (once every 24 hours). Once per
interval, the Fidelis Insight Feed Server will be queried for any changes to policies that are
selected. If updates are available, for selected policies, they will be downloaded to
CommandPost.
4. Specify a value for Timeout of at least 15 seconds. This is the amount of time that
CommandPost will wait for a server response. If the connection to the Fidelis Insight Feed
Server experiences a timeout, you might want to increase the value to allow the Fidelis
Insight Feed Server more time to respond.
5. Select one or more policies or click the checkbox for Select All. Selected policies will be
updated when you click Save or during the next refresh interval if there is any change from
existing policies.
6. Select either Manual or Automatic Sensor update mode.
If you select Manual, policy updates will be loaded to CommandPost. You can review and
modify all downloaded policies and policy components on the Policy pages. When you have
completed the review process, you may visit the Policy>Assignments page and click Update
to update the appropriate sensors.
If you select Automatic, after policy download, all sensors are updated. This process will
push all policy changes, including any custom policies that reside on CommandPost.
7. Select the sensors on which you want to assign policies. Clicking All registered sensors
means that selected policies will be assigned to all registered sensors, including any new
sensors that will be added and registered later.
If a sensor is selected, all selected policies will be added to the sensor's assignments. If a
sensor is not selected, you will need to visit the Policy>Assignments page to update the
assignments for sensors. Updates will follow the manual or automatic process as described
above in step 6. Refer to Policy Update and Policy Assignments to Sensors.
Note: Policy feeds cannot be assigned to sensors from a Secondary Policy Manager.
Refer to the Overview chapter in the User Guide.
8. Click Test to verify communication with the server. The results are displayed on the page.
9. Click View Log if desired, to see feedback content. Hide Log hides feedback content.

10. Click Save. This can force a policy update before the specified Refresh Interval. A
confirmation dialog box displays stating that usage statistics are collected. Click OK to
continue.

Policy Update and Policy Assignments to Sensors
Policy update and policy assignment to sensors are two different operations.
Policy Update normally occurs when Update Sensor is clicked at the Policies>Assignments page.
Selections at the Insight>Policy Feed page decide whether you need to click Update Sensor when
a policy feed changes or whether it is done automatically.
If you select:

• Manual: you will need to click Update Sensor on the Policies>Assignments page when a
policy feed changes. The status icon will change from yellow to green.
• Automatic: the sensors are updated for you when policy updates are successfully
downloaded. You will not get a yellow status icon when policy feeds are downloaded.
Sensor assignment normally occurs when Edit Assignments is clicked at the Policies>Assignments
page. The sensor checkboxes at the Insight>Policy Feed page decide whether you need to click
Edit Assignments or whether it is done automatically.

• If no sensors are selected at Insight>Policy Feed, you need to click Edit Assignments at
Policies>Assignments and assign policies to sensors. Then click Update Sensor.
• If you select one or more sensors, then any selected policy feeds will be assigned to those
sensors. If you select All Sensors, then selected policy feeds will be assigned to all sensors,
even to sensors added later.
Note: when a new sensor is added, it may take up to one refresh interval
(default 24 hours) until policies reach the new sensor.
• If policies are unselected, policy assignments will not change regardless of the settings on
the page. You will need to visit the Policy>Assignments page and edit the assignments to
remove policies.

Insight Policy Tuning
Customizing rules, fingerprints, and macros delivered via the Insight Policy feed is not
recommended, with the exception of certain dedicated whitelisting fingerprints. These fingerprints,
listed below, are already integrated into the Insight rule expressions. The fingerprints contain
default values or may be empty, and are intended to be managed by policy authors. The whitelist
fingerprints provide for filtering of false positive alerts based on IP, URL, MD5, email addresses,
domain, and filename.
Note: Not all rules are designed to use all of the whitelisting fingerprints. Refer to the
rule expression before tuning.
The dedicated whitelisting fingerprints listed below are available for customization.
Table 9. Dedicated Whitelisting Fingerprints

Fingerprint Name | Do not alert if: | Ranges allowed | Regular Expression
[Link] | the data originates from this list of IP addresses. | Source IP addresses | No
[Link] | the data destination is to this list of IP addresses. | Destination IP addresses | No
[Link] | the session involves any IP addresses from this list. | Source, destination, client/server IP addresses | No
[Link] | the session involves any IP addresses from this list. | Source, destination, client/server IP addresses | No
[Link] | the session involves any IP addresses from this list. | Source, destination, client/server IP addresses | No
[Link] | the HTTP protocol references any of the URLs in this list. | Any portion of a URL address | No
[Link].MD5 | the object matches any of the MD5 checksums in this list. | MD5 checksums | No
[Link] | the file matches any of the filenames in this list. | Filenames | No
[Link] | the HTTP protocol references any of the URLs in this list. | Any portion of a URL address | Yes
[Link].SMTP_Addresses | any of the recipients of the email message are in this list. | Email addresses or domains | No
[Link]nsfers | the session involves any IP addresses from this list. | Source, destination, client/server IP addresses | Yes
[Link]pertyTransfers | the session involves any IP addresses from this list. | Source, destination, client/server IP addresses | Yes
[Link]nsfers | the session involves any IP addresses from this list. | Source, destination, client/server IP addresses | Yes
[Link]cations | the session involves any IP addresses from this list. | Source, destination, client/server IP addresses | No

Collector Feed
Every day, MD5 hash values of newly detected malware are added to the Fidelis feeds. Those
values are made available to Fidelis XPS sensors when the feed is updated per the refresh
frequency chosen at the Feed Config page. After the feed is updated on the sensor, an alert will be
generated if the newly detected malware is found on your network. The Collector feed is used to
apply the hash values of newly detected malware to data stored in a Fidelis XPS Collector. The
result will be an alert for any evidence that these files were found on your network before the feed
was updated. You may think of these alerts as historical evidence of malicious files in the recent
past. On the Collector Feed page, you can choose one or more of the Fidelis feeds that contain
MD5 file hash values. Each night, new MD5 files will be compared to all data on all Fidelis XPS
Collectors registered to CommandPost. If the MD5 is found, an alert is generated using the severity
chosen on the page.
Note: It is likely that the malware was detected by the Malware Detection Engine of a
Fidelis XPS sensor when the file was transmitted in the network. If such an alert is
detected in CommandPost, the alert generated by Collector will not be inserted, to
avoid alert duplication. Therefore, when the malicious file has already created an alert,
choosing Collector Feeds will not create duplicates.
If your license allows for air gap operation, the Collector feed behaves differently than described
here. Refer to Air Gap.
To configure Collector feeds:

1. Go to Policies>Insight>Collector Feed.

Figure 59. Insight: Custom Feed Configuration

2. Select one or more feeds or click the checkbox at the top of the Enabled column to select
all feeds.
Note: The Fidelis Policy feed or Malware Detection Engine must be enabled or
the Collector Feed page will be empty.
3. Select an alert severity for each assigned feed: Low, Medium, High, or Critical.
4. Select an alert management group.
5. Click Save Changes.
By default, the Collector Feed runs at 2:00 each night over Metadata. To change this time,
visit Metadata>Automation.
Refer to chapter 7 in the User Guide.

Alerts generated by the Collector Feed will have slight differences to alerts generated by Fidelis
XPS sensors:

• The rule name and policy name will be: Collector Feed. To identify these alerts, you can
search for Collector Feed in either rule or policy.
• The rule summary will include the feed name and the Collector name.
• Because the alert is generated by metadata, the alert will lack session details. Therefore,
the Alert Details page will lack recorded session, forensic data, execution forensics, and
malware information. The decoding path will not be clickable.

Chapter 11 Import
You can import files containing policy (30), rule (31), macro, or fingerprint (32) information to the
CommandPost. To use this feature, you need full permissions to policies. Refer to chapter 12 in
the User Guide.
Note that importing policies and their elements (rules, fingerprints, and macros) into CommandPost
can affect the Created and Last Modified information included in the imported policy.

• For policies created by Fidelis XPS, Created and Last Modified dates and user information
are not affected.
• For all other policies, if the original user exists in CommandPost, then the Created and
Last Modified dates and user information are not affected. If the user does not exist, then
the Created and Last Modified dates and user information will be the date of the import and
the user performing the import.
To import:

1. Click Browse to locate the import (.tgz) file on your workstation. Files must be tar-gzipped files
with a .tgz extension.
2. Upload the file. The Policy Import dialog box displays with the name of the selected file.

Figure 60. Policy Import

3. Select an option for conflict handling. A conflict occurs when any policy component has the
same name as an existing component on the CommandPost. This tells Import what to do if it
detects a conflict.

• Ignore Import File: ignores the conflicting component in the import file. This is the
default option.
• Import File Overwrites Database Entry: a conflicting component in the import file will
create a new version of the component on CommandPost.
• Erase All Policies Prior to Import: erases all existing policies, rules, fingerprints, and
macros before importing, thus eliminating all potential conflicts.
Note: Use this option with caution. If the import fails you will not have any policies
on the CommandPost.

(30) A policy is a set of rules that guide business practices within an enterprise. Some examples
include determining acceptable use of network resources, preventing transmission of sensitive
information, and ensuring compliance with privacy laws.
(31) Fidelis XPS uses rules to determine what are acceptable and unacceptable network data
transmissions. When an unacceptable network data transmission is detected, a rule determines
what action will be taken.
(32) In Fidelis XPS, fingerprints describe attributes of network data transfers in terms of the content,
the sender/receiver (location), or the method of transfer (channel).

4. Select an option for error handling: either Stop Importing on First Error or Ignore Errors and
Proceed.
Errors in files can be caused by a bad file structure or a policy or rule that refers to a policy
component (fingerprint, macro, or rule) not found in the import file or on CommandPost.
These errors need to be fixed before you can successfully export and import these files.
If you cannot fix a file with errors, contact Technical Support.
The import can take several minutes depending on the size of your import file. When complete, the
Policy Import Result displays.

Appendix A: Best Practices for Policy Creation
The typical environment will employ a combination of Fidelis Insight Policy Feeds, Malware
Detection Engine, and custom policies. These systems interact in ways that may impact the
performance of your system. This section describes Best Practices that are recommended for use
of Fidelis XPS.

Understanding Policy Operations
Before attempting to write custom policies, review and understand the following in the Fidelis XPS
Policies Overview.

Using the Fidelis Insight Policy Feed

Adopt a naming convention.
Fidelis policies and rules begin with “FSS_” and Fidelis fingerprints begin with “F.” When
creating custom policies, rules, fingerprints, and macros, Fidelis recommends that you
adopt a naming convention suitable to your needs and that you do not use “FSS_” and “F.”
so you can easily identify your custom policies, rules, fingerprints, and macros.

Understand policy versions. Refer to Policy Versions.
Fidelis will often update policies, rules, fingerprints, and macros if the Policy Feed is
enabled. The updates are provided to improve Insight policies. Version 0 will always reflect
the latest update from Fidelis. Version bak will be the prior version from Fidelis.
You may make changes to policies, rules, macros, and fingerprints as required. Your
changes are handled differently for each type of policy component.
When a Fidelis Policy feed update is downloaded:

• Policies will be merged with any changes you made. The result is a policy that
contains a combination of Fidelis rules, custom rules, and any rules you may have
removed from the policy.
• Fingerprints and macros in the policy feed will not overwrite your changes. If you would
like to revert to the latest Policy feed version of a fingerprint or macro, you can activate
version 0.
• Rules in the Policy Feed contain a Fidelis expression and a User Expression. The
Fidelis expression cannot be modified to avoid conflict with Policy Feed updates. You
may use the User expression to refine the rule. You may also change any aspect of
the rule, such as action, severity, and alert management group. When the Policy Feed
is updated, your changes will not be overwritten.
Rules have multiple possible states, as defined by the icon:

• Fidelis rules: the expression is from the Policy Feed. There is no user expression.
Any other change to the rule does not change the state from Fidelis rule.
• Fidelis Modified rules: this state represents a Fidelis rule where a user
expression has been added.
• Unsynced Fidelis rule: if the expression of your rule is different from the
expression in the latest version of the rule in the Policy Feed, you will have an
unsynced rule. This state cannot be achieved after Fidelis XPS version 8.0. To sync
the rule, edit the rule, click the Sync button to view the latest Fidelis expression, modify
or remove the user expression to achieve the desired rule logic, and Save. Unsynced
rules will continue to operate correctly on the Fidelis XPS sensor. They will use your
most recent expression and not the most recent expression in the Fidelis Policy Feed
unless synced.
• Custom rules: a custom rule has a user expression, but no Fidelis expression.
This rule is not controlled in any way by the Fidelis Policy Feed.

Use Whitelist and Malware Exception rules to modify Fidelis policies.
You may have the need to adapt Fidelis policies to your environment. The best way to
perform this task is to create rules using the Whitelist or Malware Exception action and add
these rules to the Fidelis policy. Refer to Whitelist and Malware Exception in Define Rules
for details.

Review Fidelis IP Address Location fingerprints.
Many Fidelis rules will use an IP Address list to identify unauthorized network usage. For
these rules to be effective, you must identify normal operations in your network. For
example, to identify traffic that circumvents your network proxy or mail servers, you must
identify your proxy and mail servers.
By default, the Fidelis IP Address Location fingerprints are set to 0, which means they will
never fire. To put rules into use, you must modify these fingerprints.
To identify these fingerprints, go to Policies>Locations on the CommandPost GUI. Locate
all IP Address type fingerprints that begin with the Fidelis naming convention of “F.” (note:
sorting the page by type can help).

Performance Considerations
When writing custom policy, you have many choices available for fingerprints. The details of each
are described at Content, Channel, and Location fingerprints. Most fingerprints will not impact the
performance of the Fidelis XPS sensor. Those listed below can have a significant impact and
performance must be considered when you decide to use these fingerprint types.

Binary Profile and YARA
Binary Profile and YARA fingerprints are potentially executed at every stage of the decoding tree.
When an element of the node is discovered, it is first identified as a protocol, application, or file
format. Before any processing is performed, the Fidelis XPS sensor will apply any Binary Profile or
YARA analyzer against the buffer. Following the analysis, the protocol, application, or file format is
decoded and the processing of the tree continues.
Refer to The Impact of Time on the decoding tree in the Policy Overview. Note that processing of
the tree is repeated, over time, as new packets arrive. A single session may be evaluated hundreds
of times over the course of its lifetime. Binary Profile and YARA analysis can be expensive
procedures since they operate repeatedly. Best practices for use of these fingerprints include:

• YARA fingerprints allow you to select multiple format types for processing. You should limit
the analysis to only those applicable to your use case.
• Binary Profile fingerprints allow you to select a single Decoder Type. One of the options is
Any, which will apply the binary profile to every decoder. Avoid use of Any if possible.
• Seek other options when possible. Use a channel fingerprint if the Fidelis XPS decoder will
extract the attribute data that you need to match. Use a content fingerprint, such as Keywords, if
the data you need to match is available within the content of the file.

Regular Expressions
Refer to Regular Expressions in Fidelis XPS for details on how regular expressions are used within
Fidelis XPS sensors.
Note that content fingerprints are applied to the entire sliding window buffer of 32 MB. Complex
expressions, applied to large data sets, and repeated for each session as it grows, can lead to
severe performance implications. Best practices for regular expression content fingerprints:

• Avoid using regular expressions as much as possible. Keywords, Keyword Lists, Keyword
Sequences, Identity Profile, and Partial File matching may be better alternatives.
• Never use lookahead and lookbehind pattern syntax.
• Never use conditional pattern syntax.
• Avoid character repeat sequences, such as .* or .+

Channel Attributes
Channel fingerprints can identify attributes of the network session. Channel fingerprints are not
designed to match against very long lists of attributes. For example, a channel fingerprint can be
used to identify a URL, but it is not wise to create a long list of URLs within a channel fingerprint.

• Use feeds when a long list of URLs, IP Addresses, email addresses, MD5 file hashes, or
domain names is required. Refer to Custom Feeds for details.
• When a long list of attributes is required which cannot be met by a custom feed, try to limit
the scope as much as possible.

Keyword Lists
Keywords can be used to identify content. If you need to match a long list of keywords, use the
Keyword List fingerprint type. This fingerprint is optimized to handle long lists. The Keyword
fingerprint offers more customization options, but can be a performance problem if the number of
words gets into the hundreds.

Leverage XPS Decoders and Decoding Paths
A common mistake is to write fingerprints to identify network information that Fidelis XPS sensors
automatically identify. Use of a channel fingerprint based on decoder and session attributes is
highly recommended over other methods. Examples:

• To identify a file type, use the format type parameter of a channel fingerprint. A common
mistake is to match based on file name (using an extension) or File Signature. The format
type parameter is the most efficient method to identify a file type.
• To identify a protocol or application, use the application protocol parameter of a channel
fingerprint. A common mistake is to use Protocol Signature.
• Review the list of available attributes at the Protocol Decoder and Format Decoder tables. If
you need to match an attribute that is not extracted, a binary profile or YARA fingerprint will
be needed. Please notify Fidelis of your need so an enhancement request can be
considered for product improvement. Such an enhancement will result in more efficient rule
processing when made available.
• Review the release notes of each Fidelis release. Often, a release will include an
enhancement that can eliminate the need for less efficient approaches to rules.

Use Data Transfer Direction to Your Advantage
Fidelis XPS sensors operate on sessions. Within a session, the direction of the data transfer can be
identified. The sensor will identify three IP Addresses for every session:

• The source IP Address refers to the location of the data before the transfer.
• The destination IP Address refers to the location of the data after the transfer.
• The host IP Address is an attempt to identify the IP Address of the system that is within
your enterprise. The identification of the host is highly accurate, but not guaranteed.
It is a common mistake to view the Fidelis system as a packet processing system, like a firewall or
an IPS. However, because the Fidelis XPS sensor is dealing with user sessions, more information
can be obtained. When creating policy that depends on IP Addresses, consider:

• Does the direction of the transfer matter? If not, don’t use location fingerprints.
• Are you attempting to detect only outgoing (or incoming) transfers on your sensor? If so,
consider the sensor network border to direct the sensor to ignore transfers in the opposite
direction.
Refer to chapter 13 in the User Guide.
• Are you attempting to detect only outgoing (or incoming) transfers for a specific rule? If so,
consider the use of a Location fingerprint within your rule logic. Refer to Location for details.
• If your rule logic depends on the identification of the client and server from a TCP session,
and not upon the direction of the data transfer, use Client and Server settings in your
location fingerprint. Refer to Location for details.

Alerts Per Rule Per Session
Content fingerprints are evaluated on every leaf of the decoding tree for every session. They may
lead to one alert per rule per data transfer.
Channel and location fingerprints are evaluated for each session. They may lead to one alert per
session.
When fingerprint types are combined within a rule, each is evaluated for each leaf of the decoding
tree and the result is the same as the content fingerprint with the possibility of one alert per rule per
data transfer.
To illustrate this effect, consider the examples below:

• An email with five attachments could generate six alerts against a rule with a content
fingerprint. Each attachment, plus the body of the email, will be evaluated against every
content fingerprint.
• A rule to simply alert on a protocol will generate only one alert. However, the specific
transaction that generates the alert could be any one of the many transactions in the
session. For example, consider a rule that identifies HTTP and a network user who opens a
browser and connects to a web site. The Fidelis XPS sensor would see the connection
request and the server response. The request or the response would generate the alert.
Fidelis XPS does not guarantee which transaction creates the alert in this case.
If direction matters when you are writing a rule to identify a certain protocol, use a location
fingerprint to force the alert generation based on the direction that is important for your use
case.
• A rule to alert on all traffic involving an IP Address can be accomplished by using the
address in both the source and destination areas of a location fingerprint. If direction
matters, use only the source, destination, client, or server to identify the Location as
required.

Considerations for Prevention
Fidelis XPS Mail sensors are the only store-and-forward sensors available. With Fidelis XPS Mail,
prevention and quarantine actions are guaranteed. With all other sensor types, prevention is not
guaranteed. The following considerations can be used when creating policy when prevention is
important.

Understand the Impact of Time on the decoding process.
When using NOT in your expression, pay attention to how the Fidelis sensor will evaluate
the fingerprints to determine that they did not exist in the network traffic.

• For a channel attribute, NOT cannot be determined until the attribute is extracted. If
you want to whitelist a certain URL, create two fingerprints: one that matches the URL
and another that matches HTTP. By combining these two fingerprints with AND logic, you
can still prevent over other protocols.
Example: prevent credit card transfers except those involving certain web sites.
Bad: Credit_Card_Numbers AND NOT Authorized_URLs
Good: Credit_Card_Numbers AND NOT (HTTP AND Authorized_URLs)
The Bad case could not prevent credit card numbers over email or any other protocol
that does not extract a URL attribute.
This example would also apply to rules that use Whitelist or Malware Exception actions.
Using the same example, a policy may contain a rule that simply states
Credit_Card_Numbers, and a second rule with a Whitelist Action:
Bad: Authorized_URLs
Good: HTTP AND Authorized_URLs

• For a content fingerprint, NOT will defeat prevention. For example, consider a case
where we want to prevent social security number transfers. However, you discover that
your company uses nine digit part numbers, which can be confused with social
security numbers. One method to distinguish the two is to create a content fingerprint
that identifies keywords within the file that identifies the numbers as part numbers. You
can create a rule: Social_Security_Numbers AND NOT part_number_keywords.
However, to be effective, you will need to set delayed analysis on the
part_number_keywords fingerprint, which negates prevention.
If prevention is required, you must find an alternative approach. The best method is to
place all matching logic within a single content fingerprint.

• For identity information, review the Identity Profile fingerprint. Rather than using a
second fingerprint to identify part numbers, use additional data about the social
security number itself to identify it accurately. Sensitivity, strictness, additional
patterns, thresholds, and the low pass filter are a few of the tools available to improve
matching of identity information.
• For unformatted data, such as keywords, review all aspects of the fingerprint. Scores,
negative scores, limits, and thresholds are a few of the tools available to the policy
writer to improve accuracy and maintain prevention.
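To make the timing argument in the examples above concrete (the URL whitelist in both its rule form and its Whitelist-action form, and the delayed-analysis content fingerprint), here is a small Python model of streaming rule evaluation. It is an illustrative example added to this page, not Fidelis XPS code, and the fingerprint names, sessions and decision timings in it are assumptions: each fingerprint is given the packet index at which its result could first be known, with END standing for "not until the session closes", and the rule's own decision point follows from short-circuit AND/NOT logic.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Illustrative model of streaming rule evaluation. This is NOT Fidelis XPS code and
# the timings are assumptions: each fingerprint is given the packet index at which
# the sensor could first know its result, and the rule is decided by combining
# those with short-circuit logic. END means "only known once the session closes".
END = float("inf")


@dataclass(frozen=True)
class Verdict:
    value: bool        # did the expression match?
    decided_at: float  # packet index at which that was first knowable


def NOT(v: Verdict) -> Verdict:
    # Negation is known exactly when its operand is known; it cannot be known earlier.
    return Verdict(not v.value, v.decided_at)


def AND(*vs: Verdict) -> Verdict:
    # False as soon as the first operand is known false; true only when all are known true.
    falses = [v.decided_at for v in vs if not v.value]
    if falses:
        return Verdict(False, min(falses))
    return Verdict(True, max(v.decided_at for v in vs))


def can_prevent(v: Verdict) -> bool:
    # Prevention needs a positive verdict before the session is over.
    return v.value and v.decided_at < END


# Constructed sessions: fingerprint name -> (value, decided_at). Assumptions:
# protocol is identified on packet 0; an HTTP URL attribute is extracted on
# packet 0; a protocol that never extracts a URL leaves the attribute fingerprint
# undecided until session end; the credit-card content fingerprint matches on
# packet 2; a delayed-analysis content fingerprint is decided only at session end.
Session = Dict[str, Tuple[bool, float]]
SESSIONS: Dict[str, Session] = {
    "http_authorized": {"HTTP": (True, 0), "Authorized_URLs": (True, 0), "Credit_Card_Numbers": (True, 2)},
    "http_unknown":    {"HTTP": (True, 0), "Authorized_URLs": (False, 0), "Credit_Card_Numbers": (True, 2)},
    "smtp":            {"HTTP": (False, 0), "Authorized_URLs": (False, END), "Credit_Card_Numbers": (True, 2)},
    "ssn_in_file":     {"Social_Security_Numbers": (True, 1), "part_number_keywords": (False, END)},
}


def fp(session: Session, name: str) -> Verdict:
    return Verdict(*session[name])


Rule = Callable[[Session], Verdict]


def bad_rule(s: Session) -> Verdict:
    # Credit_Card_Numbers AND NOT Authorized_URLs
    return AND(fp(s, "Credit_Card_Numbers"), NOT(fp(s, "Authorized_URLs")))


def good_rule(s: Session) -> Verdict:
    # Credit_Card_Numbers AND NOT (HTTP AND Authorized_URLs)
    return AND(fp(s, "Credit_Card_Numbers"), NOT(AND(fp(s, "HTTP"), fp(s, "Authorized_URLs"))))


def ssn_rule(s: Session) -> Verdict:
    # Social_Security_Numbers AND NOT part_number_keywords (delayed-analysis operand)
    return AND(fp(s, "Social_Security_Numbers"), NOT(fp(s, "part_number_keywords")))


def with_whitelist(rule: Rule, whitelist: Rule) -> Rule:
    # A Whitelist-action rule behaves like appending "AND NOT <whitelist>" to every rule.
    return lambda s: AND(rule(s), NOT(whitelist(s)))


def evaluate(rule: Rule, s: Session) -> dict:
    v = rule(s)
    return {"match": v.value, "decided_at": v.decided_at, "prevent": can_prevent(v)}


if __name__ == "__main__":
    for name in ("http_authorized", "http_unknown", "smtp"):
        print(name, "bad:", evaluate(bad_rule, SESSIONS[name]), "good:", evaluate(good_rule, SESSIONS[name]))
    print("ssn_in_file", evaluate(ssn_rule, SESSIONS["ssn_in_file"]))
```

Running it shows the three outcomes the text describes: both rules whitelist the authorized HTTP session and both fire early on the unknown HTTP session, but on the SMTP session only the Good rule reaches its verdict on packet 2, while the Bad rule (and a Whitelist-action rule of plain Authorized_URLs, via with_whitelist) is stuck at END. The SSN rule with a delayed-analysis operand matches but is likewise decided only at END, which is why it cannot prevent.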
Understand the impact of Whitelist and Malware Exception rules
When using a rule with Whitelist as the action, consider this the same as modifying every
rule in the policy to add “AND NOT fingerprint” to the rule expression. Using Whitelist
is much simpler than modifying and tuning every rule individually, but the impact on
prevention is the same.
Rules that use Malware Exception will omit network traffic from malware analysis. There is
a timing aspect that must be considered when deploying these rules with prevention
enabled. To be effective, the malware exception rule must use Location and Channel
fingerprints only. When using channel fingerprints, the logic should specify the protocol in
addition to protocol attributes (see the credit card examples above).
Understand the data required to match your rule
Because the Fidelis XPS sensor is not a store-and-forward device, rule analysis is
performed as data is streaming over the network. This leads to a race condition between
your rule and the network traffic. If the data necessary to match your rule requires the entire
network session, then prevention cannot be performed.

• MD5 file hash matches using Binary Profile fingerprints or MD5 feeds require that the
entire file cross the network. Prevention cannot be performed. Alternatives include
Exact Content and Partial Content fingerprints.

Fidelis XPS Guide to Creating Policies 185


• If the violating data occurs late in the network session, prevention may not be possible.
Consider a small file, where there may be only three or four packets in the transaction.
If the violation is determined on the last packet, the file cannot be prevented.
• Open source YARA rules often assume that you are analyzing a file on disk. When
bringing such a rule into Fidelis, analyze the rule content. You may need to rewrite the
rule to optimize it for network traffic when prevention is a goal.
• Refer to Performance Considerations. If the policies assigned to a sensor are
suboptimal, the sensor may fall behind and prevention capability will be reduced.
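The bullets above come down to one question per fingerprint: how much of the session must the sensor see before it can reach a verdict? The following Python model, added here as an example and not Fidelis XPS code, cuts a constructed document into fixed-size packets and compares an MD5-style match (which needs the last byte) with a content-sequence match (decided on whichever packet completes the sequence), for a document where the violating content sits in the first packet and one where it sits in the last. The packet size, sample text, card number and blocked hash are all constructed assumptions.

```python
import hashlib
from typing import List, Optional, Tuple

# Illustrative model, not Fidelis XPS code. A file is cut into fixed-size "packets"
# and two kinds of matcher report the packet index at which they can reach a verdict.
# The sample documents, card number and blocked hash are constructed for this example.
PACKET_SIZE = 64
CARD = b"4111111111111111"  # a well-known test card number, used here as the "violating" content
HEADER = b"Q1 report: part numbers 123456789 and 987654321.\n"
FILLER = b"Internal use only. Contact finance for questions.\n" * 3
EARLY_DOC = b"Card on file: " + CARD + b"\n" + HEADER + FILLER   # violation in the first packet
LATE_DOC = HEADER + FILLER + b"Card on file: " + CARD + b"\n"    # violation in the last packet
BLOCKED_MD5 = hashlib.md5(LATE_DOC).hexdigest()                  # what an MD5 feed entry would carry


def packetize(data: bytes, size: int = PACKET_SIZE) -> List[bytes]:
    return [data[i:i + size] for i in range(0, len(data), size)]


def md5_decision(packets: List[bytes], blocked: str) -> Tuple[bool, int]:
    """Binary Profile / MD5-feed style match. The digest of a partial stream says
    nothing about the whole file, so the verdict exists only on the final packet."""
    h = hashlib.md5()
    for pkt in packets:
        h.update(pkt)
    return h.hexdigest() == blocked, len(packets) - 1


def content_decision(packets: List[bytes], needle: bytes) -> Tuple[bool, Optional[int]]:
    """Exact/Partial Content style match on a byte sequence: decided on the packet
    that completes the sequence, even when it straddles a packet boundary."""
    keep = len(needle) - 1          # bytes from earlier packets that could still start a match
    window = b""
    for i, pkt in enumerate(packets):
        window += pkt
        if needle in window:
            return True, i
        window = window[-keep:] if keep else b""
    return False, None


def preventable(decided_at: Optional[int], n_packets: int) -> bool:
    # A verdict reached on the final packet arrives too late: that packet is already on the wire.
    return decided_at is not None and decided_at < n_packets - 1


def compare(doc: bytes) -> dict:
    packets = packetize(doc)
    results = {}
    for label, (matched, at) in (
        ("md5", md5_decision(packets, BLOCKED_MD5)),
        ("content", content_decision(packets, CARD)),
    ):
        results[label] = {"match": matched, "decided_at": at, "prevent": matched and preventable(at, len(packets))}
    return results


if __name__ == "__main__":
    print("early:", compare(EARLY_DOC))
    print("late: ", compare(LATE_DOC))
```

Both sample documents are 230 bytes, so four packets: the content match on EARLY_DOC is decided on packet 0 and is preventable, the same match on LATE_DOC is decided on packet 3 (the last) and is not, and the MD5 match can only ever be decided on the last packet regardless of where the content sits. The same question applies to an imported YARA rule: if its conditions (file size, a string near the end of the file) can only be satisfied on the last packet, the rule will alert but not prevent.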

Considerations for Collector Analytics


Refer to Collector Analytics. If cross-session analysis is important in your environment, you should:
• Install and configure a Fidelis XPS Collector, if you have not done so.
• Create frequency and sequence analytics as necessary.
• Use rule names as tags on the metadata to match against content. The Fidelis XPS
sensor can perform the analysis and will tag the metadata when an alert is created.
Refer to Combining Policies with Metadata and to chapter 7 in the User Guide.
• Create rules with the tag metadata action to tag the data without generating an alert
from the sensor.
The Collector Feed is a form of automated collector analytics. As new intelligence is gathered by
Fidelis, it will be added to the feed, which will generate an alert if matching data is found in your
Collector data.
Note: If an alert was already generated on a session where the matching data is found, a
second alert will not be generated.


Appendix B: Air Gap License
If your enterprise intends to use intelligence provided by General Dynamics Fidelis Cybersecurity
Solutions, you must either provide internet connectivity for CommandPost or obtain an air gap
license. To obtain an air gap license, contact Technical Support.
With an air gap license, you may access the intelligence behind the Fidelis Policy Feed, Fidelis
Feeds, and the Malware Detection Engine. These components require frequent updates to work
properly. With an air gap license, you can manually download the necessary information and install
it within a single CommandPost. To efficiently update your entire enterprise, you may create a
hierarchy of CommandPosts so that the manual install is limited to only a single device, the Master
CommandPost.
Once installed on the Master CommandPost, the data will propagate to all registered Subordinate
CommandPosts and to all sensors and Collectors registered to the Master or to any Subordinate
CommandPost.

Configuration Required for Air Gap Customers


The steps listed below will enable all components within your environment to function properly for
air gap operations. If you add new Subordinate CommandPosts at a future date, you will need to
revisit these steps, clicking the appropriate Save buttons to update the new CommandPosts.

1. Obtain and install a proper license at all CommandPosts within the enterprise. All Master
and Subordinate CommandPosts require a proper license to operate air gap functionality.

2. Ensure that all Master and Subordinate CommandPosts are at the same version of Fidelis
XPS to operate correctly.
3. Log into your Fidelis portal account and access the download center at:
[Link].
Download and follow the instructions in the [Link] file.

4. If you plan to use Fidelis Policies, access Policies>Insight>Policy Feed at the Master
CommandPost. You will see a single checkbox named Enable Fidelis Policies. Make the
selection and click Save. This action will also enable the Fidelis Feed at
Policies>Insight>Fidelis Feed. Fidelis policies will not operate correctly without enabling this
selection.
By enabling Fidelis Policies at the Master CommandPost, policies and Fidelis Feeds will
also be enabled at each Subordinate CommandPost. It is crucial that all CommandPosts
enable policies and feeds if you plan to use Fidelis policies.

5. If you plan to use the Malware Detection Engine, access System>Malware>Malware
Detection Engine at the Master and at each Subordinate CommandPost. Select Enable and
click Save. This setting will be saved to all Subordinate CommandPosts.
Execution Forensics will not operate for air gap licenses unless there is a local execution
forensics device. To inquire about a local device, contact Technical Support.

6. If you plan to use the Collector Feed, access Policies>Insight>Collector Feed. The enable
option will only be available if you have enabled either Fidelis Policies in step 4 or the
Malware Detection Engine in Step 5. Select Enable and click Save. The Collector Feed will
be available to any Fidelis XPS Collector available at the Master or any Subordinate
CommandPost.
Note: If you log into any Subordinate CommandPost with an air gap license, you will
not be able to change any of the settings above (except for the Malware Detection
Engine). This ensures that data flows from a single source, the Master CommandPost.


Daily Requirements for Air Gap Operations
Once properly configured, the threat intelligence from Fidelis must be updated daily for optimal use.
Each day follow this procedure:

1. From a workstation with internet access, log into your Fidelis portal account and access
the download center at: [Link].
2. Download the .tar files for the MDE database, the Fidelis Reputations Feed, and for policies
and policy components (policies, rules, fingerprints, and macros).

3. Follow the recommended procedure in the [Link] file to manually transfer the
downloaded data to the Master CommandPost.
4. On the Master CommandPost, visit Policies>Import and import the latest policy pack. If
there are new policies, you will need to access Policies>Assignments to assign policies to
sensors.
After downloading new policies, access Policies>Assignments and click Update All to
update all sensors registered to the Master CommandPost and all Subordinate
CommandPosts. Alternatively, access each sensor individually and update as required.
