Cisco FirePOWER Appliance 7115
Sourcefire 3D System User Guide, Version 5.3, page 838
Chapter 23: Using Application Layer Preprocessors
Decoding DCE/RPC Traffic
If no preprocessor rule is mentioned, the option is not associated with a 
preprocessor rule.
Maximum Fragment Size
When Enable Defragmentation is selected, specifies the maximum DCE/RPC 
fragment length allowed from 1514 to 65535 bytes. The preprocessor 
truncates larger fragments for processing purposes to the specified size 
before defragmenting but does not alter the actual packet. A blank field 
disables this option.
Reassembly Threshold
When Enable Defragmentation is selected, specifies the minimum number of 
fragmented DCE/RPC bytes and, if applicable, segmented SMB bytes to queue 
before sending a reassembled packet to the rules engine. A value of 0 disables 
this option; a value from 1 to 65535 sets the threshold in bytes. A low value 
increases the likelihood of early detection but could have a negative impact on 
performance. You should test for performance impact if you enable this option.
Enable Defragmentation
Specifies whether to defragment fragmented DCE/RPC traffic. When 
disabled, the preprocessor still detects anomalies and sends DCE/RPC data 
to the rules engine, but at the risk of missing exploits in fragmented DCE/RPC 
data.
Although this option provides the flexibility of not defragmenting DCE/RPC 
traffic, most DCE/RPC exploits attempt to take advantage of fragmentation to 
hide the exploit. Disabling this option would bypass most known exploits, 
resulting in a large number of false negatives.
Memory Cap Reached
Detects when the maximum memory limit allocated to the preprocessor is 
reached or exceeded. When the maximum memory cap is reached or 
exceeded, the preprocessor frees all pending data associated with the 
session that caused the memory cap event and ignores the rest of that 
session.
You can enable rule 133:1 to generate events for this option. See on page 770 
for more information.
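The four options above (Maximum Fragment Size, Reassembly Threshold, Enable Defragmentation and Memory Cap Reached) interact, and the text explains their effect only in words. The following is an added toy model written for this page; it is not Sourcefire or Cisco code and does not reproduce the real preprocessor's internals. Only the DCE/RPC connection-oriented PDU header layout and the PFC_FIRST_FRAG/PFC_LAST_FRAG flag values come from the DCE/RPC specification; the `SIGNATURE` string, the content rule, the sample fragments, the `DcerpcPreprocessor` class and its method names are all constructed for illustration. It shows why a content rule misses a pattern split across fragments when defragmentation is off, how a reassembly threshold lets the rule fire before the last fragment arrives, how a maximum fragment size truncates data for inspection only, and how hitting the memory cap discards the session's pending data and records the 133:1 event.

```python
"""Constructed model of the DCE/RPC preprocessor options described on this page.
Not Sourcefire/Cisco code: the builder, rule, sample data and class are made up."""
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Connection-oriented DCE/RPC PDU constants (DCE 1.1 RPC specification).
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PTYPE_REQUEST = 0
HDR_LEN = 16   # vers, vers_minor, ptype, pfc_flags, drep[4], frag_length, auth_length, call_id
REQ_LEN = 8    # request header: alloc_hint, p_cont_id, opnum

# Constructed marker that a content rule looks for in the request stub data.
SIGNATURE = b"CONSTRUCTED-BAD-STUB"


def build_request(call_id: int, opnum: int, stub: bytes, first: bool, last: bool) -> bytes:
    """Build one little-endian DCE/RPC request PDU carrying `stub` as fragment data."""
    flags = (PFC_FIRST_FRAG if first else 0) | (PFC_LAST_FRAG if last else 0)
    frag_len = HDR_LEN + REQ_LEN + len(stub)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, flags,
                      b"\x10\x00\x00\x00", frag_len, 0, call_id)
    return hdr + struct.pack("<IHH", len(stub), 0, opnum) + stub


def parse_request(pdu: bytes):
    """Return (pfc_flags, call_id, frag_length, stub) for a v5 request PDU."""
    vers, _minor, ptype, flags, _drep, frag_len, _auth, call_id = \
        struct.unpack("<BBBB4sHHI", pdu[:HDR_LEN])
    if vers != 5 or ptype != PTYPE_REQUEST or frag_len > len(pdu):
        raise ValueError("not a well-formed v5 request PDU")
    return flags, call_id, frag_len, pdu[HDR_LEN + REQ_LEN:frag_len]


def content_rule(data: bytes) -> bool:
    """Stand-in for a rules-engine content match on reassembled stub data."""
    return SIGNATURE in data


@dataclass
class DcerpcPreprocessor:
    enable_defragmentation: bool = True
    max_fragment_size: Optional[int] = None  # None models a blank field (option off)
    reassembly_threshold: int = 0            # 0 disables early delivery
    memory_cap: int = 1 << 16                # bytes of pending data across all calls
    pending: Dict[int, bytearray] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)

    def __post_init__(self):
        # Mirror the ranges documented on this page.
        if self.max_fragment_size is not None and not 1514 <= self.max_fragment_size <= 65535:
            raise ValueError("Maximum Fragment Size must be 1514..65535 or blank")
        if not 0 <= self.reassembly_threshold <= 65535:
            raise ValueError("Reassembly Threshold must be 0..65535")

    def feed(self, pdu: bytes, rule: Callable[[bytes], bool]) -> bool:
        """Process one PDU; return True if the rule fired on data sent to the engine."""
        flags, call_id, frag_len, stub = parse_request(pdu)
        if self.max_fragment_size is not None and frag_len > self.max_fragment_size:
            # Truncate for processing only; the packet itself is left untouched.
            stub = stub[: max(0, self.max_fragment_size - HDR_LEN - REQ_LEN)]
        if not self.enable_defragmentation:
            return rule(stub)  # each fragment is inspected on its own
        buf = self.pending.setdefault(call_id, bytearray())
        buf += stub
        if sum(len(b) for b in self.pending.values()) > self.memory_cap:
            # Memory Cap Reached: drop this call's pending data and record 133:1.
            self.events.append("133:1 memory cap reached")
            del self.pending[call_id]
            return False
        if flags & PFC_LAST_FRAG:
            return rule(bytes(self.pending.pop(call_id)))
        if self.reassembly_threshold and len(buf) >= self.reassembly_threshold:
            return rule(bytes(buf))  # early delivery of what is queued so far
        return False


def inspect_stream(fragments: List[bytes], pp: DcerpcPreprocessor,
                   rule: Callable[[bytes], bool] = content_rule) -> int:
    """Feed all fragments; return the 1-based index of the first one that fired, or 0."""
    for i, pdu in enumerate(fragments, 1):
        if pp.feed(pdu, rule):
            return i
    return 0


def sample_fragments() -> List[bytes]:
    """Constructed: a 36-byte stub split into three 12-byte fragments so that the
    marker spans fragments 1 and 2 and no single fragment contains it."""
    stub = b"A" * 4 + SIGNATURE + b"B" * 12
    parts = [stub[:12], stub[12:24], stub[24:]]
    return [build_request(7, 3, p, first=(i == 0), last=(i == len(parts) - 1))
            for i, p in enumerate(parts)]


def oversized_fragment() -> List[bytes]:
    """Constructed: one 1644-byte PDU with the marker at the very end of the stub."""
    return [build_request(8, 3, b"A" * 1600 + SIGNATURE, first=True, last=True)]


if __name__ == "__main__":
    frags = sample_fragments()
    print("defrag off :", inspect_stream(frags, DcerpcPreprocessor(enable_defragmentation=False)))
    print("defrag on  :", inspect_stream(frags, DcerpcPreprocessor()))
    print("threshold24:", inspect_stream(frags, DcerpcPreprocessor(reassembly_threshold=24)))
    print("maxfrag1514:", inspect_stream(oversized_fragment(), DcerpcPreprocessor(max_fragment_size=1514)))
```

With defragmentation off the rule never fires, because each fragment is inspected alone; with it on, the rule fires on the last fragment, and a reassembly threshold of 24 bytes moves detection forward to the second fragment. The oversized case shows the caveat in the Maximum Fragment Size text: data beyond the configured size is cut off for inspection, so a marker at the tail of a 1644-byte fragment is missed under a 1514-byte limit even though the packet itself is unchanged.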
Auto-Detect Policy on SMB Session
Detects the Windows or Samba version that is identified in SMB Session 
Setup AndX requests and responses. When the detected version is different 
from the Windows or Samba version configured for the Policy configuration 
option, the detected version overrides the configured version for that session