Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 26      Using Transport & Network Layer Preprocessors
  Normalizing Inline Traffic
  • enabling the Normalize TCP Excess Payload option removes data in SYN and RST packets, and trims the Data field to the size specified in the Window field, or to the Maximum Segment Size (MSS) if the payload is longer than the MSS
  • enabling the Explicit Congestion Notification option clears ECN flags on a per-packet basis regardless of negotiation, or on a per-stream basis if ECN usage was not negotiated
See  for more information.
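As an added example (not from the FireSIGHT guide or Cisco's code), the following Python models the two TCP normalizations just described, the excess-payload trimming and the per-packet versus per-stream ECN clearing, and runs them over constructed segments. The Segment fields, the peer_window and mss parameters, the "packet"/"stream" mode names and the way a stream's ECN negotiation is recognised (the RFC 3168 handshake: SYN with ECE+CWR answered by a SYN/ACK with ECE) are assumptions made for the model, not names or behaviour taken from the product.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """Constructed TCP segment carrying only the fields the two normalizations read."""
    syn: bool = False
    ack: bool = False
    rst: bool = False
    ece: bool = False       # TCP ECN-Echo flag
    cwr: bool = False       # TCP Congestion Window Reduced flag
    ip_ecn: int = 0         # two-bit ECN field of the IP header (0 = Not-ECT)
    payload: bytes = b""


def trim_excess_payload(seg: Segment, peer_window: int, mss: int) -> Segment:
    """Normalize TCP Excess Payload: SYN and RST segments lose their data; other
    segments are cut back to the peer's advertised window, or to the MSS when the
    payload is longer than the MSS (so the effective bound is the smaller of the two)."""
    if seg.syn or seg.rst:
        seg.payload = b""
        return seg
    limit = min(peer_window, mss)
    if len(seg.payload) > limit:
        seg.payload = seg.payload[:limit]
    return seg


@dataclass
class EcnStream:
    """Per-stream record of whether ECN was negotiated. Negotiation is judged the
    RFC 3168 way (assumption): SYN with ECE+CWR, answered by a SYN/ACK with ECE."""
    client_requested: bool = False
    negotiated: bool = False

    def observe(self, seg: Segment) -> None:
        if seg.syn and not seg.ack:
            self.client_requested = seg.ece and seg.cwr
        elif seg.syn and seg.ack:
            self.negotiated = self.client_requested and seg.ece


def clear_ecn(seg: Segment, mode: str, stream: EcnStream) -> Segment:
    """Explicit Congestion Notification normalization.
    mode == "packet": clear ECN on every packet, regardless of negotiation.
    mode == "stream": clear ECN only on streams where it was not negotiated; the
    handshake segments themselves are left alone so the negotiation can be seen
    (assumption about how the per-stream mode is evaluated)."""
    if mode not in ("packet", "stream"):
        raise ValueError("mode must be 'packet' or 'stream'")
    if seg.syn:
        stream.observe(seg)
        if mode == "stream":
            return seg
    if mode == "packet" or not stream.negotiated:
        seg.ece = seg.cwr = False
        seg.ip_ecn = 0
    return seg


def demo() -> dict:
    """Run both normalizations over constructed segments and return what came out."""
    out = {}
    # Data on SYN or RST is removed outright.
    out["syn_len"] = len(trim_excess_payload(Segment(syn=True, payload=b"A" * 10), 65535, 1460).payload)
    out["rst_len"] = len(trim_excess_payload(Segment(rst=True, payload=b"A" * 10), 65535, 1460).payload)
    # 2000 bytes with a wide-open window: trimmed to the 1460-byte MSS.
    out["mss_trim"] = len(trim_excess_payload(Segment(payload=b"A" * 2000), 65535, 1460).payload)
    # 1000 bytes against a 512-byte advertised window: trimmed to the window.
    out["win_trim"] = len(trim_excess_payload(Segment(payload=b"A" * 1000), 512, 1460).payload)

    def ecn_bits(s: Segment):
        return (s.ece, s.cwr, s.ip_ecn)

    # Per-packet mode strips ECN even on a stream that negotiated it.
    s = EcnStream()
    for seg in (Segment(syn=True, ece=True, cwr=True), Segment(syn=True, ack=True, ece=True)):
        clear_ecn(seg, "packet", s)
    out["packet_mode"] = ecn_bits(clear_ecn(Segment(ack=True, ece=True, ip_ecn=2), "packet", s))
    # Per-stream mode keeps ECN when the handshake negotiated it...
    s = EcnStream()
    for seg in (Segment(syn=True, ece=True, cwr=True), Segment(syn=True, ack=True, ece=True)):
        clear_ecn(seg, "stream", s)
    out["stream_negotiated"] = ecn_bits(clear_ecn(Segment(ack=True, ece=True, ip_ecn=2), "stream", s))
    # ...and strips it when the handshake carried no ECN negotiation.
    s = EcnStream()
    for seg in (Segment(syn=True), Segment(syn=True, ack=True)):
        clear_ecn(seg, "stream", s)
    out["stream_unnegotiated"] = ecn_bits(clear_ecn(Segment(ack=True, ece=True, ip_ecn=2), "stream", s))
    return out
```

The practical point the model makes visible: per-packet ECN clearing silently breaks ECN for every connection through the sensor, whereas per-stream clearing only strips bits that were never legitimately negotiated, so the per-stream setting is the one to reach for unless the deployment has a reason to forbid ECN entirely.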
Configuring Inline Normalization
License: Protection
You can configure the inline normalization preprocessor to normalize IPv4, IPv6, ICMPv4, ICMPv6, and TCP traffic in any combination. In addition to the base normalizations provided when you enable normalization of each traffic type, specific optional normalizations are available for all protocols except ICMP; this includes using the Reset TTL option to enable TTL normalization when IPv4 normalization is enabled and IPv6 Hop Limit normalization when IPv6 normalization is enabled.
In addition to enabling and configuring the inline normalization preprocessor, you must also ensure the following, or the preprocessor will not normalize traffic:
  • your policy must be set to drop traffic in inline deployments; see 
  • you must apply your policy to an inline set; see 
You must also ensure that the TCP stream preprocessor is enabled when you enable TCP normalization; see .
Minimum TTL
When Reset TTL is set to a value greater than or equal to the value (1 to 255) set for this option, Minimum TTL specifies the following:
  – the minimum value the system will permit in the IPv4 Time to Live (TTL) field when Normalize IPv4 is enabled; a lower value results in normalizing the packet's TTL to the value set for Reset TTL
  – the minimum value the system will permit in the IPv6 Hop Limit field when Normalize IPv6 is enabled; a lower value results in normalizing the packet's Hop Limit to the value set for Reset TTL
The system assumes a value of 1 when the field is empty.
Note that you can enable the following rules in the decoder rule category to generate events for this option:
  – You can enable rule 116:428 to generate an event when the system detects an IPv4 packet with a TTL less than the specified minimum.
  – You can enable rule 116:270 to generate an event when the system detects an IPv6 packet with a Hop Limit less than the specified minimum.
See the packet decoder Detect Protocol Header Anomalies option in  for more information.
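As an added example (not from the FireSIGHT guide or Cisco's code), the following Python models how the Minimum TTL and Reset TTL options described in this section interact: the 1 to 255 range, the Reset TTL >= Minimum TTL constraint, the empty-field default of 1, the rewrite of a low TTL or Hop Limit to the Reset TTL value, and the two decoder rules 116:428 and 116:270. The TtlOptions and normalize_hop_count names, the behaviour when Reset TTL is left empty (detection only, no rewrite) and the behaviour when normalization of an IP version is disabled (option not evaluated) are modelling assumptions, not statements from the guide.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Decoder rules quoted on the page (GID:SID) for packets below the configured minimum.
RULE_IPV4_TTL_BELOW_MIN = "116:428"
RULE_IPV6_HOP_LIMIT_BELOW_MIN = "116:270"


@dataclass
class TtlOptions:
    """The option fields as the page describes them. None models an empty field."""
    normalize_ipv4: bool = True
    normalize_ipv6: bool = True
    minimum_ttl: Optional[int] = None       # empty: the system assumes 1
    reset_ttl: Optional[int] = None         # empty: no rewrite, only detection (assumption)
    decoder_rules_enabled: bool = False     # whether 116:428 and 116:270 are enabled

    def effective_minimum(self) -> int:
        return 1 if self.minimum_ttl is None else self.minimum_ttl

    def validate(self) -> None:
        """Enforce the constraints stated on the page: both values 1 to 255 and
        Reset TTL greater than or equal to Minimum TTL."""
        low = self.effective_minimum()
        if not 1 <= low <= 255:
            raise ValueError("Minimum TTL must be 1 to 255")
        if self.reset_ttl is not None:
            if not 1 <= self.reset_ttl <= 255:
                raise ValueError("Reset TTL must be 1 to 255")
            if self.reset_ttl < low:
                raise ValueError("Reset TTL must be greater than or equal to Minimum TTL")


def normalize_hop_count(opts: TtlOptions, ip_version: int, value: int) -> Tuple[int, List[str]]:
    """Return the TTL/Hop Limit the packet leaves with and any decoder events raised.
    The same logic serves IPv4 (TTL) and IPv6 (Hop Limit); only the enable flag and
    the rule identifier differ."""
    opts.validate()
    if ip_version == 4:
        enabled, rule = opts.normalize_ipv4, RULE_IPV4_TTL_BELOW_MIN
    elif ip_version == 6:
        enabled, rule = opts.normalize_ipv6, RULE_IPV6_HOP_LIMIT_BELOW_MIN
    else:
        raise ValueError("ip_version must be 4 or 6")
    events: List[str] = []
    # Modelling assumption: with normalization of that IP version disabled the
    # option is not evaluated at all, so neither an event nor a rewrite happens.
    if not enabled or value >= opts.effective_minimum():
        return value, events
    if opts.decoder_rules_enabled:
        events.append(rule)
    if opts.reset_ttl is not None:
        value = opts.reset_ttl      # below the minimum: rewrite to Reset TTL
    return value, events


def demo() -> dict:
    """Apply the options to a constructed batch of packets and collect the results."""
    out = {}
    opts = TtlOptions(minimum_ttl=5, reset_ttl=64, decoder_rules_enabled=True)
    out["v4_low"] = normalize_hop_count(opts, 4, 3)        # rewritten, event raised
    out["v6_low"] = normalize_hop_count(opts, 6, 2)        # rewritten, event raised
    out["v4_ok"] = normalize_hop_count(opts, 4, 100)       # untouched
    out["v4_at_min"] = normalize_hop_count(opts, 4, 5)     # equal to the minimum is allowed
    # Empty Minimum TTL field: the system assumes 1, so only TTL 0 is rewritten.
    empty_min = TtlOptions(reset_ttl=64)
    out["empty_min_ttl1"] = normalize_hop_count(empty_min, 4, 1)
    out["empty_min_ttl0"] = normalize_hop_count(empty_min, 4, 0)
    # Rules enabled but Reset TTL empty: the event fires, the packet is not rewritten.
    detect_only = TtlOptions(minimum_ttl=5, decoder_rules_enabled=True)
    out["detect_only"] = normalize_hop_count(detect_only, 4, 3)
    # IPv6 normalization disabled: Hop Limit is left alone.
    no_v6 = TtlOptions(normalize_ipv6=False, minimum_ttl=5, reset_ttl=64, decoder_rules_enabled=True)
    out["v6_disabled"] = normalize_hop_count(no_v6, 6, 2)
    # Reset TTL below Minimum TTL is rejected by validation.
    try:
        normalize_hop_count(TtlOptions(minimum_ttl=10, reset_ttl=5), 4, 3)
        out["bad_config_rejected"] = False
    except ValueError:
        out["bad_config_rejected"] = True
    return out
```

The security motivation for raising Minimum TTL above 1 is the classic IDS evasion in which an attacker sends segments whose TTL expires between the sensor and the target host, so the sensor sees data the host never receives; rewriting a short TTL to Reset TTL removes that ambiguity, and the two decoder rules let you see how often it is being attempted.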
Reset TTL
When set to a value 1 to 255 that is greater than or equal to Minimum TTL, normalizes the following:
  – the IPv4 TTL field when Normalize IPv4 is enabled