Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 26      Using Transport & Network Layer Preprocessors
  Using TCP Stream Preprocessing
however, that reassembling additional traffic types (client, server, both) increases resource demands. For 
more information, 
See the following sections for more information:
  •
  •
Understanding Stream-Based Attacks
License: Protection
Stream reassembly allows the rules engine to identify stream-based attacks, which it may not detect 
when inspecting individual packets. You can specify which communication streams the rules engine 
reassembles based on your network needs. For example, when monitoring traffic on your web servers, 
you may only want to inspect client traffic because you are much less likely to receive malicious traffic 
from your own web server.
Selecting Stream Reassembly Options
License: Protection
In each TCP policy, you can specify a comma-separated list of ports to identify the traffic for the stream 
preprocessor to reassemble. If adaptive profiles are enabled, you can also list services that identify traffic 
to reassemble, either as an alternative to ports or in combination with ports. See 
 for information on enabling and using adaptive profiles. 
You can specify ports, services, or both. You can specify separate lists of ports for any combination of 
client ports, server ports, and both. You can also specify separate lists of services for any combination 
of client services, server services, and both. For example, assume that you wanted to reassemble the 
following:
  • SMTP (port 25) traffic from the client
  • FTP server responses (port 21)
  • telnet (port 23) traffic in both directions
You could configure the following:
  • For client ports, specify 23, 25
  • For server ports, specify 21, 23
Or, instead, you could configure the following:
  • For client ports, specify 25
  • For server ports, specify 21
  • For both ports, specify 23
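The two configurations above select the same traffic. The following Python sketch is an added example, not part of the Cisco guide: it merges the client, server, and both port lists into one per-port direction map and checks that the two configurations are equivalent. The function names and the 1-65535 range check are assumptions made for illustration.

```python
# Added example: port values come from the guide's SMTP/FTP/telnet scenario.
# Function and variable names are hypothetical, not part of any Cisco API.

def parse_ports(text):
    """Parse a comma-separated port list such as "23, 25" into a set of ints."""
    ports = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        # Assumed validation: a TCP port is a decimal number from 1 to 65535.
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"invalid TCP port: {item!r}")
        ports.add(int(item))
    return ports


def effective_reassembly(client="", server="", both=""):
    """Return {port: direction}; direction is 'client', 'server' or 'both'."""
    sides = {}
    # A port in the "both" list counts for the client side and the server side.
    for port in parse_ports(client) | parse_ports(both):
        sides.setdefault(port, set()).add("client")
    for port in parse_ports(server) | parse_ports(both):
        sides.setdefault(port, set()).add("server")
    return {
        port: "both" if len(s) == 2 else next(iter(s))
        for port, s in sorted(sides.items())
    }


# First configuration from the text: telnet listed under client and server.
config_a = effective_reassembly(client="23, 25", server="21, 23")
# Second configuration: telnet listed once, under "both".
config_b = effective_reassembly(client="25", server="21", both="23")

if __name__ == "__main__":
    for port, direction in config_a.items():
        print(f"port {port}: reassemble {direction} traffic")
    print("configurations equivalent:", config_a == config_b)
```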
Additionally, consider the following example which combines ports and services and would be valid 
when adaptive profiles are enabled:
  • For client ports, specify 23