FireSIGHT System User Guide
Chapter 22  Using Advanced Settings in an Intrusion Policy
Understanding Preprocessors
Events or, optionally, to Drop and Generate events in an inline deployment, if you want the preprocessor or packet decoder to log intrusion events. Note that a status message appears at the bottom of the Policy Information page when you enable preprocessor rules and your policy contains unsaved changes. See  for more information.
In addition to preprocessors, the system also provides advanced settings for detecting anomalous traffic, enhancing detection, applying a global rule threshold, tuning performance, and configuring external SNMP and syslog alerting.
See the following sections for more information:
  •  describes both normal traffic and the inspection challenges experienced at the network layer, transport layer, and application layer.
  •  explains the order of execution in FireSIGHT System preprocessors.
  •  describes preprocessor events and the information they contain.
Meeting Traffic Challenges with Preprocessors
License: Protection
The system is responsible for inspecting the traffic that traverses the segment of your network that you want to monitor. Although this seems straightforward, variations in the way data is represented and the characteristics inherent in the way data is transmitted can make the inspection of any traffic more complex. The FireSIGHT System mitigates the challenges inherent in normal traffic, as well as those inherent in packets designed to cause damage or to evade inspection.
Each layer of TCP/IP provides challenges:
  • Network and Link Layers
Normal traffic at the network layer can be fragmented. That is, IP datagrams can exceed the maximum transmission unit and must be transported in smaller fragments. IP datagrams that are fragmented must be reconstructed before meaningful attack analysis can occur. Attackers can also use malicious IP fragmentation, including overlapping fragments, multiple zero-offset fragments (the Jolt2 denial of service, or DoS, attack), and fragmented protocol headers, all of which mask traffic you might not normally allow on your network. Additionally, the network layer can be attacked by crafting packets with invalid, zero-length IP options, used to cause DoS attacks.
  • Transport Layer
The transport layer is subject to TCP stream-based attacks, such as sending TCP packets with overlapping sequence numbers to force the system to determine which sequence number is valid. The transport layer can be open to TCP header option attacks such as spoofing a TCP packet and changing header values to choke the TCP connection and propagate further attacks. Additionally, TCP is subject to state-related attacks such as those produced by stick or snot, which generate TCP packets that are not part of an established connection and which can trigger a large volume of rules, creating a DoS attack against both the system and the analyst. Attackers can also launch subterfuge attacks by transmitting TCP, UDP and ICMP packets with invalid checksums in an attempt to cause the system to inspect packets that the destination host never receives. Reassembling TCP sessions provides context for each packet, supporting effective analysis of traffic.
Additionally, tracking associated UDP user datagrams allows the system greater specificity in detecting attacks.
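To make the network-layer challenges above concrete, here is an added example (not code from the guide or from the FireSIGHT preprocessors) of a minimal IP fragment tracker: it reassembles a datagram only once every byte is covered, and it raises an alert for the two anomalies the text names, overlapping fragments and multiple zero-offset fragments. The flow key, the fragment and datagram classes, and the "first-received bytes win" overlap policy are assumptions of this example; real hosts differ in which overlap they honour, which is exactly why the reassembly policy must match the protected host.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Fragment:
    offset: int   # byte offset (the IP header's 13-bit field multiplied by 8)
    more: bool    # More Fragments (MF) flag; False marks the final fragment
    data: bytes

@dataclass
class Datagram:
    frags: List[Fragment] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)
    total_len: Optional[int] = None   # known once the final fragment arrives

class FragTracker:
    def __init__(self) -> None:
        # hypothetical flow key: (src, dst, IP ID, protocol) -> Datagram
        self.table: Dict[tuple, Datagram] = {}

    def add(self, key: tuple, frag: Fragment) -> List[str]:
        """Record a fragment; return the alerts raised by this fragment alone."""
        dg = self.table.setdefault(key, Datagram())
        start, end = frag.offset, frag.offset + len(frag.data)
        new: List[str] = []
        # Jolt2-style stream: a second fragment claiming offset 0 for the same datagram
        if frag.offset == 0 and any(f.offset == 0 for f in dg.frags):
            new.append("multiple zero-offset fragments")
        # Overlap: the byte range intersects a fragment already queued
        if any(start < f.offset + len(f.data) and f.offset < end for f in dg.frags):
            new.append(f"overlapping fragment at offset {start}")
        if not frag.more:
            dg.total_len = end
        dg.frags.append(frag)
        dg.alerts.extend(new)
        return new

    def reassemble(self, key: tuple) -> Optional[bytes]:
        """Return the full payload once every byte is covered, else None.
        On overlap the first-received bytes win (one of several host policies)."""
        dg = self.table.get(key)
        if dg is None or dg.total_len is None:
            return None
        buf, covered = bytearray(dg.total_len), bytearray(dg.total_len)
        for f in dg.frags:
            for i, b in enumerate(f.data):
                pos = f.offset + i
                if pos < dg.total_len and not covered[pos]:
                    buf[pos], covered[pos] = b, 1
        return bytes(buf) if all(covered) else None
```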