FireSIGHT System User Guide, Cisco Firepower Management Center 2000, page 26-22
Chapter 26 Using Transport & Network Layer Preprocessors
Using TCP Stream Preprocessing
Packet Type Performance Boost
Enables ignoring TCP traffic for all ports and application protocols that are not specified in enabled rules, except when a TCP rule with both the source and destination ports set to any has a flow or flowbits option. This performance improvement could result in missed attacks.
Maximum Active Responses
Specifies a maximum of 1 to 25 active responses per TCP connection. When additional traffic occurs on a connection where an active response has been initiated, and the traffic occurs more than Minimum Response Seconds after a previous active response, the system sends another active response unless the specified maximum has been reached. A setting of 0 disables active responses triggered by drop rules and disables additional active responses triggered by resp or react rules. For more information, see
Minimum Response Seconds
Until Maximum Active Responses occur, specifies waiting 1 to 300 seconds before any additional traffic on a connection where the system has initiated an active response results in a subsequent active response.
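The interaction of the two settings above (a per-connection maximum, a minimum spacing between responses, and the special meaning of 0) modelled as a small throttle. This is an added illustration, not code from the FireSIGHT product; the class and function names and the `drop`/`resp` trigger labels are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ActiveResponseThrottle:
    """Per-connection state for Maximum Active Responses and
    Minimum Response Seconds (names assumed for this example)."""
    max_active_responses: int                 # 1-25, or 0 (see should_respond)
    min_response_seconds: int                 # 1-300
    sent_at: List[float] = field(default_factory=list)

    def should_respond(self, now: float, trigger: str) -> bool:
        """trigger is 'drop' (a drop rule fired) or 'resp' (a resp/react rule)."""
        if self.max_active_responses == 0:
            # 0 disables responses from drop rules entirely, and disables only the
            # *additional* responses from resp/react rules: the rule's own first
            # response still goes out, nothing further does.
            if trigger == "resp" and not self.sent_at:
                return self._record(now)
            return False
        if not self.sent_at:
            return self._record(now)          # first response on this connection
        if len(self.sent_at) >= self.max_active_responses:
            return False                      # per-connection maximum reached
        if now - self.sent_at[-1] <= self.min_response_seconds:
            return False                      # not yet more than min seconds later
        return self._record(now)

    def _record(self, now: float) -> bool:
        self.sent_at.append(now)
        return True


def simulate(max_responses: int, min_seconds: int,
             packets: List[Tuple[float, str]]) -> List[float]:
    """packets: constructed (time, trigger) pairs on one connection; returns the
    times at which the throttle would allow an active response."""
    throttle = ActiveResponseThrottle(max_responses, min_seconds)
    return [t for t, trig in packets if throttle.should_respond(t, trig)]


if __name__ == "__main__":
    # Constructed sample: at most 3 responses, more than 5 s apart.
    pkts = [(0, "drop"), (2, "drop"), (6, "drop"), (12, "drop"), (20, "drop")]
    print(simulate(3, 5, pkts))               # responses at 0, 6 and 12 only
```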
Understanding Target-Based TCP Policies
License: Protection
Different operating systems implement TCP in different ways. For example, Windows and some other
operating systems require a TCP reset segment to have a precise TCP sequence number to reset a session,
while Linux and other operating systems permit a range of sequence numbers. In this example, the
stream preprocessor must understand exactly how the destination host will respond to the reset based on
the sequence number. The stream preprocessor stops tracking the session only when the destination host
considers the reset to be valid, so an attack cannot evade detection by sending packets after the
preprocessor stops inspecting the stream. Other variations in TCP implementations include such things
as whether an operating system employs a TCP timestamp option and, if so, how it handles the
timestamp, and whether an operating system accepts or ignores data in a SYN packet.
Different operating systems also reassemble overlapping TCP segments in different ways. Overlapping
TCP segments could reflect normal retransmissions of unacknowledged TCP traffic. They could also
represent an attempt by an attacker, aware of the operating system of one of your hosts, to evade
detection and exploit that host by sending malicious content hidden in overlapping segments. However,
you can configure the stream preprocessor to be aware of the operating systems running on your
monitored network segment so it reassembles segments the same way the target host does, allowing it to
identify the attack.
You can create one or more TCP policies to tailor TCP stream inspection and reassembly to the different
operating systems on your monitored network segment. For each policy, you identify one of thirteen
operating system policies. You bind each TCP policy to a specific IP address or address block using as
many TCP policies as you need to identify any or all of the hosts using a different operating system. The
default TCP policy applies to any hosts on the monitored network that you do not identify in any other
TCP policy, so there is no need to specify an IP address, CIDR block, or prefix length for the default
TCP policy.
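The two preceding paragraphs, overlap reassembly that depends on the target's operating system and the binding of TCP policies to address blocks with a default policy for everything else, worked through as an added example. It is not the product's code: the two reassembly behaviours, their names and the address bindings are constructed for illustration, and the guide's thirteen operating system policies are not reproduced.

```python
import ipaddress
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]        # (sequence number, payload), constructed

# Two simplified overlap behaviours: keep the bytes that arrived first, or let
# later data overwrite them. Which real OS does which is NOT asserted here.
FAVOR_ORIGINAL = "favor_original"
FAVOR_NEW = "favor_new"


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the stream the way a host following `policy` would see it."""
    stream: Dict[int, int] = {}    # absolute sequence number -> byte value
    for seq, payload in segments:
        for i, b in enumerate(payload):
            pos = seq + i
            if policy == FAVOR_ORIGINAL and pos in stream:
                continue           # first copy wins, overlapping data ignored
            stream[pos] = b        # FAVOR_NEW: overlapping data overwrites
    if not stream:
        return b""
    lo, hi = min(stream), max(stream)
    return bytes(stream.get(p, 0) for p in range(lo, hi + 1))  # gaps -> 0x00


class TcpPolicyTable:
    """Bind a policy to an address block; unmatched hosts get the default."""
    def __init__(self, default_policy: str):
        self.default_policy = default_policy
        self.bindings: List[Tuple[ipaddress.IPv4Network, str]] = []

    def bind(self, cidr: str, policy: str) -> None:
        self.bindings.append((ipaddress.ip_network(cidr), policy))

    def policy_for(self, dst_ip: str) -> str:
        ip = ipaddress.ip_address(dst_ip)
        matches = [(n.prefixlen, p) for n, p in self.bindings if ip in n]
        return max(matches)[1] if matches else self.default_policy  # longest prefix

    def reassemble_for(self, dst_ip: str, segments: List[Segment]) -> bytes:
        return reassemble(segments, self.policy_for(dst_ip))


# Constructed overlap: the second segment rewrites part of the first one's
# sequence range, so the two policies yield different streams.
SAMPLE: List[Segment] = [(1000, b"GET /index.html"), (1004, b"/status.cgi")]
```

Inspecting the same two segments with the wrong policy yields a stream the target host never processes, which is exactly the mismatch the paragraph above says a target-based policy removes.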
Note that you can also use adaptive profiles to dynamically select target-based policies for the TCP stream preprocessor using host operating system information for the target host in a packet. For more information, see .
The following table identifies the operating system policies and the host operating systems that use each.