Cisco Firepower Management Center 4000

 
22-7
FireSIGHT System User Guide
 
Chapter 22      Using Advanced Settings in an Intrusion Policy
  Understanding Preprocessors
• Application Layer
Application layer protocols such as HTTP, Telnet, FTP, SMTP, and RPC may have multiple ways of representing the same data. Rules that check for specific packet payload content can fail when the payload is represented differently in the packet than in the rule. Decoding HTTP, Telnet, FTP, SMTP, and RPC packets and then normalizing their data to a standard representation mitigates this problem.
Understanding Preprocessor Execution Order
License: Protection
Protocol decoders, preprocessors, and rules run in a fixed order: IP and transport layer protocol decoding first, then data normalization where needed, and finally evaluation of the resulting packets against the currently enabled rules. The default policy configuration sets the preprocessors to perform IP and transport layer protocol decoding first, then data normalization as needed.
This approach provides the following benefits:
• The system can generate an intrusion event against fragmented IP datagrams that cannot be defragmented, and then stop inspecting those packets.
• The system can generate an event against TCP packets whose state cannot be validated, and then stop inspecting those packets.
• The system can generate events against related UDP packets.
• Only packets that can be appropriately tested by rules are normalized, which optimizes performance by ignoring TCP packets that cannot be reassembled and are not part of a valid TCP session.
• The system can adapt IP defragmentation and stream preprocessing behavior to fit the operating system on the target host, using adaptive profiles, target-based policies, or both.
• After preprocessing, traffic can be analyzed by the rules engine in the same way that it is analyzed by the receiving host.
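The following added example (not code from the guide or from the FireSIGHT System itself) models the execution order described above and the application layer point made earlier: transport validation first, then normalization of an HTTP URI to one canonical form, then content rules evaluated on the normalized buffer. The sample packets, the rule name, and the stage functions are constructed for illustration; the normalization is a simplified stand-in for what the HTTP inspection preprocessor does.

```python
from urllib.parse import unquote

# Constructed sample traffic: one request to an admin path written four ways
# on the wire, plus one segment whose TCP state the stream preprocessor
# cannot validate.
SAMPLE_PACKETS = [
    {"id": 1, "tcp_valid": True,  "uri": "/admin/config"},
    {"id": 2, "tcp_valid": True,  "uri": "/%61dmin/config"},                      # percent-encoded
    {"id": 3, "tcp_valid": True,  "uri": "/static//../%61dmin/%63onfig"},         # traversal + encoding
    {"id": 4, "tcp_valid": True,  "uri": "/static/%252e%252e/%2561dmin/config"},  # double-encoded
    {"id": 5, "tcp_valid": False, "uri": "/admin/config"},                        # unvalidated TCP state
]

# Hypothetical rule set: Snort-style 'content' matches, written against the
# canonical (normalized) URI, as the guide says rules should be.
RULES = {"ADMIN-PATH-ACCESS": "/admin/config"}

def normalize_uri(uri, max_decode_rounds=2):
    """Stage 2: percent-decode in bounded rounds (so double encoding is
    resolved but decoding always terminates), then resolve '.', '..' and
    empty path segments into a single canonical representation."""
    for _ in range(max_decode_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    segments = []
    for seg in uri.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def inspect(packet):
    """Run one packet through the documented order and return the events raised."""
    # Stage 1: transport-layer decoding. A TCP state that cannot be validated
    # raises a preprocessor event and inspection stops; rules never see it.
    if not packet["tcp_valid"]:
        return ["STREAM-INVALID-TCP-STATE"]
    # Stage 2: application-layer normalization to the canonical form.
    normalized = normalize_uri(packet["uri"])
    # Stage 3: rules evaluate the normalized buffer, not the raw wire bytes.
    return [name for name, content in RULES.items() if content in normalized]

def raw_rule_hits(packet):
    """For comparison: the same rules run on the raw URI, i.e. without stage 2."""
    return [name for name, content in RULES.items() if content in packet["uri"]]
```

Only the first sample packet matches without normalization; after normalization all four valid representations raise the same rule, and the fifth packet produces a preprocessor event and is never passed to the rules.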