Cisco Firepower Management Center 4000
22-8
FireSIGHT System User Guide
Chapter 22 Using Advanced Settings in an Intrusion Policy
Understanding Preprocessors
Caution
Preprocessors are executed based on your configuration. If you change the default configuration, the
system will not execute the preprocessors you disabled. If, for example, you disable transport layer
protocol preprocessors, the system runs content rules against packets that those preprocessors, had they
inspected them, might have logged and removed from inspection. Note that this does not change the order
of execution.
Reading Preprocessor Events
License: Protection
Preprocessors provide two functions: performing the specified action on the packet (for example,
decoding and normalizing HTTP traffic) and reporting the execution of specified preprocessor options
by generating an event whenever a packet triggers that preprocessor option and the associated
preprocessor rule is enabled (for example, you can enable the Double Encoding HTTP Inspect option
and the associated preprocessor rule with the HTTP Inspect generator ID (GID) 119 and the Snort ID (SID)
2 to generate an event when the preprocessor encounters IIS double-encoded traffic). Generating events
to report the execution of preprocessors helps you detect anomalous protocol exploits. For example,
attackers can craft overlapping IP fragments to cause a DoS attack on a host. The IP defragmentation
preprocessor can detect this type of attack and generate an intrusion event for it.
See the following sections for more information:
• Understanding the Preprocessor Event Packet Display describes the information contained in a
preprocessor-generated event.
• Reading Preprocessor Generator IDs details the information provided by the preprocessor
generator ID.
Understanding the Preprocessor Event Packet Display
License: Protection
Preprocessor events differ from rule events in that the packet display does not include a detailed rule
description for the event. Instead, the packet display shows the event message, the generator ID, Snort
ID, the packet header data, and the packet payload. This allows you to analyze the packet’s header
information, determine if its header options are being used and if they can exploit your system, and
inspect the packet payload. After the preprocessors analyze each packet, the rules engine executes
appropriate rules against it (if the preprocessor was able to defragment it and establish it as part of a valid
session) to further analyze potential content-level threats and report on them.
Reading Preprocessor Generator IDs
License: Protection
Each preprocessor has its own Generator ID number, or GID, that indicates which preprocessor was
triggered by the packet. Some of the preprocessors also have related SIDs, which are ID numbers that
classify potential attacks. This helps you analyze events more effectively by categorizing the type of
event, much the way a rule’s Snort ID (SID) can offer context for packets triggering rules. You can list
preprocessor rules by preprocessor in the Preprocessors filter group on the intrusion policy Rules page;
you can also list preprocessor rules in the preprocessor and packet decoder sub-groupings in the
Category filter group. See the table for more information.
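As an added example (not code from the FireSIGHT guide or from Cisco), the following Python script reads Snort-style fast alert lines, separates rule events (GID 1 or 3) from preprocessor events (any other GID, such as HTTP Inspect's GID 119 discussed above) and counts them per generator and GID:SID pair. The sample alert lines are constructed; GID 119 for HTTP Inspect comes from the page, GIDs 1, 3 and 123 are standard Snort 2 assignments, and the frag3 SID and message text in the samples are placeholders, not real rule identifiers.

```python
import re
from collections import Counter

# Generator IDs: 119 (HTTP Inspect) is on the page; 1 (text rules), 3 (shared-object
# rules) and 123 (frag3, IP defragmentation) are standard Snort 2 assignments.
GID_NAMES = {
    1: "rules engine (text rule)",
    3: "rules engine (shared-object rule)",
    119: "HTTP Inspect preprocessor",
    123: "IP defragmentation (frag3) preprocessor",
}

# Snort fast alert format: ... [**] [gid:sid:rev] message [**] ...
ALERT_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")

def parse_alert(line):
    """Return (gid, sid, rev, message), or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    return gid, sid, rev, m.group(4)

def classify(gid):
    """Rule events use GID 1 or 3; every other GID identifies a preprocessor."""
    return "rule" if gid in (1, 3) else "preprocessor"

def summarize(lines):
    """Count alerts per (kind, generator name, gid:sid); unknown GIDs are flagged."""
    counts = Counter()
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue  # skip non-alert lines instead of failing the whole run
        gid, sid, _rev, _msg = parsed
        name = GID_NAMES.get(gid, f"unknown GID {gid}")
        counts[(classify(gid), name, f"{gid}:{sid}")] += 1
    return counts

# Constructed sample alerts (not captured from a real sensor); SID 8 for frag3 is a placeholder.
SAMPLE_ALERTS = [
    "01/15-10:02:11.123456  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.0.0.5:40211 -> 10.0.0.9:80",
    "01/15-10:02:12.000001  [**] [123:8:1] (spp_frag3) Fragment overlap [**] [Priority: 3] {IP} 10.0.0.5 -> 10.0.0.9",
    "01/15-10:02:13.555555  [**] [1:1000001:2] LOCAL test content rule [**] [Priority: 2] {TCP} 10.0.0.5:40212 -> 10.0.0.9:80",
    "01/15-10:02:14.000000  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.0.0.6:40300 -> 10.0.0.9:80",
    "this line is not an alert",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_ALERTS).items()):
        print(n, key)
```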