Cisco Firepower Management Center 4000
26-16
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Understanding Packet Decoding
Decode GTP Data Channel
Decodes the encapsulated GTP (General Packet Radio Service [GPRS] Tunneling Protocol) data channel. By default, the decoder decodes version 0 data on port 3386 and version 1 data on port 2152. You can use the GTP_PORTS default variable to modify the ports that identify encapsulated GTP traffic. See
for more information.
You can enable rules 116:297 and 116:298 to generate events for this option.
Detect Teredo on Non-Standard Ports
Inspects Teredo tunneling of IPv6 traffic that is identified on a UDP port other than port 3544.
The system always inspects IPv6 traffic when it is present. By default, IPv6 inspection includes the 4in6, 6in4, 6to4, and 6in6 tunneling schemes, and also includes Teredo tunneling when the UDP header specifies port 3544.
In an IPv4 network, IPv4 hosts can use the Teredo protocol to tunnel IPv6 traffic through an IPv4 Network Address Translation (NAT) device. Teredo encapsulates IPv6 packets within IPv4 UDP datagrams to permit IPv6 connectivity behind an IPv4 NAT device. The system normally uses UDP port 3544 to identify Teredo traffic. However, an attacker could use a non-standard port in an attempt to avoid detection. You can enable Detect Teredo on Non-Standard Ports to cause the system to inspect all UDP payloads for Teredo tunneling.
Teredo decoding occurs only on the first UDP header, and only when IPv4 is used for the outer network layer. When a second UDP layer is present after the Teredo IPv6 layer because of UDP data encapsulated in the IPv6 data, the rules engine uses UDP intrusion rules to analyze both the inner and outer UDP layers.
Note that intrusion rules 12065, 12066, 12067, and 12068 in the policy-other rule category detect, but do not decode, Teredo traffic. Optionally, you can use these rules to drop Teredo traffic in an inline deployment; however, you should ensure that these rules are disabled or set to generate events without dropping traffic when you enable Detect Teredo on Non-Standard Ports. See
for more information.
Detect Excessive Length Value
Detects when the packet header specifies a packet length that is greater than the actual packet length.
You can enable rules 116:6, 116:47, 116:97, and 116:275 to generate events for this option.
Detect Invalid IP Options
Detects invalid IP header options to identify exploits that use invalid IP options. For example, there is a denial of service attack against a firewall which causes the system to freeze. The firewall attempts to parse invalid Timestamp and Security IP options and fails to check for a zero length, which causes an irrecoverable infinite loop. The rules engine identifies the zero-length option and provides information you can use to mitigate the attack at the firewall.
You can enable rules 116:4 and 116:5 to generate events for this option. See
for more information.
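A defensive walker for the zero-length option case described above, added here as an example; it is not code from the FireSIGHT guide or the Snort decoder, and the option fields it checks are constructed samples rather than captured traffic:

```python
EOL, NOP, TIMESTAMP, SECURITY = 0, 1, 68, 130   # IPv4 option kinds (RFC 791)

def parse_ipv4_options(options: bytes):
    """Walk an IPv4 options field and return (parsed, problems).

    parsed   -- list of (kind, data) tuples for well-formed options
    problems -- descriptions of malformed options that stopped the walk
    A parser that only does `i += options[i + 1]` never moves past a
    zero-length option; every malformed case below stops the walk instead.
    """
    parsed, problems, i = [], [], 0
    while i < len(options):
        kind = options[i]
        if kind == EOL:                        # end of option list
            parsed.append((kind, b""))
            break
        if kind == NOP:                        # single byte, no length field
            parsed.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(options):
            problems.append(f"kind {kind}: missing length byte")
            break
        length = options[i + 1]
        if length < 2:                         # the check the firewall omitted
            problems.append(f"kind {kind}: invalid length {length}")
            break
        if i + length > len(options):
            problems.append(f"kind {kind}: length {length} overruns options field")
            break
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed, problems

def ipv4_options_from_header(header: bytes) -> bytes:
    """Slice the options field out of an IPv4 header using the IHL nibble."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError(f"bad IHL {ihl} for a {len(header)}-byte header")
    return header[20:ihl]

# Constructed sample option fields (not captured traffic)
GOOD = bytes([NOP, TIMESTAMP, 8, 5, 0, 0, 0, 0, 0, EOL])   # Timestamp, length 8
ZERO_LEN = bytes([TIMESTAMP, 0, 0, 0])                     # the infinite-loop case
TRUNCATED = bytes([SECURITY, 11, 0, 0])                    # claims 11 bytes, has 4

if __name__ == "__main__":
    for name, field in (("GOOD", GOOD), ("ZERO_LEN", ZERO_LEN), ("TRUNCATED", TRUNCATED)):
        print(name, parse_ipv4_options(field))
```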
Detect Experimental TCP Options
Detects TCP headers with experimental TCP options. The following table describes these options.
TCP Option   Description
9            Partial Order Connection Permitted
10           Partial Order Service Profile