Cisco Cisco Firepower Management Center 4000
26-18
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Understanding Packet Decoding
Detect Other TCP Options
Detects TCP headers with invalid TCP options not detected by other TCP decoding event options.
For example, this option detects TCP options with the incorrect length or with a length that places
the option data outside the TCP header.
You can enable rules 116:54, 116:55, and 116:59 to generate events for this option. See
for more information.
Detect Protocol Header Anomalies
Detects other decoding errors not detected by the more specific IP and TCP decoder options. For
example, the decoder might detect a malformed data-link protocol header.
To generate events for this option, you can enable any packet decoder rule other than rules
specifically associated with other packet decoder options. See
for more information.
Note that the following rules generate events triggered by anomalous IPv6 traffic: 116:270 through
116:274, 116:275 through 116:283, 116:291, 116:292, 116:295, 116:296, 116:406, 116:458,
116:460, 116:461.
Note also the following rules associated with the inline normalization preprocessor Minimum TTL option:
– You can enable rule 116:428 to generate an event when the system detects an IPv4 packet with a TTL less than the specified minimum.
– You can enable rule 116:270 to generate an event when the system detects an IPv6 packet with a hop limit that is less than the specified minimum.
See the inline normalization Minimum TTL option in more information.
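The two conditions named under Detect Other TCP Options above (an option with an incorrect length, and a length that places the option data outside the TCP header) can be checked with a short option walker. This is an added example, not Cisco's decoder code and not mapped to any rule ID; the names `check_tcp_options` and `build_header` and the sample headers are constructed for illustration.

```python
import struct

# Fixed total lengths (kind + length + data bytes) per RFC 9293, RFC 2018, RFC 7323.
FIXED_LEN = {2: 4, 3: 3, 4: 2, 8: 10}  # MSS, window scale, SACK-permitted, timestamps


def check_tcp_options(segment: bytes) -> list[str]:
    """Return a list of option anomalies found in a raw TCP header."""
    if len(segment) < 20:
        return ["header shorter than 20 bytes"]
    hdr_len = (segment[12] >> 4) * 4          # data offset field, in bytes
    if hdr_len < 20 or hdr_len > len(segment):
        return [f"invalid data offset ({hdr_len} bytes)"]
    findings = []
    opts, i = segment[20:hdr_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # End of Option List
            break
        if kind == 1:                          # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            findings.append(f"kind {kind}: length byte missing")
            break
        length = opts[i + 1]
        if length < 2:                         # length counts kind and length bytes
            findings.append(f"kind {kind}: length {length} is below the 2-byte minimum")
            break                              # cannot resynchronise safely
        if i + length > len(opts):
            findings.append(f"kind {kind}: length {length} runs past the TCP header")
            break
        if kind in FIXED_LEN and length != FIXED_LEN[kind]:
            findings.append(f"kind {kind}: length {length}, expected {FIXED_LEN[kind]}")
        i += length
    return findings


def build_header(options: bytes) -> bytes:
    """Constructed sample: 20-byte base header plus options padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    offset = (20 + len(options)) // 4
    base = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, offset << 4, 0x02, 65535, 0, 0)
    return base + options
```
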
Configuring Packet Decoding
License: Protection
You can configure packet decoding on the Packet Decoding configuration page. For more information on
packet decoding configuration options, see
To configure packet decoding:
Access: Admin/Intrusion Admin
Step 1 Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2 Click the edit icon ( ) next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See
for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3 Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.