Cisco Cisco Firepower Management Center 4000
26-19
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Using TCP Stream Preprocessing
Step 4
You have two choices, depending on whether
Packet Decoding
under Transport/Network Layer
Preprocessors is enabled:
•
If the configuration is enabled, click
Edit
.
•
If the configuration is disabled, click
Enabled
, then click
Edit
.
The Packet Decoding page appears. A message at the bottom of the page identifies the intrusion policy
layer that contains the configuration. See
layer that contains the configuration. See
for more
information.
Step 5
You can enable or disable any of the detection options on the Packet Decoding page. See
for more information.
Step 6
Optionally, click
Configure Rules for Packet Decoding
at the top of the page to display rules associated with
individual options.
Click
Back
to return to the Packet Decoding page.
Step 7
Save your policy, continue editing, discard your changes, revert to the default configuration settings in
the base policy, or exit while leaving your changes in the system cache. See the
the base policy, or exit while leaving your changes in the system cache. See the
table for more information.
Using TCP Stream Preprocessing
License:
Protection
The TCP protocol defines various states in which connections can exist. Each TCP connection is
identified by the source and destination IP addresses and source and destination ports. TCP permits only
one connection with the same connection parameter values to exist at a time.
identified by the source and destination IP addresses and source and destination ports. TCP permits only
one connection with the same connection parameter values to exist at a time.
Note that you must enable TCP stream preprocessor rules, which have a generator ID (GID) of 129, if
you want these rules to generate events. A link on the configuration page takes you to a filtered view of
TCP stream preprocessor rules on the intrusion policy Rules page, where you can enable and disable
rules and configure other rule actions. See
you want these rules to generate events. A link on the configuration page takes you to a filtered view of
TCP stream preprocessor rules on the intrusion policy Rules page, where you can enable and disable
rules and configure other rule actions. See
for more information.
Note also that when a rule that requires this preprocessor is enabled in an intrusion policy, you must
enable the preprocessor or choose to allow the system to enable it automatically before you can save the
policy. For more information, see
enable the preprocessor or choose to allow the system to enable it automatically before you can save the
policy. For more information, see
If you enable any of the following, TCP stream preprocessing must be enabled:
•
the DCE/RPC preprocessor when the RPC over HTTP proxy, RPC over HTTP server, TCP, or SMB
transport protocol is selected
transport protocol is selected
•
the DNS preprocessor
•
the FTP/Telnet preprocessor
•
the HTTP Inspect preprocessor
•
the IMAP preprocessor
•
the POP preprocessor
•
the SMTP preprocessor
•
the SSL preprocessor
•
the Modbus preprocessor
•
the DNP3 preprocessor