26-20
FireSIGHT System User Guide
 
Chapter 26 Using Transport & Network Layer Preprocessors
Using TCP Stream Preprocessing
• portscan detection when the TCP protocol is selected
• TCP intrusion rules that use the flow, flowbits, stream-size, or stream-reassemble keyword
See the following sections for more information:
Understanding State-Related TCP Exploits
License: Protection
If you add the flow keyword with the established argument to an intrusion rule, the rules engine
inspects packets matching the rule and the flow directive in stateful mode. Stateful mode evaluates only
the traffic that is part of a TCP session established with a legitimate three-way handshake between a
client and server. The following diagram illustrates a three-way handshake.
You can configure the system so that the preprocessor detects any TCP traffic that cannot be identified 
as part of an established TCP session, although this is not recommended for typical use because the 
events would quickly overload the system and not provide meaningful data.
Attacks like stick and snot use the system’s extensive rule sets and packet inspection against itself. These
tools generate packets based on the patterns in Snort-based intrusion rules, and send them across the
network. If your rules do not include the flow or flowbits keyword to configure them for stateful
inspection, each packet will trigger the rule, overwhelming the system. Stateful inspection allows you to
ignore these packets because they are not part of an established TCP session and do not provide
meaningful information. When performing stateful inspection, the rules engine detects only those
attacks that are part of an established TCP session, allowing analysts to focus on these rather than the
volume of events caused by stick or snot.
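To make the difference between stateless and stateful evaluation concrete, here is an added example (a toy model written for this section, not FireSIGHT or Snort code) in which the `require_established` parameter stands in for the flow keyword's established argument. The addresses, ports, flag values and the rule content `rule-content` are all constructed for the demonstration.

```python
# Added example (not FireSIGHT or Snort code): a toy TCP stream tracker that shows why a
# content rule with the flow keyword's established argument ignores stick/snot-style noise.
from collections import namedtuple
SYN, SYN_ACK, ACK, PSH_ACK = 0x02, 0x12, 0x10, 0x18  # TCP flag bit patterns
Packet = namedtuple("Packet", "src dst sport dport flags payload", defaults=(b"",))

def _key(p):
    """Direction-independent session key: the two endpoints as an unordered pair."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

class StreamTracker:
    """Marks a session established only after a full SYN -> SYN/ACK -> ACK handshake."""
    def __init__(self):
        self.state = {}  # session key -> "syn" | "synack" | "established"

    def observe(self, p):
        """Update state for packet p; return True if p belongs to an established session."""
        k = _key(p)
        s = self.state.get(k)
        if p.flags == SYN and s is None:
            self.state[k] = "syn"
        elif p.flags == SYN_ACK and s == "syn":
            self.state[k] = "synack"
        elif p.flags == ACK and s == "synack":
            self.state[k] = "established"
        return self.state.get(k) == "established"

def evaluate(content, require_established, packets):
    """Count alerts a content rule raises; require_established models flow:established."""
    tracker, alerts = StreamTracker(), 0
    for p in packets:
        in_session = tracker.observe(p)
        if content in p.payload and (in_session or not require_established):
            alerts += 1
    return alerts

def sample_traffic():
    """Constructed traffic: one legitimate session, then 20 stick-style packets with no handshake."""
    c, s = ("10.0.0.5", 40000), ("10.0.0.9", 80)
    session = [Packet(c[0], s[0], c[1], s[1], SYN), Packet(s[0], c[0], s[1], c[1], SYN_ACK),
               Packet(c[0], s[0], c[1], s[1], ACK),
               Packet(c[0], s[0], c[1], s[1], PSH_ACK, b"rule-content")]
    noise = [Packet(f"192.0.2.{i}", s[0], 50000 + i, s[1], PSH_ACK, b"rule-content")
             for i in range(1, 21)]
    return session + noise

if __name__ == "__main__":
    print(evaluate(b"rule-content", False, sample_traffic()))  # stateless: 21 alerts
    print(evaluate(b"rule-content", True, sample_traffic()))   # stateful: 1 alert
```

The stateless evaluation fires once per sprayed packet, which is exactly the event flood the text describes, while the stateful evaluation reports only the packet that belongs to the handshake-established session.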