Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Using TCP Stream Preprocessing
Stateful Inspection Anomalies
Detects anomalous behavior in the TCP stack. When the accompanying preprocessor rules are enabled, this option may generate many events on networks with hosts whose TCP/IP stacks are poorly written.
You can enable the following rules to generate events for this option:
– 129:1 through 129:5
– 129:6 (Mac OS only)
– 129:8 through 129:11
– 129:13 through 129:19
See for more information.
TCP Session Hijacking
Detects TCP session hijacking by validating the hardware (MAC) addresses detected from both sides of a TCP connection during the 3-way handshake against subsequent packets received on the session. When the MAC address for one side or the other does not match, the system generates an event if Stateful Inspection Anomalies is enabled and the corresponding preprocessor rule is enabled. Note that the check can only validate sessions whose handshake the system observed; a session picked up midstream has no handshake MAC addresses to compare against.
You can enable rules 129:9 and 129:10 to generate events for this option. See for more information.
Consecutive Small Segments
When Stateful Inspection Anomalies is enabled, specifies the maximum number (1 to 2048) of consecutive small TCP segments allowed. Setting the value to 0 disables checking for consecutive small segments.
You must set this option together with the Small Segment Size option, either disabling both or setting a non-zero value for both. Note that receiving as many as 2000 consecutive segments without an intervening ACK, even if each segment were 1 byte in length, would be far more consecutive segments than you would normally expect, so values near the top of the range effectively never fire.
You can enable rule 129:12 to generate events for this option. See for more information.
Small Segment Size
When Stateful Inspection Anomalies is enabled, specifies the TCP segment size (1 to 2048 bytes) at or below which a segment is considered small. Setting the value to 0 disables small segment detection.
You must set this option together with the Consecutive Small Segments option, either disabling both or setting a non-zero value for both. Note that a 2048 byte TCP segment is larger than the 1500 byte payload of a standard Ethernet frame, so a value that large would classify every segment on an ordinary Ethernet path as small.
Ports Ignoring Small Segments
When Stateful Inspection Anomalies, Consecutive Small Segments, and Small Segment Size are enabled, optionally specifies a comma-separated list of one or more ports that ignore small TCP segment detection. Leaving this option blank specifies that no ports are ignored.
You can add any port to the list, but the list only affects ports specified in one of the Perform Stream Reassembly on port lists in the TCP policy: small segment detection is not applied to ports that are not being reassembled in the first place, so listing such a port here has no effect.
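The following is an added example, not code from the FireSIGHT System or from Snort, that models how the TCP Session Hijacking check and the Consecutive Small Segments, Small Segment Size and Ports Ignoring Small Segments options described above interact. It walks a constructed packet sequence through a simplified flow tracker and returns the GID:SID events the policy would raise. The packet record, the policy field names, the reset of a run on an intervening ACK, and the mapping of 129:9 to a changed client MAC and 129:10 to a changed server MAC (the page only lists the pair) are this example's own assumptions.

```python
"""Simplified model of two stateful-inspection checks of the TCP stream
preprocessor: MAC validation against the 3-way handshake (TCP Session
Hijacking, 129:9/129:10) and the consecutive-small-segment limit (129:12)
with its reassembly-port and ignore-port gating. Constructed illustration,
not the FireSIGHT/Snort implementation."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass
class Pkt:
    """One TCP packet reduced to the fields the checks need (assumed shape)."""
    src_mac: str
    dst_mac: str
    src: Endpoint
    dst: Endpoint
    flags: str            # "S", "SA", "A", "PA", ...
    payload_len: int = 0


@dataclass
class TcpPolicy:
    """The page's options as fields; names are this example's, not the FMC API."""
    stateful_inspection_anomalies: bool = True
    tcp_session_hijacking: bool = True
    consecutive_small_segments: int = 0            # 0 disables, else 1..2048
    small_segment_size: int = 0                    # 0 disables, else 1..2048
    ports_ignoring_small_segments: Tuple[int, ...] = ()
    reassembly_ports: Tuple[int, ...] = (80, 443)  # "Perform Stream Reassembly on" ports

    def validate(self) -> None:
        """Enforce the page's rule: disable both small-segment options or set both."""
        n, size = self.consecutive_small_segments, self.small_segment_size
        if (n == 0) != (size == 0):
            raise ValueError("set both small-segment options or disable both")
        if not (0 <= n <= 2048 and 0 <= size <= 2048):
            raise ValueError("small-segment values must be 0 or 1..2048")


@dataclass
class Flow:
    client: Endpoint
    server: Endpoint
    client_mac: str                    # learned from the SYN
    server_mac: Optional[str] = None   # learned from the SYN/ACK
    small_run: Dict[str, int] = field(default_factory=lambda: {"c2s": 0, "s2c": 0})
    small_alerted: Dict[str, bool] = field(default_factory=lambda: {"c2s": False, "s2c": False})


def run_checks(packets: List[Pkt], policy: TcpPolicy) -> List[str]:
    """Return the GID:SID events the policy raises, in packet order."""
    policy.validate()
    flows: Dict[Tuple[Endpoint, Endpoint], Flow] = {}
    events: List[str] = []
    for p in packets:
        if p.flags == "S":
            flows[(p.src, p.dst)] = Flow(p.src, p.dst, p.src_mac)
            continue
        f = flows.get((p.src, p.dst)) or flows.get((p.dst, p.src))
        if f is None:
            continue                   # no handshake seen: nothing to validate against
        direction = "c2s" if p.src == f.client else "s2c"
        other = "s2c" if direction == "c2s" else "c2s"
        if p.flags == "SA" and f.server_mac is None:
            f.server_mac = p.src_mac
            continue
        if not policy.stateful_inspection_anomalies:
            continue                   # both checks depend on this option

        # TCP Session Hijacking: sender MAC must match the one seen in the handshake.
        if policy.tcp_session_hijacking:
            expected = f.client_mac if direction == "c2s" else f.server_mac
            if expected is not None and p.src_mac != expected:
                events.append("129:9" if direction == "c2s" else "129:10")

        # Consecutive Small Segments: counted only on a reassembly port that is
        # not in the ignore list, and only while both options are non-zero.
        limit, size = policy.consecutive_small_segments, policy.small_segment_size
        port = f.server[1]
        if not limit or port not in policy.reassembly_ports or port in policy.ports_ignoring_small_segments:
            continue
        if p.payload_len == 0 and "A" in p.flags:
            f.small_run[other] = 0     # an intervening ACK ends the peer's run (assumption)
        elif p.payload_len <= size:
            f.small_run[direction] += 1
            if f.small_run[direction] > limit and not f.small_alerted[direction]:
                events.append("129:12")  # run exceeded the configured maximum
                f.small_alerted[direction] = True
        else:
            f.small_run[direction] = 0   # a full-size segment ends the run
    return events


C, S = ("10.0.0.5", 40000), ("10.0.0.9", 80)
MAC_C, MAC_S, MAC_X = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"


def sample_packets() -> List[Pkt]:
    """Constructed session: handshake, runs of 8-byte segments, then forged MACs."""
    return [
        Pkt(MAC_C, MAC_S, C, S, "S"),
        Pkt(MAC_S, MAC_C, S, C, "SA"),
        Pkt(MAC_C, MAC_S, C, S, "A"),
        Pkt(MAC_C, MAC_S, C, S, "PA", 8),
        Pkt(MAC_C, MAC_S, C, S, "PA", 8),
        Pkt(MAC_S, MAC_C, S, C, "A"),        # server ACK resets the client's run
        Pkt(MAC_C, MAC_S, C, S, "PA", 8),
        Pkt(MAC_C, MAC_S, C, S, "PA", 8),
        Pkt(MAC_C, MAC_S, C, S, "PA", 8),
        Pkt(MAC_C, MAC_S, C, S, "PA", 8),    # fourth in a row with a maximum of 3: 129:12
        Pkt(MAC_X, MAC_S, C, S, "PA", 200),  # client MAC changed mid-session: 129:9
        Pkt(MAC_X, MAC_C, S, C, "PA", 60),   # server MAC changed mid-session: 129:10
    ]


if __name__ == "__main__":
    print(run_checks(sample_packets(), TcpPolicy(consecutive_small_segments=3, small_segment_size=16)))
```

Adding port 80 to `ports_ignoring_small_segments`, or removing it from `reassembly_ports`, suppresses 129:12 for the same traffic while the MAC checks still fire; turning off `stateful_inspection_anomalies` silences both, which is the dependency the option descriptions above spell out.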