Cisco Firepower Management Center 4000

26-26
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Using TCP Stream Preprocessing
Require TCP 3-Way Handshake 
Specifies that sessions are treated as established only upon completion of a TCP three-way 
handshake. Disable this option to increase performance, protect from SYN flood attacks, and permit 
operation in a partially asynchronous environment. Enable it to avoid attacks that attempt to 
generate false positives by sending information that is not part of an established TCP session.
You can enable rule 129:20 to generate events for this option. See 
for more information.
3-Way Handshake Timeout
Specifies the number of seconds between 0 (unlimited) and 86400 (twenty-four hours) by which a 
handshake must be completed when Require TCP 3-Way Handshake is enabled. You must enable 
Require TCP 3-Way Handshake to modify the value for this option.
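The gating that these two options describe, as an added illustration (not Cisco or Snort code): a toy session tracker that treats a session as established only after SYN, SYN-ACK and ACK, discards a handshake whose final ACK arrives after the configured timeout, and records a 129:20 event when payload is seen on a session without a completed handshake. The hosts, ports and timestamps below are constructed.

```python
# Added example (not Cisco/Snort code): toy model of "Require TCP 3-Way Handshake"
# and "3-Way Handshake Timeout". All addresses and timestamps are constructed.
from dataclasses import dataclass, field

@dataclass
class Packet:
    ts: float              # arrival time in seconds
    src: str               # "host:port"
    dst: str
    flags: frozenset       # subset of {"SYN", "ACK"}
    payload: bytes = b""

@dataclass
class Session:
    state: str = "NONE"    # NONE -> SYN -> SYNACK -> ESTABLISHED
    syn_ts: float = 0.0    # when the SYN was seen, for the timeout check

@dataclass
class StreamTCP:
    require_3whs: bool = True
    handshake_timeout: int = 0      # seconds; 0 = unlimited, 86400 maximum
    sessions: dict = field(default_factory=dict)
    events: list = field(default_factory=list)   # (gid, sid, ts)

    def process(self, pkt: Packet) -> bool:
        """Return True if pkt's payload is inspected as part of an established session."""
        sess = self.sessions.setdefault(frozenset((pkt.src, pkt.dst)), Session())
        if pkt.flags == {"SYN"}:
            sess.state, sess.syn_ts = "SYN", pkt.ts
        elif pkt.flags == {"SYN", "ACK"} and sess.state == "SYN":
            sess.state = "SYNACK"
        elif pkt.flags == {"ACK"} and sess.state == "SYNACK":
            expired = self.handshake_timeout and pkt.ts - sess.syn_ts > self.handshake_timeout
            sess.state = "NONE" if expired else "ESTABLISHED"   # late ACK: handshake discarded
        if not pkt.payload:
            return False
        if sess.state == "ESTABLISHED" or not self.require_3whs:
            return True
        self.events.append((129, 20, pkt.ts))   # data seen without a completed handshake
        return False

def run(cfg: StreamTCP, pkts) -> list:
    """Feed packets in order; one True/False per packet (payload inspected or not)."""
    return [cfg.process(p) for p in pkts]

C, S = "10.0.0.5:40000", "10.0.0.9:80"   # constructed client and server
HANDSHAKE = [Packet(0.0, C, S, frozenset({"SYN"})),
             Packet(0.1, S, C, frozenset({"SYN", "ACK"})),
             Packet(0.2, C, S, frozenset({"ACK"}))]
DATA = Packet(0.3, C, S, frozenset({"ACK"}), b"GET / HTTP/1.1\r\n")
UNSOLICITED = Packet(5.0, "10.0.0.7:1234", S, frozenset({"ACK"}), b"GET /x HTTP/1.1\r\n")
```

With `require_3whs=False` the unsolicited payload is inspected as if the session were established, which is the trade-off the option text describes.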
Packet Size Performance Boost
Sets the preprocessor to not queue large packets in the reassembly buffer. This performance 
improvement could result in missed attacks. Disable this option to protect against evasion attempts 
using small packets of one to twenty bytes. Enable it when you are assured of no such attacks 
because all traffic consists of very large packets.
Legacy Reassembly
Sets the stream preprocessor to emulate the deprecated Stream 4 preprocessor when reassembling 
packets, which lets you compare events reassembled by the stream preprocessor to events based on 
the same data stream reassembled by the Stream 4 preprocessor.
Asynchronous Network
Specifies whether the monitored network is an asynchronous network, that is, a network where the 
system sees only half the traffic. When this option is enabled, the system does not reassemble TCP 
streams to increase performance. 
Perform Stream Reassembly on Client Ports, Server Ports, Both Ports
Specifies for client ports, server ports, or both, a comma-separated list of ports to identify the traffic 
for the stream preprocessor to reassemble. See 
Perform Stream Reassembly on Client Services, Server Services, Both Services
Specifies for client services, server services, or both, services to identify in the traffic for the stream 
preprocessor to reassemble. See 
Reassembling TCP Streams
License: Protection
The stream preprocessor collects and reassembles all the packets that are part of a TCP session’s 
server-to-client communication stream, client-to-server communication stream, or both. This allows the 
rules engine to inspect the stream as a single, reassembled entity rather than inspecting only the 
individual packets that are part of a given stream.
Note
Any port you add to the server-level FTP port list, or the DCE/RPC, HTTP, SMTP, Session Initiation 
Protocol, POP, IMAP, or SSL port list should also be added in each TCP policy to the appropriate list of 
TCP reassembly ports, depending on whether you are monitoring client or server traffic, or both. Note,