Cisco Firepower Management Center 4000

FireSIGHT System User Guide, 26-28

Chapter 26      Using Transport & Network Layer Preprocessors
  Using TCP Stream Preprocessing
  • For client services, specify smtp
  • For server ports, specify 21
  • For server services, specify telnet
Although you can also specify all as the argument to provide reassembly for all ports, Cisco does not recommend setting ports to all because it may increase the amount of traffic inspected by this preprocessor and slow performance unnecessarily.
If no preprocessor rule is mentioned, the option is not associated with a preprocessor rule.
Perform Stream Reassembly on Client Ports
Enables stream reassembly based on ports for the client side of the connection. In other words, it 
reassembles streams destined for web servers, mail servers, or other IP addresses typically defined 
by the IP addresses specified in $HOME_NET. Use this option when you expect malicious traffic to 
originate from clients.
Perform Stream Reassembly on Client Services
Enables stream reassembly based on services for the client side of the connection. Use this option 
when you expect malicious traffic to originate from clients.
At least one client detector must be enabled (see ) for each client service you select. By default, all Cisco-provided detectors are activated. If no detector is enabled for an associated client application, the system automatically enables all Cisco-provided detectors for the application; if none exist, the system enables the most recently modified user-defined detector for the application.
This feature requires Protection and Control licenses.
Perform Stream Reassembly on Server Ports
Enables stream reassembly based on ports for the server side of the connection only. In other words, it reassembles streams originating from web servers, mail servers, or other IP addresses typically defined by the IP addresses specified in $EXTERNAL_NET. Use this option when you want to watch for server-side attacks. You can disable this option by not specifying ports.
Perform Stream Reassembly on Server Services
Enables stream reassembly based on services for the server side of the connection only. Use this option when you want to watch for server-side attacks. You can disable this option by not specifying services.
At least one detector must be enabled (see ) for each service you select. By default, all Cisco-provided detectors are activated. If no detector is enabled for a service, the system automatically enables all Cisco-provided detectors for the associated application protocol; if none exist, the system enables the most recently modified user-defined detector for the application protocol.
This feature requires Protection and Control licenses.
Perform Stream Reassembly on Both Ports
Enables stream reassembly based on ports for both the client and server side of the connection. Use 
this option when you expect that malicious traffic for the same ports may travel in either direction 
between clients and servers. You can disable this option by not specifying ports.