FireSIGHT System User Guide
 
Chapter 26      Using Transport & Network Layer Preprocessors
  Using TCP Stream Preprocessing
Perform Stream Reassembly on Both Services
Enables stream reassembly based on services for both the client and server side of the connection. Use this option when you expect that malicious traffic for the same services may travel in either direction between clients and servers. You can disable this option by not specifying services.
At least one detector must be enabled (see ) for each service you select. By default, all Cisco-provided detectors are activated. If no detector is enabled for an associated client application or application protocol, the system automatically enables all Cisco-provided detectors for the application or application protocol; if none exist, the system enables the most recently modified user-defined detector for the application or application protocol.
This feature requires Protection and Control licenses.
Configuring TCP Stream Preprocessing
License: Protection
You can configure TCP stream preprocessing, including TCP policies. For more information on the TCP stream preprocessor configuration options, see .
To configure the stream preprocessor to track TCP sessions:
Access: Admin/Intrusion Admin
Step 1      Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2      Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See  for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3      Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.
Step 4      You have two choices, depending on whether TCP Stream Configuration under Transport/Network Layer Preprocessors is enabled:
  • If the configuration is enabled, click Edit.
  • If the configuration is disabled, click Enabled, then click Edit.
Note        You cannot disable TCP stream preprocessing when the DNS, FTP/Telnet, HTTP Inspection, SMTP, or SSL preprocessor is enabled, or when the DCE/RPC preprocessor is enabled with the RPC over HTTP proxy, RPC over HTTP server, TCP, or SMB transport protocol selected, or when portscan detection is enabled with the TCP protocol selected. Also, you should not disable TCP stream preprocessing when you have TCP rules enabled that use the flow or flowbits keyword, because these rules will not trigger unless TCP stream preprocessing is enabled.
The TCP Stream Configuration page appears. A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See  for more information.