Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 26      Using Transport & Network Layer Preprocessors
Step 13  Save your policy, continue editing, discard your changes, revert to the default configuration
settings in the base policy, or exit while leaving your changes in the system cache. See the
table for more information.
Using UDP Stream Preprocessing
License: Protection
UDP stream preprocessing occurs when the rules engine processes packets against a UDP rule that
includes the flow keyword (see
using any of the following arguments:
  • Established
  • To Client
  • From Client
  • To Server
  • From Server
UDP is a connectionless protocol that does not provide a means for two endpoints to establish a 
communication channel, exchange data, and close the channel. UDP data streams are not typically 
thought of in terms of sessions. However, the stream preprocessor uses the source and destination IP 
address fields in the encapsulating IP datagram header and the port fields in the UDP header to determine 
the direction of flow and identify a session. A session ends when a configurable timer is exceeded, or 
when either endpoint receives an ICMP message that the other endpoint is unreachable or the requested 
service is unavailable.
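The following Python sketch is an added illustration, not code from the FireSIGHT guide or the product. It shows how datagrams can be grouped into sessions from the IP addresses and UDP ports, and how a session ends on a timer or an ICMP unreachable message. The class and function names, the 30-second timer value, treating the first sender as the client, and treating "established" as traffic seen in both directions are assumptions of this sketch.

```python
from dataclasses import dataclass

TIMEOUT = 30.0  # seconds; constructed value standing in for the configurable timer

@dataclass
class Session:
    client: tuple              # (ip, port) of the first sender seen (assumption)
    last_seen: float
    established: bool = False  # assumption: set once the other side has replied

class UdpSessionTracker:
    """Hypothetical tracker keyed on IP addresses and UDP ports."""

    def __init__(self, timeout=TIMEOUT):
        self.timeout = timeout
        self.sessions = {}

    @staticmethod
    def _key(a, b):
        # Order-independent key so both directions map to the same session.
        return tuple(sorted((a, b)))

    def packet(self, ts, src, dst):
        """Record one UDP datagram; return the flow arguments it would satisfy."""
        key = self._key(src, dst)
        sess = self.sessions.get(key)
        if sess is not None and ts - sess.last_seen > self.timeout:
            sess = None        # timer exceeded: the previous session has ended
        if sess is None:
            sess = self.sessions[key] = Session(client=src, last_seen=ts)
        sess.last_seen = ts
        if src == sess.client:
            flow = {"from_client", "to_server"}
        else:
            sess.established = True
            flow = {"from_server", "to_client"}
        if sess.established:
            flow.add("established")
        return flow

    def icmp_unreachable(self, src, dst):
        """End the session whose datagram (src -> dst) drew an ICMP unreachable."""
        return self.sessions.pop(self._key(src, dst), None) is not None

if __name__ == "__main__":
    # Constructed sample traffic: a DNS-style query and its reply.
    tracker = UdpSessionTracker()
    client, server = ("192.0.2.10", 53124), ("192.0.2.53", 53)
    print(tracker.packet(0.0, client, server))
    print(tracker.packet(0.2, server, client))
    print(tracker.icmp_unreachable(client, server))
```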
Note that the system does not generate events related to UDP stream preprocessing; however, you can 
enable related packet decoder rules to detect UDP protocol header anomalies. For information on events 
generated by the packet decoder, see 
Note also that UDP stream preprocessing can be automatically enabled when a rule that requires UDP 
stream preprocessing is enabled. For more information, see 
The following configurations require UDP stream preprocessing to be enabled:
  • DNS preprocessor
  • SIP preprocessor
  • DCE/RPC preprocessor with the UDP transport protocol selected
  • UDP intrusion rules that use the flow, flowbits, or stream-size keyword
Configuring UDP Stream Preprocessing
License: Protection
You can configure UDP stream preprocessing.
To configure the stream preprocessor to track UDP sessions:
Access: Admin/Intrusion Admin
Step 1  Select Policies > Intrusion > Intrusion Policy.