Cisco Cisco Firepower Management Center 4000

For example, you could use 

client, >=, 5001216 

as the argument for the 

stream_size

 keyword to 

detect a TCP stream traveling from a client to a server and greater than or equal to 5001216 bytes.

Protection

You can use the

 stream_reassemble

 keyword to enable or disable TCP stream reassembly for a single 

connection when inspected traffic on the connection matches the conditions of the rule. Optionally, you 
can use this keyword multiple times in a rule.

Use the following syntax to enable or disable stream reassembly:

enable|disable, server|client|both, option, option

The following table describes the optional arguments you can use with the 

stream_reassemble

 keyword. 

For example, the following rule disables TCP client-side stream reassembly without generating an event 
on the connection where a 200 OK status code is detected in an HTTP response:

alert tcp any 80 -> any any (flow:to_client, established; content: “200 OK”; 

stream_reassemble:disable, client, noalert

Note that the TCP stream preprocessor must be enabled to allow processing of rules using the 

stream_reassemble

 keyword. When the TCP stream preprocessor is disabled and you enable rules that 

use this keyword, you are prompted whether to enable the preprocessor when you save the policy. See 

.

Admin/Intrusion Admin

On the Create Rule page, select 

stream_reassemble

 in the drop-down list and click 

.

The 

stream_reassemble

 section appears.

=

equal to

!=

not equal to

>

greater than

<

less than

>=

 greater than or equal to

<=

less than or equal to

noalert

Generate no events regardless of any other detection options specified in the rule.

fastpath

Ignore the rest of the connection traffic when there is a match.