Cisco FirePOWER Appliance 8370
26-24
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Using TCP Stream Preprocessing
Note that the default setting in the default policy specifies all IP addresses on your monitored network segment that are not covered by another target-based policy. Therefore, you cannot and do not need to specify an IP address or CIDR block/prefix length for the default policy, and you cannot leave this setting blank in another policy or use address notation to represent any (for example, 0.0.0.0/0 or ::/0).
Policy
Identifies the TCP policy operating system of the target host or hosts. If you select a policy other than Mac OS, the system removes the data from the synchronization (SYN) packets and disables event generation for rule 129:2. For more information, see .
Timeout
The number of seconds between 1 and 86400 the rules engine keeps an inactive stream in the state table. If the stream is not reassembled in the specified time, the rules engine deletes it from the state table.
Note
If your managed device is deployed on a segment where the network traffic is likely to reach the device’s bandwidth limits, you should consider setting this value higher (for example, to 600 seconds) to lower the amount of processing overhead.
Maximum TCP Window
Specifies the maximum TCP window size between 1 and 1073725440 bytes allowed as specified by a receiving host. Setting the value to 0 disables checking for the TCP window size.
Caution
The upper limit is the maximum window size permitted by RFC, and is intended to prevent an attacker from evading detection, but setting a significantly large maximum window size could result in a self-imposed denial of service.
You can enable rule 129:6 to generate events for this option. See for more information.
Overlap Limit
Specifies that when the configured number between 0 (unlimited) and 255 of overlapping segments in a session has been detected, segment reassembly stops for that session and, if Stateful Inspection Anomalies is enabled and the accompanying preprocessor rule is enabled, an event is generated.
You can enable rule 129:7 to generate events for this option. See for more information.
Flush Factor
In an inline deployment, specifies that when a segment of decreased size has been detected subsequent to the configured number between 1 and 2048 of segments of non-decreasing size, the system flushes segment data accumulated for detection. Setting the value to 0 disables detection of this segment pattern, which can indicate the end of a request or response. Note that you must enable the Inline Normalization Normalize TCP option for this option to be effective. See for more information.
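The three numeric checks described above (Maximum TCP Window, Overlap Limit and Flush Factor) as a small Python model of how each option is evaluated per segment. This is an added illustration, not Snort or FireSIGHT code: the Segment and StreamState names, the way overlaps are counted against previously seen byte ranges, the treatment of the first segment as the start of a non-decreasing run, and the constructed sample segments are assumptions made for the example. The 0-value semantics (window check off, overlaps unlimited, flush pattern off) follow the option descriptions in the text.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Segment:
    seq: int       # first sequence number covered by the payload (constructed)
    length: int    # payload bytes
    window: int    # receive window advertised by the receiving host


@dataclass
class StreamState:
    # Option values as described in the text; defaults mirror the documented limits.
    max_window: int = 1073725440   # 0 disables the window-size check
    overlap_limit: int = 0         # 0 means unlimited overlapping segments
    flush_factor: int = 0          # 0 disables the decreased-size flush pattern
    # Per-session bookkeeping (hypothetical, for this model only).
    covered: List[Tuple[int, int]] = field(default_factory=list)
    overlaps: int = 0
    reassembling: bool = True
    run: int = 0                   # length of the current non-decreasing run
    last_len: Optional[int] = None
    flushes: int = 0
    events: List[str] = field(default_factory=list)


def check_window(state: StreamState, seg: Segment) -> bool:
    """Analogue of the rule 129:6 condition: the advertised window exceeds
    the configured maximum. Returns False when an event is recorded."""
    if state.max_window and seg.window > state.max_window:
        state.events.append("129:6 window %d > max %d" % (seg.window, state.max_window))
        return False
    return True


def check_overlap(state: StreamState, seg: Segment) -> bool:
    """Count a segment whose byte range overlaps data already seen in the
    session. When the overlap limit is reached, reassembly stops for the
    session and a rule 129:7 style event is recorded. Returns whether the
    session is still being reassembled."""
    if not state.reassembling:
        return False
    start, end = seg.seq, seg.seq + seg.length
    if any(start < e and s < end for s, e in state.covered):
        state.overlaps += 1
        if state.overlap_limit and state.overlaps >= state.overlap_limit:
            state.reassembling = False
            state.events.append("129:7 overlap limit %d reached" % state.overlap_limit)
    state.covered.append((start, end))
    return state.reassembling


def check_flush(state: StreamState, seg: Segment) -> bool:
    """Flush factor pattern: once flush_factor segments of non-decreasing size
    have been seen, a smaller segment flushes the accumulated data."""
    if state.flush_factor == 0:
        state.last_len = seg.length
        return False
    flushed = False
    if state.last_len is not None and seg.length < state.last_len:
        if state.run >= state.flush_factor:
            state.flushes += 1
            flushed = True
        state.run = 1          # the smaller segment starts a new run
    else:
        state.run += 1         # first segment or non-decreasing size
    state.last_len = seg.length
    return flushed


def process(state: StreamState, segments: List[Segment]) -> dict:
    """Run all three checks over a sequence of segments and summarise."""
    for seg in segments:
        check_window(state, seg)
        if check_overlap(state, seg):   # skip flush logic once reassembly stops
            check_flush(state, seg)
    return {
        "events": list(state.events),
        "flushes": state.flushes,
        "reassembling": state.reassembling,
    }


if __name__ == "__main__":
    # Constructed sample: three growing segments then a small one triggers a flush.
    st = StreamState(max_window=65535, overlap_limit=2, flush_factor=3)
    sample = [Segment(1000, 100, 8192), Segment(1100, 200, 8192),
              Segment(1300, 200, 8192), Segment(1500, 50, 8192)]
    print(process(st, sample))
```

Lowering flush_factor makes the flush fire on shorter runs, and setting overlap_limit to a small non-zero value shows how quickly a session with retransmitted or overlapping segments stops being reassembled, which is the trade-off the Overlap Limit description points at.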