Cisco FirePOWER Appliance 8250
26-21
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Using TCP Stream Preprocessing
Initiating Active Responses with Drop Rules
License: Protection
In an inline deployment, the system responds to TCP or UDP drop rules by dropping the triggering packet and blocking the session where the packet originated. In a passive deployment, the system cannot drop the packet and does not block the session except with the use of active responses.
Tip: Because UDP data streams are not typically thought of in terms of sessions, see for further explanation of how the stream preprocessor uses the source and destination IP address fields in the encapsulating IP datagram header and the port fields in the UDP header to determine the direction of flow and identify a UDP session.
You can configure the Maximum Active Responses option to initiate one or more active responses to more precisely and specifically close a TCP connection or UDP session when an offending packet triggers a TCP or UDP drop rule.
When active responses are enabled in an inline deployment, the system responds to TCP drop rules by dropping the triggering packet and inserting a TCP Reset (RST) packet in both the client and server traffic. When active responses are enabled in a passive deployment, the system cannot drop the packet but sends a TCP reset to both the client and server ends of a TCP connection. When active responses are enabled in inline or passive deployments, the system closes a UDP session by sending an ICMP unreachable packet to each end of the session. Active responses are most effective in inline deployments because resets are more likely to arrive in time to affect the connection or session.
Depending on how you configure the Maximum Active Responses option, the system can also initiate additional active responses if it sees additional traffic from either end of the connection or session. The system initiates each additional active response, up to a specified maximum, after a specified number of seconds have elapsed since the previous response. Note that to initiate additional TCP resets you must ensure that TCP Stream Configuration is enabled, and to initiate additional ICMP unreachable packets you must ensure that UDP Stream Configuration is enabled. See for more information.
See for information on setting the maximum number of active responses.
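Added example, not code from the guide or from Cisco: a small Python model of the active-response behaviour described above (initial RST or ICMP unreachable to both ends, then additional responses only after the configured delay and up to the configured maximum, and only when the matching stream configuration is enabled). The option values are constructed, and the reading of Maximum Active Responses as the number of additional responses after the first is an assumption of this model.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ActiveResponsePolicy:
    deployment: str              # "inline" or "passive"
    max_active_responses: int    # assumption: additional responses per session
    min_response_seconds: float  # delay required before each additional response
    tcp_stream_enabled: bool = True  # required for additional TCP resets
    udp_stream_enabled: bool = True  # required for additional ICMP unreachables


@dataclass
class ActiveResponseSession:
    protocol: str  # "tcp" or "udp"
    additional_sent: int = 0
    last_response_at: Optional[float] = None  # seconds; None until a rule fires


def response_packets(protocol: str) -> List[str]:
    # TCP connections are closed with a RST toward each end; UDP sessions
    # with an ICMP unreachable toward each end.
    if protocol == "tcp":
        return ["RST->client", "RST->server"]
    return ["ICMP-unreachable->client", "ICMP-unreachable->server"]


def on_drop_rule(policy: ActiveResponsePolicy, session: ActiveResponseSession,
                 now: float) -> List[str]:
    """First response when a drop rule matches a packet of this session."""
    actions: List[str] = []
    if policy.deployment == "inline":
        actions.append("drop-packet")  # a passive sensor cannot drop
    actions += response_packets(session.protocol)
    session.last_response_at = now
    return actions


def on_follow_up_traffic(policy: ActiveResponsePolicy,
                         session: ActiveResponseSession, now: float) -> List[str]:
    """Additional response when more traffic is seen from either end."""
    if session.last_response_at is None:
        return []  # no drop rule has fired on this session yet
    if session.additional_sent >= policy.max_active_responses:
        return []  # configured maximum reached
    stream_ok = (policy.tcp_stream_enabled if session.protocol == "tcp"
                 else policy.udp_stream_enabled)
    if not stream_ok or now - session.last_response_at < policy.min_response_seconds:
        return []  # stream preprocessing disabled, or too soon since last response
    session.additional_sent += 1
    session.last_response_at = now
    return response_packets(session.protocol)
```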
Note that a triggered resp or react rule also initiates an active response regardless of the configuration of Maximum Active Responses; however, Maximum Active Responses controls whether the system initiates additional active responses for resp and react rules in the same way it controls the maximum number of active responses for drop rules. See for more information.
You can also use the config response command to configure the active response interface to use and the number of TCP resets to attempt in a passive deployment. See for more information.
Selecting TCP Global Options
License: Protection
This section describes the options that control how the TCP stream preprocessor functions. If no preprocessor rule is mentioned, the option is not associated with a preprocessor rule.