Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide
Chapter 22 Using Advanced Settings in an Intrusion Policy
To access the configuration page for an advanced setting that is enabled, you can also expand Advanced Settings in the navigation panel on the left, then click the name of the advanced setting.
Tip: You cannot disable the Performance Statistics Configuration advanced setting. This ensures that Support can troubleshoot your system.
Step 4 Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. See the table for more information.
Understanding Preprocessors
License: Protection
Preprocessors reformat traffic to make sure the rules engine reads the traffic in the same format it will
be received by the host. Without preprocessing, the system cannot appropriately evaluate traffic because
protocol differences make pattern matching impossible. Cisco preprocessors normalize traffic and help
identify network layer and transport layer protocol anomalies by identifying inappropriate header
options, defragmenting IP datagrams, providing TCP stateful inspection and stream reassembly,
providing UDP stream preprocessing, resolving application protocol command syntax, and validating
checksums.
You can configure these preprocessors to ensure that the packets the system analyzes resemble, as
closely as possible, the packets processed by the hosts on your network. Each preprocessor has a variety
of options and settings that you can configure to meet the needs of your network environment, allowing
you to minimize both false positives and false negatives and to optimize performance by executing only
those preprocessors appropriate to your network traffic.
In general, as intrusion detection and prevention systems become important components in securing
networks, the systems themselves become targets for attackers. For example, attackers sometimes
attempt to purposefully create denial of service attacks by sending SYN packets with spoofed source IP
addresses, causing the recipient server to allocate memory for the pending TCP connection. The server
then sends a SYN-ACK to the originating IP address to establish a TCP session. Because attackers do
not use legitimate IP addresses, the SYN-ACK message times out and the server resends it, keeping
memory allocated for a longer period of time. These half-open TCP connections drain system resources.
Because most systems attempt to perform stateful inspection on TCP sessions, the system may go into
a denial-of-service condition while attempting to establish the state of these open TCP sessions.
However, the transport layer preprocessor, included as part of the system, detects the state of a TCP
connection, and can dispense with half-open connections and prevent overloading the rules engine with
false connections.
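The half-open-connection handling described above, as an added illustration that is not FireSIGHT code: a toy TCP state tracker follows the three-way handshake, ages out SYNs whose SYN-ACK was sent to a spoofed address, and counts only completed handshakes as sessions the rules engine would need to inspect. The timeout value and all addresses in the trace are constructed.

```python
"""Toy TCP state tracker: follows the three-way handshake, ages out half-open
connections left by spoofed SYNs, and passes only established sessions on.
Added illustration, not FireSIGHT code; timeout and addresses are constructed."""
HALF_OPEN_TIMEOUT = 5.0  # assumed: seconds a SYN may wait for handshake completion

def track(packets, timeout=HALF_OPEN_TIMEOUT):
    """packets: (time, src, dst, flags) tuples, flags in {"S", "SA", "A"}; returns counts."""
    sessions = {}  # (client, server) -> [state, last_seen]
    stats = {"established": 0, "expired_half_open": 0, "ignored": 0}
    for t, src, dst, flags in packets:
        # Age out half-open sessions first: their SYN-ACK went to a spoofed
        # address and the completing ACK is never coming.
        for k in [k for k, s in sessions.items()
                  if s[0] != "ESTABLISHED" and t - s[1] > timeout]:
            del sessions[k]
            stats["expired_half_open"] += 1
        # SYN-ACK travels server -> client, so flip it to keep (client, server) keys.
        key = (dst, src) if flags == "SA" else (src, dst)
        s = sessions.get(key)
        if flags == "S" and (s is None or s[0] == "SYN_SENT"):
            sessions[key] = ["SYN_SENT", t]           # new or retransmitted SYN
        elif flags == "SA" and s and s[0] == "SYN_SENT":
            sessions[key] = ["SYN_RECEIVED", t]
        elif flags == "A" and s and s[0] == "SYN_RECEIVED":
            sessions[key] = ["ESTABLISHED", t]
            stats["established"] += 1                 # only now reaches the rules engine
        else:
            stats["ignored"] += 1                     # no valid state, e.g. a stray ACK
    stats["still_half_open"] = sum(s[0] != "ESTABLISHED" for s in sessions.values())
    return stats

def sample_trace():
    """Constructed trace: one legitimate handshake, three spoofed-source SYNs that
    never complete, a stray ACK, then a second legitimate handshake after the timeout."""
    pkts = [(0.0, "10.0.0.5", "192.0.2.10", "S"),
            (0.1, "192.0.2.10", "10.0.0.5", "SA"),
            (0.2, "10.0.0.5", "192.0.2.10", "A")]
    for i in range(1, 4):  # spoofed clients never answer the SYN-ACK
        pkts.append((1.0 + i / 10, f"198.51.100.{i}", "192.0.2.10", "S"))
        pkts.append((1.05 + i / 10, "192.0.2.10", f"198.51.100.{i}", "SA"))
    pkts.append((2.0, "203.0.113.9", "192.0.2.10", "A"))  # ACK with no prior SYN
    pkts += [(10.0, "10.0.0.6", "192.0.2.10", "S"),
             (10.1, "192.0.2.10", "10.0.0.6", "SA"),
             (10.2, "10.0.0.6", "192.0.2.10", "A")]
    return pkts

if __name__ == "__main__":
    print(track(sample_trace()))
```

Only the two completed handshakes count as established; the three spoofed SYNs are dropped once the timeout passes and the stray ACK is never given a session.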
Preprocessor options can protect you from attacks against the managed device itself, ensuring higher
availability and better security for your network. Many preprocessor options are associated with
preprocessor rules that you can enable to generate events when triggered. If you deploy your FireSIGHT
System inline, you can set the rule state for preprocessor rules in your inline intrusion policy to drop
malicious packets. For more information on configuring rules to generate events and, in an inline
deployment, to drop packets, see
.
You can configure rule state, thresholding, suppression, rate-based rule state, alerting, and rule
comments for preprocessor rules. Preprocessor rules are listed by preprocessor in the Preprocessors filter
group on the intrusion policy Rules page, and also in the preprocessor and packet decoder sub-groupings
in the Category filter group. You must set the rule state of preprocessor and decoder rules to Generate