Cisco FirePOWER Appliance 7030
26-20
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Using TCP Stream Preprocessing
• portscan detection when the TCP protocol is selected
• TCP intrusion rules that use the flow, flowbits, stream-size, or stream-reassemble keyword
Understanding State-Related TCP Exploits
License: Protection
If you add the flow keyword with the established argument to an intrusion rule, the rules engine inspects packets matching the rule and the flow directive in stateful mode. Stateful mode evaluates only the traffic that is part of a TCP session established with a legitimate three-way handshake (SYN, SYN-ACK, ACK) between a client and server. The following diagram illustrates a three-way handshake.
You can configure the system so that the preprocessor detects any TCP traffic that cannot be identified as part of an established TCP session, although this is not recommended for typical use because the events would quickly overload the system and not provide meaningful data.
Attacks like stick and snot use the system's extensive rule sets and packet inspection against it. These tools generate packets based on the patterns in Snort-based intrusion rules and send them across the network without ever completing a TCP handshake. If your rules do not include the flow or flowbits keyword to configure them for stateful inspection, each such packet triggers the rule, overwhelming the system with events. Stateful inspection allows you to ignore these packets because they are not part of an established TCP session and do not provide meaningful information. When performing stateful inspection, the rules engine detects only those attacks that are part of an established TCP session, allowing analysts to focus on these rather than on the volume of events caused by stick or snot.
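As an added illustration (not code from the FireSIGHT guide or from the Snort project), the following Python models the difference between a rule with no flow keyword and one using flow:established,to_server against constructed traffic: a legitimate handshaken session carrying a matching request, followed by stick/snot-style packets that carry the same content but never complete a handshake, and a packet reusing the 4-tuple after the session is reset. The tracker, the rule content (/etc/passwd), the addresses and the ports are all assumptions for the example; real stream preprocessing also tracks sequence numbers, timeouts and reassembly.

```python
from dataclasses import dataclass

# Constructed sample endpoints (not a capture): one legitimate client/server
# session and an attacker spraying rule-matching packets.
CLIENT = ("10.0.0.5", 40000)
SERVER = ("192.0.2.10", 80)
ATTACKER = ("198.51.100.7", 55555)

# Content of the hypothetical rule being modelled:
#   alert tcp any any -> any 80 (flow:established,to_server; content:"/etc/passwd"; ...)
CONTENT = b"/etc/passwd"
SERVER_PORT = 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # any combination of S, A, P, F, R
    payload: bytes = b""


class Session:
    """Per-connection handshake state: SYN_SENT -> SYN_RECV -> ESTABLISHED."""
    def __init__(self, client, server):
        self.client = client
        self.server = server
        self.state = "SYN_SENT"


class StreamTracker:
    """Minimal handshake tracker. It only decides whether a packet belongs to a
    session that completed the three-way handshake; nothing more."""

    def __init__(self):
        self.sessions = {}

    @staticmethod
    def _key(p):
        # Direction-independent connection identifier.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def update(self, p):
        """Track p and return its session state, or None if p belongs to no
        session (e.g. a mid-stream packet with no preceding handshake)."""
        flags = set(p.flags)
        k = self._key(p)
        s = self.sessions.get(k)
        if s is None:
            if flags == {"S"}:
                self.sessions[k] = Session((p.src, p.sport), (p.dst, p.dport))
                return "SYN_SENT"
            return None
        src = (p.src, p.sport)
        if "R" in flags or "F" in flags:
            del self.sessions[k]          # teardown: later packets on this 4-tuple are untracked
            return "CLOSED"
        if s.state == "SYN_SENT" and flags == {"S", "A"} and src == s.server:
            s.state = "SYN_RECV"
        elif s.state == "SYN_RECV" and "A" in flags and "S" not in flags and src == s.client:
            s.state = "ESTABLISHED"
        return s.state

    def direction(self, p):
        s = self.sessions.get(self._key(p))
        if s is None:
            return None
        return "to_server" if (p.src, p.sport) == s.client else "to_client"


def run_rule(packets, stateful):
    """Return the indexes of packets that would raise an alert.

    stateful=False models a rule with no flow keyword: every packet carrying the
    content matches. stateful=True models flow:established,to_server: the packet
    must also sit inside a fully handshaken session and travel client -> server."""
    tracker = StreamTracker()
    alerts = []
    for i, p in enumerate(packets):
        state = tracker.update(p)
        if p.dport != SERVER_PORT or CONTENT not in p.payload:
            continue
        if stateful and (state != "ESTABLISHED" or tracker.direction(p) != "to_server"):
            continue
        alerts.append(i)
    return alerts


SAMPLE = [
    Packet(*CLIENT, *SERVER, "S"),                                          # 0: handshake
    Packet(*SERVER, *CLIENT, "SA"),                                         # 1
    Packet(*CLIENT, *SERVER, "A"),                                          # 2: established
    Packet(*CLIENT, *SERVER, "PA", b"GET /../../etc/passwd HTTP/1.1\r\n"),  # 3: real attack
    Packet(*ATTACKER, *SERVER, "PA", b"/etc/passwd"),                       # 4: stick-style, no handshake
    Packet(*ATTACKER, *SERVER, "S", b"/etc/passwd"),                        # 5: SYN with payload, never completed
    Packet(*CLIENT, *SERVER, "R"),                                          # 6: client resets the session
    Packet(*CLIENT, *SERVER, "PA", b"/etc/passwd"),                         # 7: same 4-tuple after the RST
]

if __name__ == "__main__":
    print("stateless alerts:", run_rule(SAMPLE, stateful=False))  # [3, 4, 5, 7]
    print("stateful alerts: ", run_rule(SAMPLE, stateful=True))   # [3]
```

Without the flow keyword every packet carrying the rule content fires, which is exactly what stick and snot exploit; with flow:established,to_server only packet 3, the request inside the handshaken session, produces an event.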