Cisco FirePOWER Appliance 7010
26-13
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Defragmenting IP Packets
Selecting Defragmentation Options
License:
Protection
You can choose to simply enable or disable IP defragmentation; however, Cisco recommends that you
specify the behavior of the enabled IP defragmentation preprocessor at a more granular level.
Where an option's description does not mention a preprocessor rule, that option is not associated with a preprocessor rule.
You can configure the global Preallocated Fragments option:
Preallocated Fragments
The maximum number of individual fragments that the preprocessor can process at once. Specifying
the number of fragment nodes to preallocate enables static memory allocation.
Caution
Processing an individual fragment uses approximately 1550 bytes of memory. If the preprocessor
requires more memory to process the individual fragments than the predetermined allowable memory
limit for the managed device, the memory limit for the device takes precedence.
You can configure the following options for each IP defragmentation policy:
Network
The IP address of the host or hosts to which you want to apply the defragmentation policy.
You can specify a single IP address or address block, or a comma-separated list of either or both.
You can specify up to 255 total profiles, including the default policy. For information on using IPv4
and IPv6 address blocks in the FireSIGHT System, see
.
Note that the default setting in the default policy specifies all IP addresses on your monitored network segment that are not covered by another target-based policy. Therefore, you cannot and do not need to specify an IP address or CIDR block/prefix length for the default policy, and you cannot leave this setting blank in another policy or use address notation to represent any (for example, 0.0.0.0/0 or ::/0).
Policy
The defragmentation policy you want to use for a set of hosts on your monitored network segment.
You can choose among seven policies: BSD, BSD-Right, First, Linux, Last, Solaris, and Windows.
See
for detailed information on these policies.
Timeout
The maximum amount of time, in seconds, that the preprocessor engine can use when reassembling
a fragmented packet. If the packet cannot be reassembled within the specified time period, the
preprocessor engine stops attempting to reassemble the packet and discards received fragments.
Minimum TTL
Specifies the minimum acceptable TTL value a fragment may have; fragments with a lower TTL are not accepted for reassembly. This option detects TTL-based insertion attacks, in which an attacker sends fragments with a TTL low enough to reach the sensor but expire before they reach the destination host, so that the sensor reassembles data the host never receives.
You can enable rule 123:1 to generate events for this option. See
for more information.
Detect Anomalies
Identifies fragmentation problems such as overlapping fragments.
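The interplay of the Policy, Timeout, Minimum TTL and Detect Anomalies options is easiest to see on a concrete fragment train. The following Python model is an added example, not FireSIGHT or Snort code: it implements only the First and Last overlap rules (the earliest-seen or the latest-seen bytes win a conflict), treats Timeout as seconds since the first fragment of a datagram arrived, drops fragments below Minimum TTL, and records overlaps as anomalies. The three-fragment train, in which the second fragment overwrites the tail of the first, is constructed for illustration; the BSD, BSD-Right, Linux, Solaris and Windows rules are not modeled.

```python
"""Tiny model of target-based IP fragment reassembly.

Added example, not FireSIGHT or Snort code. Only the First and Last
overlap rules are modeled; the fragment train below is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Fragment:
    offset: int      # byte offset of this fragment within the original datagram
    data: bytes
    ttl: int
    more: bool       # IP "more fragments" flag: set on every fragment except the last
    arrived: float   # arrival time in seconds (constructed clock)


@dataclass
class Engine:
    policy: str = "First"    # "First": earliest-seen bytes win an overlap; "Last": latest-seen win
    timeout: float = 60.0    # discard a datagram not completed within this many seconds
    min_ttl: int = 1         # fragments with a lower TTL are not used (TTL-based insertion)
    detect_anomalies: bool = True
    frags: List[Fragment] = field(default_factory=list)
    events: List[str] = field(default_factory=list)

    def add(self, frag: Fragment) -> None:
        """Accept one fragment, applying the Minimum TTL and overlap checks."""
        if frag.ttl < self.min_ttl:
            self.events.append(f"ttl {frag.ttl} < minimum {self.min_ttl}: fragment at {frag.offset} dropped")
            return
        if self.detect_anomalies:
            for old in self.frags:
                if frag.offset < old.offset + len(old.data) and old.offset < frag.offset + len(frag.data):
                    self.events.append(f"overlap: fragment at {frag.offset} overlaps fragment at {old.offset}")
        self.frags.append(frag)

    def reassemble(self, now: float) -> Optional[bytes]:
        """Return the datagram payload if complete, else None (discarding on timeout)."""
        if self.policy not in ("First", "Last"):
            raise ValueError(f"policy {self.policy!r} is not modeled in this example")
        if not self.frags:
            return None
        if now - min(f.arrived for f in self.frags) > self.timeout:
            self.events.append("timeout: fragments discarded")
            self.frags.clear()
            return None
        last = [f for f in self.frags if not f.more]
        if not last:
            return None                      # final fragment not seen yet
        total = last[0].offset + len(last[0].data)
        buf = bytearray(total)
        written = [False] * total
        for f in sorted(self.frags, key=lambda f: f.arrived):
            for i, b in enumerate(f.data):
                pos = f.offset + i
                if pos >= total:
                    break
                # First keeps the byte already written; Last overwrites it.
                if self.policy == "Last" or not written[pos]:
                    buf[pos] = b
                written[pos] = True
        if not all(written):
            return None                      # hole in the datagram
        return bytes(buf)


def constructed_train(overlap_ttl: int) -> List[Fragment]:
    """Three fragments of one datagram; the second overlaps the tail of the first (constructed)."""
    return [
        Fragment(0, b"GET /index.html ", ttl=64, more=True, arrived=0.0),
        Fragment(4, b"/etc/passwd ", ttl=overlap_ttl, more=True, arrived=0.1),
        Fragment(16, b"HTTP/1.0\r\n\r\n", ttl=64, more=False, arrived=0.2),
    ]


def reassemble_train(policy: str, min_ttl: int = 1, overlap_ttl: int = 64,
                     timeout: float = 60.0, now: float = 1.0) -> Tuple[Optional[bytes], List[str]]:
    """Feed the constructed train to an engine and return (payload, events)."""
    eng = Engine(policy=policy, timeout=timeout, min_ttl=min_ttl)
    for frag in constructed_train(overlap_ttl):
        eng.add(frag)
    return eng.reassemble(now), eng.events


if __name__ == "__main__":
    for pol in ("First", "Last"):
        print(pol, reassemble_train(pol))
    print("Last, min_ttl=3, overlapping fragment with ttl 1:", reassemble_train("Last", min_ttl=3, overlap_ttl=1))
    print("First, reassembly attempted after the 60 s timeout:", reassemble_train("First", now=61.0))
```

The same three fragments reassemble to a request for /index.html under First and for /etc/passwd under Last, which is why the policy bound to a Network must match what the destination host's IP stack actually does, and an overlap is reported either way when Detect Anomalies is on. With Minimum TTL raised to 3, the overlapping fragment sent with TTL 1 is discarded before it can influence reassembly, and a reassembly attempted after the Timeout returns nothing and frees the fragments.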