Cisco FirePOWER Appliance 8390
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Using UDP Stream Preprocessing
Step 13
Save your policy, continue editing, discard your changes, revert to the default configuration settings in
the base policy, or exit while leaving your changes in the system cache. See the
table for more information.
Using UDP Stream Preprocessing
License: Protection
UDP stream preprocessing occurs when the rules engine processes packets against a UDP rule that
includes the flow keyword (see ) using any of the following arguments:
• Established
• To Client
• From Client
• To Server
• From Server
UDP is a connectionless protocol that does not provide a means for two endpoints to establish a
communication channel, exchange data, and close the channel. UDP data streams are not typically
thought of in terms of sessions. However, the stream preprocessor uses the source and destination IP
address fields in the encapsulating IP datagram header and the port fields in the UDP header to determine
the direction of flow and identify a session. A session ends when a configurable timer is exceeded, or
when either endpoint receives an ICMP message that the other endpoint is unreachable or the requested
service is unavailable.
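The session logic described above, sketched as an added example (not Cisco's or Snort's code): sessions are keyed on the IP address and port pair, direction is relative to the first sender, and a session ends on timer expiry or an ICMP unreachable message. Treating the first sender as the client, marking a session established after the first reply, the 30-second timer value and all names are assumptions made for illustration.

```python
# Added illustration (not Cisco or Snort code): UDP pseudo-session tracking.
from dataclasses import dataclass

@dataclass
class Session:
    client: tuple               # (ip, port) that sent the first datagram (assumption)
    server: tuple               # (ip, port) the first datagram was sent to
    last_seen: float            # time of the most recent datagram in either direction
    established: bool = False   # assumption: set once the server side has replied

class UdpTracker:
    def __init__(self, timeout=30.0):
        # 30.0 is a constructed value standing in for the configurable timer.
        self.timeout = timeout
        self.sessions = {}

    @staticmethod
    def _key(a, b):
        # Order the endpoints so both directions of a flow share one key.
        return (a, b) if a <= b else (b, a)

    def packet(self, now, src, dst):
        """Track one datagram; return (direction, established)."""
        key = self._key(src, dst)
        s = self.sessions.get(key)
        if s is not None and now - s.last_seen > self.timeout:
            s = None            # timer exceeded: the old session is over
        if s is None:
            s = self.sessions[key] = Session(client=src, server=dst, last_seen=now)
        s.last_seen = now
        if src == s.client:
            return "to_server", s.established
        s.established = True    # traffic has now been seen in both directions
        return "to_client", True

    def icmp_unreachable(self, src, dst):
        """An ICMP unreachable for a datagram src -> dst ends that session."""
        return self.sessions.pop(self._key(src, dst), None) is not None
```

After a timeout the next datagram starts a new session, so the client and server roles follow whichever endpoint speaks first.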
Note that the system does not generate events related to UDP stream preprocessing; however, you can
enable related packet decoder rules to detect UDP protocol header anomalies. For information on events
generated by the packet decoder, see
Note also that UDP stream preprocessing can be automatically enabled when a rule that requires UDP
stream preprocessing is enabled. For more information, see
The following configurations require UDP stream preprocessing to be enabled:
• DNS preprocessor
• SIP preprocessor
• DCE/RPC preprocessor with the UDP transport protocol selected
• UDP intrusion rules that use the flow, flowbits, or stream-size keyword
Configuring UDP Stream Preprocessing
License: Protection
You can configure UDP stream preprocessing.
To configure the stream preprocessor to track UDP sessions:
Access: Admin/Intrusion Admin
Step 1 Select Policies > Intrusion > Intrusion Policy.