Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Using TCP Stream Preprocessing
however, that reassembling additional traffic types (client, server, both) increases resource demands. For
more information,
See the following sections for more information:
Understanding Stream-Based Attacks
License: Protection
Stream reassembly allows the rules engine to identify stream-based attacks, which it may not detect
when inspecting individual packets. You can specify which communication streams the rules engine
reassembles based on your network needs. For example, when monitoring traffic on your web servers,
you may only want to inspect client traffic because you are much less likely to receive malicious traffic
from your own web server.
Selecting Stream Reassembly Options
License: Protection
In each TCP policy, you can specify a comma-separated list of ports to identify the traffic for the stream
preprocessor to reassemble. If adaptive profiles are enabled, you can also list services that identify traffic
to reassemble, either as an alternative to ports or in combination with ports. See
for information on enabling and using adaptive profiles.
You can specify ports, services, or both. You can specify separate lists of ports for any combination of
client ports, server ports, and both. You can also specify separate lists of services for any combination
of client services, server services, and both. For example, assume that you wanted to reassemble the
following:
• SMTP (port 25) traffic from the client
• FTP server responses (port 21)
• telnet (port 23) traffic in both directions
You could configure the following:
• For client ports, specify 23, 25
• For server ports, specify 21, 23
Or, instead, you could configure the following:
• For client ports, specify 25
• For server ports, specify 21
• For both ports, specify 23
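The two configurations above can be compared mechanically. The following Python code is an added example, not part of the Cisco guide and not a FireSIGHT API; the function names, the REQUIRED table and the 1-65535 port range are assumptions made for illustration. It expands each port list into per-direction coverage and reports directions that are missing or that would be reassembled without being required.

```python
# Added example: names are illustrative, not FireSIGHT settings or APIs.

def parse_ports(text):
    """Parse a comma-separated port list such as '23, 25' into a set of ints."""
    ports = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        port = int(item)
        if not 1 <= port <= 65535:  # assumed valid TCP port range
            raise ValueError(f"port out of range: {port}")
        ports.add(port)
    return ports


def effective_reassembly(client="", server="", both=""):
    """Map each port to the traffic directions that would be reassembled."""
    result = {}
    for direction, text in (("client", client), ("server", server)):
        for port in parse_ports(text):
            result.setdefault(port, set()).add(direction)
    for port in parse_ports(both):
        result.setdefault(port, set()).update({"client", "server"})
    return result


def coverage_gaps(required, configured):
    """Return (missing, extra) port/direction pairs relative to the requirement."""
    want = {(p, d) for p, ds in required.items() for d in ds}
    have = {(p, d) for p, ds in configured.items() for d in ds}
    return sorted(want - have), sorted(have - want)


# Requirement from the text: SMTP from the client, FTP server responses,
# telnet in both directions.
REQUIRED = {25: {"client"}, 21: {"server"}, 23: {"client", "server"}}

if __name__ == "__main__":
    first = effective_reassembly(client="23, 25", server="21, 23")
    second = effective_reassembly(client="25", server="21", both="23")
    print("equivalent:", first == second)
    print("gaps in first:", coverage_gaps(REQUIRED, first))
    # Constructed misconfiguration: telnet listed only under client ports.
    partial = effective_reassembly(client="23, 25", server="21")
    print("gaps in partial:", coverage_gaps(REQUIRED, partial))
```

The "extra" list is the part that costs resources: each pair in it is a direction being reassembled that the requirement never asked for.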
Additionally, consider the following example which combines ports and services and would be valid
when adaptive profiles are enabled:
• For client ports, specify 23