Cisco FirePOWER Appliance 7115

Version 5.3
Sourcefire 3D System User Guide
969
Using Transport & Network Layer Preprocessors
Using TCP Stream Preprocessing
Chapter 24
Selecting TCP Global Options
License: Protection
This section describes the options that control how the TCP stream preprocessor 
functions.
If no preprocessor rule is mentioned, the option is not associated with a 
preprocessor rule.
Packet Type Performance Boost
Enables ignoring TCP traffic for all ports and application protocols that are not 
specified in enabled rules, except when a TCP rule with both the source and 
destination ports set to any has a flow or flowbits option. This performance 
improvement could result in missed attacks.
Maximum Active Responses
Specifies a maximum of 1 to 25 active responses per TCP connection. When 
additional traffic occurs on a connection where an active response has been 
initiated, and the traffic occurs more than Minimum Response Seconds after a 
previous active response, the system sends another active response unless 
the specified maximum has been reached. A setting of 0 disables active 
responses triggered by drop rules and disables additional active responses 
triggered by resp or react rules. For more information, see 
Minimum Response Seconds
Specifies how long, from 1 to 300 seconds, the system waits after initiating an 
active response before additional traffic on the same connection triggers a 
subsequent active response, until Maximum Active Responses is reached.
Understanding Target-Based TCP Policies
License: Protection
Different operating systems implement TCP in different ways. For example, 
Windows and some other operating systems require a TCP reset segment to 
have a precise TCP sequence number to reset a session, while Linux and other 
operating systems permit a range of sequence numbers. In this example, the 
stream preprocessor must understand exactly how the destination host will 
respond to the reset based on the sequence number. The stream preprocessor 
stops tracking the session only when the destination host considers the reset to 
be valid, so an attack cannot evade detection by sending packets after the 
preprocessor stops inspecting the stream. Other variations in TCP 
implementations include such things as whether an operating system employs a 
TCP timestamp option and, if so, how it handles the timestamp, and whether an 
operating system accepts or ignores data in a SYN packet.
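As an added illustration (not code from the guide or the product), the following Python model shows why the preprocessor's target-based policy must match the destination host: the two policies are simplified stand-ins for the exact-sequence and in-window reset behaviours described above, and the session fields and the `simulate` helper are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Simplified per-OS RST acceptance rules modelled on the paragraph above:
# a "windows"-style host honours a reset only when its sequence number equals
# the next expected sequence number; a "linux"-style host honours any reset
# whose sequence number falls inside the current receive window.
# (Assumption for illustration; real TCP stacks are more nuanced.)
POLICIES = {
    "windows": lambda seq, expected, window: seq == expected,
    "linux":   lambda seq, expected, window: expected <= seq < expected + window,
}

@dataclass
class TrackedSession:
    policy: str             # OS policy applied to this session (assumed field)
    expected_seq: int       # next sequence number the receiver expects
    window: int = 65535     # receiver's advertised window (constructed value)
    tracking: bool = True   # False once the session is considered reset
    inspected: list = field(default_factory=list)

    def on_rst(self, seq: int) -> bool:
        """Stop tracking only if this policy says the reset is valid."""
        if self.tracking and POLICIES[self.policy](seq, self.expected_seq, self.window):
            self.tracking = False
        return self.tracking

    def on_data(self, payload: bytes) -> bool:
        """Return True if the payload was inspected (session still tracked)."""
        if not self.tracking:
            return False
        self.inspected.append(payload)
        self.expected_seq += len(payload)
        return True

def simulate(inspector_policy: str, host_policy: str, rst_seq: int, expected: int):
    """Compare what the preprocessor inspects with what the host accepts.

    Returns (inspector_saw_data, host_accepted_data). A (False, True) result
    means data reached the host after the preprocessor stopped inspecting.
    """
    inspector = TrackedSession(inspector_policy, expected)
    host = TrackedSession(host_policy, expected)
    inspector.on_rst(rst_seq)
    host.on_rst(rst_seq)
    payload = b"GET /after-reset HTTP/1.1\r\n"  # constructed sample segment
    return inspector.on_data(payload), host.on_data(payload)
```

A mismatched policy fails in both directions: the inspector may drop a session the host keeps, or keep inspecting a session the host has already torn down.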