Cisco FirePOWER Appliance 7115, Version 5.3
Sourcefire 3D System User Guide, page 969
Chapter 24: Using Transport & Network Layer Preprocessors
Using TCP Stream Preprocessing
Selecting TCP Global Options
License: Protection
This section describes the options that control how the TCP stream preprocessor
functions.
If no preprocessor rule is mentioned, the option is not associated with a
preprocessor rule.
Packet Type Performance Boost
Enables ignoring TCP traffic for all ports and application protocols that are not
specified in enabled rules, except when a TCP rule with both the source and
destination ports set to any has a flow or flowbits option. This performance
improvement could result in missed attacks.
Maximum Active Responses
Specifies a maximum of 1 to 25 active responses per TCP connection. When
additional traffic occurs on a connection where an active response has been
initiated, and the traffic occurs more than Minimum Response Seconds after a
previous active response, the system sends another active response unless
the specified maximum has been reached. A setting of 0 disables active
responses triggered by drop rules and disables additional active responses
triggered by resp or react rules. For more information, see
Minimum Response Seconds
Until Maximum Active Responses occur, specifies waiting 1 to 300 seconds
before any additional traffic on a connection where the system has initiated
an active response results in a subsequent active response.
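The two options above together form a per-connection throttle. The following added example (written for this guide page, not Sourcefire code) models that throttle in Python so the interaction between the ceiling, the quiet period and the special value 0 can be seen on a timeline. The class name and method names are made up for illustration, and the model assumes that the maximum counts every response sent on the connection, including the first one a rule initiates; the page does not say so explicitly.

```python
"""Model of Maximum Active Responses / Minimum Response Seconds.

Hypothetical illustration of the documented behaviour, not the preprocessor's
own implementation. Times are seconds as floats; a connection is any hashable
key (a 4-tuple in the demo below).
"""
from dataclasses import dataclass, field
from typing import Dict, Hashable, List, Tuple


@dataclass
class ConnState:
    responses_sent: int = 0        # assumption: includes the initial response
    last_response_at: float = 0.0


@dataclass
class ActiveResponseLimiter:
    max_active_responses: int      # 0 disables; otherwise 1 to 25 per connection
    min_response_seconds: int      # 1 to 300 seconds between responses
    conns: Dict[Hashable, ConnState] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Enforce the ranges the guide documents for both options.
        if not 0 <= self.max_active_responses <= 25:
            raise ValueError("Maximum Active Responses must be 0 or 1 to 25")
        if not 1 <= self.min_response_seconds <= 300:
            raise ValueError("Minimum Response Seconds must be 1 to 300")

    def initiate(self, conn: Hashable, now: float, from_drop_rule: bool) -> bool:
        """A rule that carries an active response matched on this connection.

        Returns True when a response is sent. A maximum of 0 suppresses
        drop-rule responses entirely but still allows the first response from
        a resp or react rule (only *additional* responses are disabled).
        """
        if from_drop_rule and self.max_active_responses == 0:
            return False
        st = self.conns.setdefault(conn, ConnState())
        if st.responses_sent > 0:
            # A response is already active: treat this like further traffic.
            return self.on_traffic(conn, now)
        st.responses_sent = 1
        st.last_response_at = now
        return True

    def on_traffic(self, conn: Hashable, now: float) -> bool:
        """Further traffic seen on the connection; decide on a follow-up."""
        st = self.conns.get(conn)
        if st is None or st.responses_sent == 0:
            return False    # no active response has been initiated here
        if self.max_active_responses == 0:
            return False    # 0 disables all additional responses
        if st.responses_sent >= self.max_active_responses:
            return False    # per-connection ceiling already reached
        if now - st.last_response_at <= self.min_response_seconds:
            return False    # must be *more than* the minimum since the last one
        st.responses_sent += 1
        st.last_response_at = now
        return True


def demo() -> List[Tuple[float, bool]]:
    """Timeline for one constructed connection: max 3 responses, 5 s quiet period."""
    lim = ActiveResponseLimiter(max_active_responses=3, min_response_seconds=5)
    conn = ("10.0.0.1", 40000, "10.0.0.2", 80)          # constructed sample flow
    events = [(0.0, lim.initiate(conn, 0.0, from_drop_rule=True))]
    for t in (3.0, 5.0, 6.0, 20.0, 40.0):
        events.append((t, lim.on_traffic(conn, t)))
    return events   # responses at t=0, 6 and 20; 3, 5 and 40 are suppressed


if __name__ == "__main__":
    for t, sent in demo():
        print(f"t={t:5.1f}s  response sent: {sent}")
```

The check `now - last <= min_response_seconds` is deliberately inclusive: the guide says a follow-up is sent only when traffic occurs *more than* Minimum Response Seconds after the previous response, so traffic exactly at the boundary is still suppressed.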
Understanding Target-Based TCP Policies
License: Protection
Different operating systems implement TCP in different ways. For example,
Windows and some other operating systems require a TCP reset segment to
have a precise TCP sequence number to reset a session, while Linux and other
operating systems permit a range of sequence numbers. In this example, the
stream preprocessor must understand exactly how the destination host will
respond to the reset based on the sequence number. The stream preprocessor
stops tracking the session only when the destination host considers the reset to
be valid, so an attack cannot evade detection by sending packets after the
preprocessor stops inspecting the stream. Other variations in TCP
implementations include such things as whether an operating system employs a
TCP timestamp option and, if so, how it handles the timestamp, and whether an
operating system accepts or ignores data in a SYN packet.
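The reset example above is the core of why the stream preprocessor is target-based: if the preprocessor stops tracking a session on a reset that the real destination host ignores, every later segment on that session goes uninspected. The following added example (written for this page, not Sourcefire code) models the two reset policies the text describes, an exact-sequence host and an in-window host, and shows how a tracker configured for the wrong policy drops out of a session early. The policy names, class and function names are made up for illustration; the receive-window check is the model's simplification of in-window acceptance.

```python
"""Target-based reset handling, modelled after the guide's Windows/Linux example.

Hypothetical illustration only. Sequence arithmetic is modulo 2**32 so the
comparison survives wraparound.
"""
from dataclasses import dataclass, field
from typing import Dict, List

SEQ_MOD = 2 ** 32


@dataclass
class SessionView:
    """The destination host's view of one direction of a session."""
    rcv_nxt: int    # next sequence number the host expects
    rcv_wnd: int    # advertised receive window in bytes


def rst_accepted(policy: str, rst_seq: int, view: SessionView) -> bool:
    """Would a host following `policy` tear the session down on this RST?

    'exact'  : the RST must carry precisely rcv_nxt (the guide's Windows case)
    'window' : any RST inside the receive window is accepted (the Linux case)
    """
    offset = (rst_seq - view.rcv_nxt) % SEQ_MOD
    if policy == "exact":
        return offset == 0
    if policy == "window":
        return offset < view.rcv_wnd
    raise ValueError(f"unknown target policy: {policy!r}")


@dataclass
class StreamTracker:
    """Tracks a session and stops only when the configured target would."""
    target_policy: str
    view: SessionView
    tracking: bool = True
    inspected: List[bytes] = field(default_factory=list)

    def on_rst(self, seq: int) -> bool:
        """Returns True if the tracker is still following the session."""
        if self.tracking and rst_accepted(self.target_policy, seq, self.view):
            self.tracking = False
        return self.tracking

    def on_data(self, payload: bytes) -> bool:
        """Data segment arrives; it is inspected only while tracking."""
        if self.tracking:
            self.inspected.append(payload)
        return self.tracking


def demo() -> Dict[str, int]:
    """Same packets, two configured policies; the real host is exact-sequence.

    Returns the number of data segments each configuration inspected.
    """
    view = SessionView(rcv_nxt=1000, rcv_wnd=8192)
    # Constructed sample: a reset five bytes ahead of rcv_nxt, then more data.
    packets = [("rst", 1005), ("data", b"segment one"), ("data", b"segment two")]
    inspected: Dict[str, int] = {}
    for configured in ("exact", "window"):
        tracker = StreamTracker(configured, view)
        for kind, value in packets:
            if kind == "rst":
                tracker.on_rst(value)
            else:
                tracker.on_data(value)
        inspected[configured] = len(tracker.inspected)
    return inspected   # {'exact': 2, 'window': 0}


if __name__ == "__main__":
    for policy, count in demo().items():
        print(f"configured policy {policy:7s}: {count} segment(s) inspected")
```

The exact-sequence host in the demo ignores the off-by-five reset and keeps receiving data, which the correctly configured tracker also keeps inspecting; the tracker configured for the in-window policy accepts the reset, stops tracking, and sees nothing of the two segments that follow. Matching the policy to the destination's real operating system is what removes that blind spot.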