Cisco FirePOWER Appliance 8360
26-6
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Normalizing Inline Traffic
• clears the 3-bit Reserved field in the TCP header
• clears the 16-bit Urgent Pointer field if the urgent (URG) control bit is not set
• clears the Urgent Pointer field and the URG control bit if there is no payload
• clears the URG control bit if the Urgent Pointer is not set
• clears any option padding bytes
• blocks a subsequent SYN that does not have the same sequence number as the original SYN
Dropped TCP Packets
When you enable Normalize TCP, the system drops the following without generating an event:
• retransmitted copies of previously dropped packets
• traffic that attempts to continue a previously dropped session
• any packet that matches any of the TCP stream preprocessor rules listed in Table 26-1, regardless of whether the rules are enabled
The Blocked Packets performance graph tracks the number of packets dropped as the result of this option being enabled. See … for more information.
Automatically Allowed TCP Options
When you enable Normalize TCP and do not specify any for Allow These TCP Options, the system performs the following normalizations:
• except MSS, Window Scale, Time Stamp, and any explicitly allowed options, sets all option bytes to No Operation (TCP Option 1)
• sets the Time Stamp octets to No Operation if Time Stamp is present but invalid, or valid but not negotiated
• drops the packet if Time Stamp is negotiated but not present
• clears the Time Stamp Echo Reply (TSecr) option field if the Acknowledgement (ACK) control bit is not set
• sets the MSS and Window Scale options to No Operation (TCP Option 1) if the Synchronization (SYN) control bit is not set
See … for more information.
Normalizations Associated with Specific TCP Options
The system performs the following optional normalizations when you enable Normalize TCP and select the corresponding option:
• enabling the Normalize Urgent Pointer option sets the two-byte Urgent Pointer header field to the payload length if the pointer is greater than the payload length
• enabling the Normalize TCP Payload option normalizes the TCP Data field to ensure consistency in retransmitted data and drops any segments that cannot be properly reassembled
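The header rules (Reserved field, Urgent Pointer and URG bit, option padding), the option rules (MSS, Window Scale and Time Stamp handling, other options rewritten to No Operation) and the Normalize Urgent Pointer clamp described in this section, carried out over a raw TCP segment so that the before and after bytes can be compared. This is an added example written for this page in Python; it is not Cisco's code and not the Snort normalizer's implementation. It assumes the Reserved field is the three bits between the data offset and the NS flag, that a Time Stamp option is "invalid" when its length is not 10, that the stream's Time Stamp negotiation state is passed in as the ts_negotiated argument rather than tracked from the SYN exchange, and that a truncated option is rewritten to NOPs. The segments built by build_segment are constructed test input, not captured traffic.

```python
import struct

# TCP control bits in the low byte of the offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Option kinds (RFC 793, RFC 7323)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_TIMESTAMP = 0, 1, 2, 3, 8


def normalize_tcp(segment, allowed=frozenset(), ts_negotiated=False,
                  normalize_urgent_pointer=False):
    """Apply the Normalize TCP header and option rules to one raw TCP segment.

    Returns ("pass", normalized_bytes) or ("drop", None).  ts_negotiated stands
    in for the per-stream state the inline normalizer keeps (assumption);
    allowed is the set of option kinds listed under Allow These TCP Options.
    The TCP checksum is not recomputed here.
    """
    seg = bytearray(segment)
    offx_flags = struct.unpack_from("!H", seg, 12)[0]
    hdr_len = (offx_flags >> 12) * 4
    if hdr_len < 20 or hdr_len > len(seg):
        raise ValueError("data offset does not fit the segment")
    flags = offx_flags & 0x1FF          # NS plus the eight classic control bits
    payload_len = len(seg) - hdr_len
    urg_ptr = struct.unpack_from("!H", seg, 18)[0]

    # Urgent Pointer / URG consistency
    if not flags & URG:
        urg_ptr = 0                     # a pointer without URG is cleared
    if payload_len == 0:
        urg_ptr = 0                     # nothing to point at: clear both
        flags &= ~URG
    if urg_ptr == 0:
        flags &= ~URG                   # URG without a pointer is cleared
    # Normalize Urgent Pointer option: clamp the pointer to the payload length
    if normalize_urgent_pointer and urg_ptr > payload_len:
        urg_ptr = payload_len
    # Rebuild the word from the data offset and control bits only; the three
    # bits between them (the Reserved field, assumed to sit just above NS) drop out
    offx_flags = (offx_flags & 0xF000) | flags

    # Option rules
    opts = seg[20:hdr_len]
    ts_seen = False
    negotiating = bool(flags & SYN)     # a SYN is where Time Stamp gets negotiated
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            for j in range(i + 1, len(opts)):
                opts[j] = 0             # clear any option padding bytes
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            # truncated option: rewrite the remainder to NOPs (assumption)
            opts[i:] = b"\x01" * (len(opts) - i)
            break
        length = opts[i + 1]
        if kind == OPT_TIMESTAMP:
            ts_seen = True
            if length != 10 or not (ts_negotiated or negotiating):
                opts[i:i + length] = b"\x01" * length   # invalid, or not negotiated
            elif not flags & ACK:
                opts[i + 6:i + 10] = b"\x00" * 4        # clear TSecr when ACK is not set
        elif kind in (OPT_MSS, OPT_WSCALE):
            if not flags & SYN:
                opts[i:i + length] = b"\x01" * length   # only meaningful on a SYN
        elif kind not in allowed:
            opts[i:i + length] = b"\x01" * length       # everything else becomes NOP
        i += length
    if ts_negotiated and not ts_seen:
        return "drop", None             # Time Stamp negotiated but not present

    seg[20:hdr_len] = opts
    struct.pack_into("!H", seg, 12, offx_flags)
    struct.pack_into("!H", seg, 18, urg_ptr)
    return "pass", bytes(seg)


def build_segment(flags, urg_ptr=0, options=b"", payload=b"", reserved=0):
    """Build a minimal TCP segment (constructed test input, not captured traffic)."""
    options = options + b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    hdr_len = 20 + len(options)
    offx_flags = ((hdr_len // 4) << 12) | (reserved << 9) | flags
    header = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, offx_flags, 65535, 0, urg_ptr)
    return header + options + payload


if __name__ == "__main__":
    # URG with a zero pointer and junk in the Reserved bits: both are cleared
    act, out = normalize_tcp(build_segment(ACK | URG, payload=b"abc", reserved=0b111))
    print(act, out[12:14].hex())
    # MSS on a non-SYN segment is rewritten to NOPs
    act, out = normalize_tcp(build_segment(ACK, options=b"\x02\x04\x05\xb4", payload=b"x"))
    print(act, out[20:24].hex())
    # Time Stamp negotiated for the stream but absent from this segment: dropped
    print(normalize_tcp(build_segment(ACK, payload=b"x"), ts_negotiated=True))
```

The rules that need stream state (retransmitted copies of dropped packets, continuation of a dropped session, the SYN sequence-number check) are not modelled, and the checksum is left for the device to recompute after rewriting; the point of the example is to make visible which bytes the per-segment rules touch.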
Table 26-1 These preprocessor rules drop packets when Normalize TCP is enabled...
129:1, 129:3, 129:4, 129:6, 129:8, 129:11, 129:14 through 129:19