If no preprocessor rule is mentioned in the following
descriptions, the option is not associated with a preprocessor rule.
You can configure the following global TCP option:
Packet Type
Performance Boost
Enables ignoring TCP traffic for all ports and application
protocols that are not specified in enabled intrusion rules, except when a TCP
rule with both the source and destination ports set to
any
has a
flow
or
flowbits
option. This performance improvement could
result in missed attacks.
You can configure the following options for each TCP policy.
Network
Specifies the host IP addresses to which you want to apply the
TCP stream reassembly policy.
You can specify a single IP address or address block. You can
specify up to 255 total profiles including the default policy.
Note
|
The system builds a separate network map for each leaf domain. In a multidomain deployment, using literal IP addresses to
constrain this configuration can have unexpected results.
Using override-enabled objects allows descendant domain administrators to tailor Global configurations to their local environments.
|
Note that the
default
setting in the default policy specifies all IP
addresses on your monitored network segment that are not covered by another
target-based policy. Therefore, you cannot and do not need to specify an IP
address or CIDR block/prefix length for the default policy, and you cannot
leave this setting blank in another policy or use address notation to represent
any
(for example, 0.0.0.0/0 or ::/0).
Policy
Identifies the TCP policy operating system of the target host or
hosts. If you select a policy other than
Mac OS, the system removes the data from the
synchronization (SYN) packets and disables event generation for rule 129:2.
Note that enabling the inline normalization preprocessor
Remove Data on SYN option also disables rule 129:2.
The following table identifies the operating system policies and
the host operating systems that use each.
Table 2. TCP Operating System Policies
Policy
|
Operating Systems
|
First
|
unknown OS
|
Last
|
Cisco IOS
|
BSD
|
AIX
FreeBSD
OpenBSD
|
Linux
|
Linux 2.4 kernel
Linux 2.6 kernel
|
Old Linux
|
Linux 2.2 and earlier kernel
|
Windows
|
Windows 98
Windows NT
Windows 2000
Windows XP
|
Windows 2003
|
Windows 2003
|
Windows Vista
|
Windows Vista
|
Solaris
|
Solaris OS
SunOS
|
IRIX
|
SGI Irix
|
HPUX
|
HP-UX 11.0 and later
|
HPUX 10
|
HP-UX 10.2 and earlier
|
Mac OS
|
Mac OS 10 (Mac OS X)
|
Tip
|
The First operating system policy could offer some protection
when you do not know the host operating system. However, it may result in
missed attacks. You should edit the policy to specify the correct operating
system if you know it.
|
Timeout
The number of seconds between 1 and 86400 the intrusion rules engine keeps an inactive stream in the state table. If the stream
is not reassembled in the specified time, the intrusion rules engine deletes it from the state table.
Note
|
If your managed device is deployed on a segment where the network traffic is likely to reach the device’s bandwidth limits,
you should consider setting this value higher (for example, to 600 seconds) to lower the amount of processing overhead.
|
Firepower Threat Defense devices use this option only for connections that are inspected by Snort. For other connections, you need to configure a
global TCP timeout in your platform settings policy.
Maximum TCP
Window
Specifies the maximum TCP window size between 1 and 1073725440
bytes allowed as specified by a receiving host. Setting the value to 0 disables
checking for the TCP window size.
Caution
|
The upper limit is the maximum window size permitted by RFC, and
is intended to prevent an attacker from evading detection, but setting a
significantly large maximum window size could result in a self-imposed denial
of service.
|
When Stateful Inspection Anomalies is enabled, you can enable rule 129:6 to generate events and, in an inline deployment, drop offending packets for this option.
Overlap
Limit
Specifies that when the configured number between 0 (unlimited)
and 255 of overlapping segments in a session has been detected, segment
reassembly stops for that session and, if
Stateful Inspection Anomalies is enabled and the
accompanying preprocessor rule is enabled, an event is generated.
You can enable rule 129:7 to generate events and, in an inline deployment, drop offending packets for this option.
Flush
Factor
In an inline deployment, specifies that when a segment of
decreased size has been detected subsequent to the configured number between 1
and 2048 of segments of non-decreasing size, the system flushes segment data
accumulated for detection. Setting the value to 0 disables detection of this
segment pattern, which can indicate the end of a request or response. Note that
the Inline Normalization
Normalize TCP Payload
option must be enabled for this option the be effective.
Stateful
Inspection Anomalies
Detects anomalous behavior in the TCP stack. When accompanying
preprocessor rules are enabled, this may generate many events if TCP/IP stacks
are poorly written.
You can enable the following rules to generate events and, in an inline deployment, drop offending packets for this option:
-
129:1 through 129:5
-
129:6 (Mac OS only)
-
129:8 through 129:11
-
129:13 through 129:19
Note the following:
TCP Session
Hijacking
Detects TCP session hijacking by validating the hardware (MAC)
addresses detected from both sides of a TCP connection during the 3-way
handshake against subsequent packets received on the session. When the MAC
address for one side or the other does not match, if
Stateful Inspection Anomalies is enabled and one of
the two corresponding preprocessor rules are enabled, the system generates
events.
You can enable rules 129:9 and 129:10 to generate events and, in an inline deployment, drop offending packets for this option. Note that for either of these rules to generate events you must also enable Stateful Inspection Anomalies.
Consecutive
Small Segments
When
Stateful Inspection Anomalies is enabled, specifies
a maximum number of 1 to 2048 consecutive small TCP segments allowed. Setting
the value to 0 disables checking for consecutive small segments.
You must set this option together with the
Small Segment Size option, either disabling both or
setting a non-zero value for both. Note that receiving as many as 2000
consecutive segments, even if each segment was 1 byte in length, without an
intervening ACK would be far more consecutive segments than you would normally
expect.
You can enable rule 129:12 to generate events and, in an inline deployment, drop offending packets for this option.
Small Segment
Size
When
Stateful Inspection Anomalies is enabled, specifies
the 1 to 2048 byte TCP segment size that is considered small. Setting the value
to 0 disables specifying the size of a small segment.
You must set this option together with the
Consecutive Small Segments option, either disabling
both or setting a non-zero value for both. Note that a 2048 byte TCP segment is
larger than a normal 1500 byte Ethernet frame.
Ports Ignoring
Small Segments
When
Stateful Inspection Anomalies,
Consecutive Small Segments, and
Small Segment Size are enabled, specifies a
comma-separated list of one or more ports that ignore small TCP segment
detection. Leaving this option blank specifies that no ports are ignored.
You can add any port to the list, but the list only affects
ports specified in one of the
Perform Stream Reassembly on port lists in the TCP
policy.
Require TCP
3-Way Handshake
Specifies that sessions are treated as established only upon
completion of a TCP three-way handshake. Disable this option to increase
performance, protect from SYN flood attacks, and permit operation in a
partially asynchronous environment. Enable it to avoid attacks that attempt to
generate false positives by sending information that is not part of an
established TCP session.
You can enable rule 129:20 to generate events and, in an inline deployment, drop offending packets for this option.
3-Way
Handshake Timeout
Specifies the number of seconds between 0 (unlimited) and 86400
(twenty-four hours) by which a handshake must be completed when
Require TCP 3-Way Handshake is enabled. You must
enable
Require TCP 3-Way Handshake to modify the value for
this option.
Packet Size
Performance Boost
Sets the preprocessor to not queue large packets in the
reassembly buffer. This performance improvement could result in missed attacks.
Disable this option to protect against evasion attempts using small packets of
one to twenty bytes. Enable it when you are assured of no such attacks because
all traffic is comprised of very large packets.
Legacy
Reassembly
Sets the stream preprocessor to emulate the deprecated Stream 4
preprocessor when reassembling packets, which lets you compare events
reassembled by the stream preprocessor to events based on the same data stream
reassembled by the Stream 4 preprocessor.
Asynchronous
Network
Specifies whether the monitored network is an asynchronous
network, that is, a network where the system sees only half the traffic. When
this option is enabled, the system does not reassemble TCP streams to increase
performance.
Perform Stream
Reassembly on Client Ports
Enables stream reassembly based on ports for the client side of
the connection. In other words, it reassembles streams destined for web
servers, mail servers, or other IP addresses typically defined by the IP
addresses specified in $HOME_NET. Use this option when you expect malicious
traffic to originate from clients.
Perform Stream
Reassembly on Client Services
Enables stream reassembly based on services for the client side
of the connection. Use this option when you expect malicious traffic to
originate from clients.
At least one client detector must be enabled for each client
service you select. By default, all Cisco-provided detectors are activated. If
no detector is enabled for an associated client application, the system
automatically enables all Cisco-provided detectors for the application; if none
exist, the system enables the most recently modified user-defined detector for
the application.
This feature requires Protection and Control licenses.
Perform Stream
Reassembly on Server Ports
Enables stream reassembly based on ports for the server side of
the connection only. In other words, it reassembles streams originating from
web servers, mail servers, or other IP addresses typically defined by the IP
addresses specified in $EXTERNAL_NET. Use this option when you want to watch
for server side attacks. You can disable this option by not specifying ports.
Note
|
For a thorough inspection of a service, add the service name in the Perform Stream Reassembly on Server Services field in addition to adding the port number in the Perform Stream Reassembly on Server Ports field. For example, add 'HTTP' service in the Perform Stream Reassembly on Server Services field to inspect HTTP service in addition to adding port number 80 in the Perform Stream Reassembly on Server Ports field.
|
Perform Stream
Reassembly on Server Services
Enables stream reassembly based on services for the server side
of the connection only. Use this option when you want to watch for server side
attacks. You can disable this option by not specifying services.
At least one detector must be enabled. By default, all
Cisco-provided detectors are activated. If no detector is enabled for a
service, the system automatically enables all Cisco-provided detectors for the
associated application protocol; if none exist, the system enables the most
recently modified user-defined detector for the application protocol.
This feature requires Protection and Control licenses.
Perform Stream
Reassembly on Both Ports
Enables stream reassembly based on ports for both the client and
server side of the connection. Use this option when you expect that malicious
traffic for the same ports may travel in either direction between clients and
servers. You can disable this option by not specifying ports.
Perform Stream
Reassembly on Both Services
Enables stream reassembly based on services for both the client
and server side of the connection. Use this option when you expect that
malicious traffic for the same services may travel in either direction between
clients and servers.You can disable this option by not specifying services.
At least one detector must be enabled. By default, all
Cisco-provided detectors are activated. If no detector is enabled for an
associated client application or application protocol, the system automatically
enables all Cisco-provided detectors for the application or application
protocol; if none exist, the system enables the most recently modified
user-defined detector for the application or application protocol.
This feature requires Protection and Control licenses.
Troubleshooting Options: Maximum Queued Bytes
Support might ask you during a troubleshooting call to specify
the amount of data that can be queued on one side of a TCP connection. A value
of 0 specifies an unlimited number of bytes.
Caution
|
Changing the setting for this troubleshooting option will affect
performance and should be done only with Support guidance.
|
Troubleshooting Options: Maximum Queued Segments
Support might ask you during a troubleshooting call to specify
the maximum number of bytes of data segments that can be queued on one side of
a TCP connection. A value of 0 specifies an unlimited number of data segment
bytes.
Caution
|
Changing the setting for this troubleshooting option will affect
performance and should be done only with Support guidance.
|