Stream TCP reassembly configuration
The binder inspector defines the TCP stream reassembly configuration for the network analysis policy (NAP). You specify the host IP addresses to which you want to apply the TCP stream reassembly policy. The stream TCP inspector is automatically associated with the ports configured in the binder for the NAP. For more information, see the Binder Inspector Overview.
Note: The system builds a separate network map for each leaf domain. In a multidomain deployment, using literal IP addresses to constrain this configuration can have unexpected results. Using override-enabled objects allows descendant domain administrators to tailor Global configurations to their local environments.
The default setting in the default policy specifies all IP addresses on your monitored network segment that are not covered by another target-based policy. Therefore, you cannot and do not need to specify an IP address or CIDR block/prefix length for the default policy, and you cannot leave this setting blank in another policy or use address notation to represent any (for example, 0.0.0.0/0 or ::/0).
policy
Specifies the operating system of the target host or hosts. The operating system determines the appropriate TCP reassembly policy and operating system characteristics. You can define only one policy parameter for each stream TCP inspector.
Note: If you set the policy parameter to first, Snort may provide some protection but miss attacks. You should edit the policy parameter of the TCP stream inspector to specify the appropriate operating system.
Type: enum
Valid values: Set a type of operating system for the policy parameter.

Table 1. TCP Operating System Policies

Policy     | Operating Systems
first      | unknown OS
last       | Cisco IOS
bsd        | AIX, FreeBSD, OpenBSD
hpux_10    | HP-UX 10.2 and earlier
hpux_11    | HP-UX 11.0 and later
irix       | SGI Irix
linux      | Linux 2.4 kernel, Linux 2.6 kernel
macos      | Mac OS 10 (Mac OS X)
old_linux  | Linux 2.2 and earlier kernel
solaris    | Solaris OS, SunOS
vista      | Windows Vista
windows    | Windows 98, Windows NT, Windows 2000, Windows XP
win_2003   | Windows 2003

Default value: bsd
max_window
Specifies the maximum TCP window size permitted by a receiving host. You can specify an integer less than 65535, or specify 0 to disable inspection of the TCP window size.
Caution: The upper limit of max_window is the maximum window size permitted by RFC 1323. You can set the upper limit to prevent an attacker from evading detection; however, a significantly large maximum TCP window size may create a self-imposed denial of service.
Type: integer
Valid range: 0 to 1,073,725,440
Default value: 0
overlap_limit
Specifies the maximum number of overlapping segments allowed in each TCP session. Specify 0 to permit an unlimited number of overlapping segments. If you set a number between 0 and 255, segment reassembly stops for the session.
Enable rule 129:7 to generate events and, in an inline deployment, drop offending packets.
Type: integer
Valid range: 0 to 4,294,967,295 (max32)
Default value: 0
max_pdu
Specifies the maximum reassembled protocol data unit (PDU) size.
Type: integer
Valid range: 1460 to 32768
Default value: 16384
reassemble_async
Ensures that data is queued for reassembly before traffic is seen in both directions. When the monitored network is an asynchronous network, you must enable the reassemble_async parameter. An asynchronous network only permits traffic in a single direction and one flow at a time. If the reassemble_async parameter is enabled, Snort does not reassemble TCP streams to increase performance.
Note: The stream TCP inspector cannot correctly process asymmetric traffic in all cases. For example, a response to an HTTP HEAD request can cause the HTTP inspector to get out of sync. In IDS mode, the lack of TCP acknowledgements makes evasions much easier. For IPS mode, we recommend that you deploy a device only if the rules engine can inspect both sides of a flow.
The reassemble_async parameter is ignored for the Secure Firewall Threat Defense routed and transparent interfaces.
Type: boolean
Valid values: true, false
Default value: true
require_3whs
Specifies the number of seconds from start up after which the stream TCP inspector stops tracking midstream sessions. Specify -1 to track all midstream TCP sessions, no matter when they occur.
Snort does not synchronize most protocol streams. Snort always picks up on SYN if it needs any of the handshake options (timestamps, window scale, or MSS). Typically, IPS efficacy is not improved by allowing midstream pickups.
Type: integer
Valid range: -1 to 2,147,483,647 (max31)
Default value: -1
queue_limit.max_bytes
Specifies the maximum number of bytes to queue for a session on one side of a TCP connection. Specify 0 to allow an unlimited number of bytes.
Caution: We recommend that you contact Cisco TAC before changing the default setting of the queue_limit.max_bytes parameter.
Type: integer
Valid range: 0 to 4,294,967,295 (max32)
Default value: 4,194,304
queue_limit.max_segments
Specifies the maximum number of data segments to queue for a session on one side of a TCP connection. Specify 0 to allow an unlimited number of data segments.
Caution: We recommend that you contact Cisco TAC before changing the default setting of the queue_limit.max_segments parameter.
Type: integer
Valid range: 0 to 4,294,967,295 (max32)
Default value: 3072
small_segments.count
Specifies a number that is above the expected amount of consecutive small TCP segments. Specify 0 to ignore the count of consecutive small TCP segments.
You must set the small_segments.count and small_segments.maximum_size parameters with the same type of value. Specify 0 for both parameters or set each parameter to a non-zero value.
Note: Snort considers 2000 consecutive segments, even if each segment is 1 byte in length, above the normal amount of consecutive TCP segments.
Snort ignores the small_segments.count parameter for threat defense routed and transparent interfaces.
You can enable rule 129:12 to generate events and, in an inline deployment, drop offending packets.
Type: integer
Valid range: 0 to 2048
Default value: 0
small_segments.maximum_size
Specifies the number of bytes that identifies a TCP segment as larger than a small TCP segment. A small TCP segment size is in the range of 1 to 2048 bytes. Specify 0 to ignore the maximum size of a small segment.
Snort ignores the small_segments.maximum_size parameter for threat defense routed and transparent interfaces.
You must set the small_segments.maximum_size and small_segments.count parameters with the same type of value. Specify 0 for both parameters or set each parameter to a non-zero value.
Note: A 2048 byte TCP segment is larger than a normal 1500 byte Ethernet frame.
You can enable rule 129:12 to generate events and, in an inline deployment, drop offending packets.
Type: integer
Valid range: 0 to 2048
Default value: 0
session_timeout
Specifies the number of seconds that Snort keeps an inactive TCP stream in its state table. If the stream is not reassembled in the specified time, Snort deletes it from the state table. If the session is still alive and more packets appear, Snort handles the stream as a midstream flow.
We recommend that you set the session_timeout parameter to greater than or equal to the host TCP session timeout.
Type: integer
Valid range: 0 to 2,147,483,647 (max31)
Default value: 180
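As an added example (not Cisco's or Snort's own code), the following Python check encodes the constraints documented for these parameters: the policy enumeration, the valid integer ranges, and the rule that small_segments.count and small_segments.maximum_size are both zero or both non-zero. The flat dotted parameter names, the severity labels and the sample settings are assumptions made here.

```python
# Added example (not Cisco's or Snort's own code): check a stream TCP
# inspector configuration against the parameter constraints documented
# above. Settings are a flat dict keyed by the documented parameter names.
MAX32 = 4_294_967_295
MAX31 = 2_147_483_647

OS_POLICIES = {"first", "last", "bsd", "hpux_10", "hpux_11", "irix", "linux",
               "macos", "old_linux", "solaris", "vista", "windows", "win_2003"}

# Documented valid ranges (inclusive) for the integer parameters.
RANGES = {
    "max_window": (0, 1_073_725_440),
    "overlap_limit": (0, MAX32),
    "max_pdu": (1460, 32768),
    "require_3whs": (-1, MAX31),
    "queue_limit.max_bytes": (0, MAX32),
    "queue_limit.max_segments": (0, MAX32),
    "small_segments.count": (0, 2048),
    "small_segments.maximum_size": (0, 2048),
    "session_timeout": (0, MAX31),
}


def validate(cfg):
    """Return a list of (severity, message) findings; an empty list is clean."""
    findings = []
    policy = cfg.get("policy", "bsd")          # documented default
    if policy not in OS_POLICIES:
        findings.append(("error", f"policy {policy!r} is not a TCP OS policy"))
    elif policy == "first":
        # Documented caveat: 'first' may miss attacks against the target OS.
        findings.append(("warn", "policy 'first' may miss attacks; set the target OS"))
    for name, (lo, hi) in RANGES.items():
        val = cfg.get(name)
        if val is None:
            continue
        if isinstance(val, bool) or not isinstance(val, int) or not lo <= val <= hi:
            findings.append(("error", f"{name}={val!r} is outside {lo}..{hi}"))
    # small_segments.count and .maximum_size must both be 0 or both non-zero.
    count = cfg.get("small_segments.count", 0)
    size = cfg.get("small_segments.maximum_size", 0)
    if isinstance(count, int) and isinstance(size, int) and (count == 0) != (size == 0):
        findings.append(("error", "small_segments.count and small_segments."
                                  "maximum_size must both be 0 or both non-zero"))
    if not isinstance(cfg.get("reassemble_async", True), bool):
        findings.append(("error", "reassemble_async must be true or false"))
    return findings
```

Run validate() over the settings you intend to push in a NAP; any "error" finding is a value the documented ranges reject, and the "warn" finding reproduces the note about policy first.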