Configuring TCP Stream Preprocessing

Note

This section applies to Snort 2 preprocessors. For information on Snort 3 inspectors, see https://www.cisco.com/go/snort3-inspectors.

Before you begin

  • Confirm that the networks you want to identify in a custom target-based policy match or are a subset of the networks, zones, and VLANs handled by its parent network analysis policy. See Advanced Settings for Network Analysis Policies for more information.

Procedure


Step 1

Choose Policies > Access Control, then click Network Analysis Policy, or choose Policies > Access Control > Intrusion, then click Network Analysis Policies.

Note

If your custom user role limits access to the first path listed here, use the second path to access the policy.

Step 2

Click Snort 2 Version next to the policy you want to edit.

Step 3

Click Edit (edit icon) next to the policy you want to modify.

If View (View button) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 4

Click Settings in the navigation panel on the left.

Step 5

If the TCP Stream Configuration setting is disabled under Transport/Network Layer Preprocessors, enable it by clicking Enabled.

Step 6

Click Edit (edit icon) next to TCP Stream Configuration.

Step 7

Check or clear the Packet Type Performance Boost check box in the Global Settings section.

Step 8

You can:

  • Add a target-based policy — Click Add (add icon) next to Hosts in the Targets section. Specify one or more IP addresses in the Host Address field. You can specify a single IP address or address block. You can create a total of 255 target-based policies including the default policy. When done, click OK.
  • Edit an existing target-based policy — Under Hosts, click the address for the policy you want to edit, or click default to edit the default configuration values.
  • Modify the TCP Stream Preprocessing options — See TCP Stream Preprocessing Options.
    Caution

    Do not modify Maximum Queued Bytes or Maximum Queued Segments unless instructed to do so by Support.

    Tip

    To modify stream reassembly settings based on client, server, or both services, click inside the field you want to modify or click Edit next to the field. Use the arrow to move services between the Available and Enabled lists in the pop-up window, then click OK.

  • Delete an existing target-based policy — Click Delete (delete icon) next to the policy you want to remove.

Step 9

To save changes you made in this policy since the last policy commit, click Policy Information, then click Commit Changes.

If you leave the policy without committing changes, cached changes since the last commit are discarded if you edit a different policy.
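
The address check from "Before you begin" and the 255-policy limit from Step 8 can be verified offline before you open the editor. The script below is an added example, not part of the product or its documentation: it assumes you have copied the parent policy's networks and your planned Host Address values into lists by hand, it does not check zones or VLANs, and the function name and sample addresses are constructed for illustration.

```python
import ipaddress

MAX_POLICIES = 255  # limit stated in Step 8, default policy included

def check_targets(parent_networks, target_hosts):
    """Return a list of problems; an empty list means the plan passes.

    parent_networks: CIDR strings handled by the parent network analysis policy.
    target_hosts: one list of address/block strings per planned target-based policy.
    """
    problems = []
    by_version = {4: [], 6: []}
    for spec in parent_networks:
        net = ipaddress.ip_network(spec, strict=False)
        by_version[net.version].append(net)
    # Collapse per IP version so a target that spans adjacent parent
    # blocks (two /24s forming a /23) still counts as covered.
    parents = {v: list(ipaddress.collapse_addresses(nets))
               for v, nets in by_version.items()}

    if len(target_hosts) + 1 > MAX_POLICIES:  # +1 for the default policy
        problems.append(f"{len(target_hosts)} custom policies plus default "
                        f"exceeds {MAX_POLICIES}")

    for idx, hosts in enumerate(target_hosts, start=1):
        for spec in hosts:
            try:
                net = ipaddress.ip_network(spec, strict=False)
            except ValueError:
                problems.append(f"policy {idx}: '{spec}' is not a valid address or block")
                continue
            if not any(net.subnet_of(p) for p in parents[net.version]):
                problems.append(f"policy {idx}: {net} is outside the parent networks")
    return problems

# Constructed sample data (private and documentation address ranges).
PARENT = ["10.10.0.0/24", "10.10.1.0/24", "2001:db8::/48"]
PLAN = [
    ["10.10.0.0/23"],                       # spans both parent /24s: covered
    ["10.10.2.15"],                         # single host outside the parent
    ["2001:db8:0:1::/64", "10.10.1.300"],   # valid IPv6 block, malformed IPv4
]

if __name__ == "__main__":
    for problem in check_targets(PARENT, PLAN):
        print(problem)
```
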


What to do next