Configuring TCP Normalization - Cisco PIX 500 Series Configuration Manual

Chapter 23      Preventing Network Attacks

Table 23-3      show threat-detection statistics host Fields (continued)

Field
    Description

Total events
    Shows the total number of events over each rate interval. The unfinished burst
    interval presently occurring is not included in the total events. The only
    exception is when the number of events in the unfinished burst interval already
    exceeds the number of events in the oldest complete burst interval (#1 of 60) at
    the time the total is calculated. In that case, the security appliance calculates
    the total events as the last 59 complete intervals plus the events so far in the
    unfinished burst interval. This exception lets you see a large increase in events
    in real time.

20-min, 1-hour, 8-hour, and 24-hour
    Shows statistics for these fixed rate intervals.

Sent byte
    Shows the number of bytes successfully sent from the host.

Sent pkts
    Shows the number of packets successfully sent from the host.

Sent drop
    Shows the number of packets sent from the host that were dropped because they
    were part of a scanning attack.

Recv byte
    Shows the number of bytes successfully received by the host.

Recv pkts
    Shows the number of packets successfully received by the host.

Recv drop
    Shows the number of packets received by the host that were dropped because they
    were part of a scanning attack.

Configuring TCP Normalization

The TCP normalization feature lets you specify criteria that identify abnormal TCP
packets, which the security appliance drops when they are detected. This feature uses
the Modular Policy Framework, so implementing TCP normalization consists of three
parts: identifying the traffic, specifying the TCP normalization criteria, and
activating TCP normalization on an interface. See Chapter 21, "Using Modular Policy
Framework," for more information.

To configure TCP normalization, perform the following steps:

Step 1  To specify the TCP normalization criteria that you want to look for, create a
        TCP map by entering the following command:

        hostname(config)# tcp-map tcp-map-name

        For each TCP map, you can specify one or more settings.

Step 2  Configure the TCP map criteria by entering commands for one or more of the
        following options:

        •  Prevent inconsistent TCP retransmissions (retransmitted segments whose data
           does not match the data originally sent for the same sequence range):

           hostname(config-tcp-map)# check-retransmission

        •  Verify the TCP checksum:

           hostname(config-tcp-map)# checksum-verification

        •  Allow packets whose data length exceeds the TCP maximum segment size. The
           default is to drop these packets, so use this command only if you need to
           allow them:

           hostname(config-tcp-map)# exceed-mss {allow | drop}

Cisco Security Appliance Command Line Configuration Guide
OL-12172-03                                                                    23-11
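The following configuration is added here as an illustration and is not taken from the guide. It puts the steps above together: it defines a TCP map that turns on the three criteria shown on this page, then attaches that map to traffic and activates it on an interface through the Modular Policy Framework. The access-list, class-map, policy-map, set connection advanced-options and service-policy commands come from the Modular Policy Framework chapter the text refers to, not from this page; the names TCP_NORM_MAP, TCP_NORM_ACL, TCP_NORM_CLASS and TCP_NORM_POLICY and the interface name outside are assumed.

```text
! Added example, not from the guide. Object names and the interface name are assumed.

! Step 1: create the TCP map that holds the normalization criteria.
hostname(config)# tcp-map TCP_NORM_MAP

! Step 2: select the criteria (each one is an option listed on this page).
! Drop retransmitted segments whose payload differs from the data originally sent.
hostname(config-tcp-map)# check-retransmission
! Drop segments with a bad TCP checksum rather than forwarding them; the end host
! would discard them anyway, so passing them only helps an attacker desynchronize
! inspection from what the host actually receives. This costs some CPU.
hostname(config-tcp-map)# checksum-verification
! Keep the default: drop segments carrying more data than the negotiated MSS.
! "exceed-mss allow" would pass them; use it only if an application requires it.
hostname(config-tcp-map)# exceed-mss drop
hostname(config-tcp-map)# exit

! Identify the traffic (Chapter 21, Modular Policy Framework): here, all TCP.
hostname(config)# access-list TCP_NORM_ACL extended permit tcp any any
hostname(config)# class-map TCP_NORM_CLASS
hostname(config-cmap)# match access-list TCP_NORM_ACL
hostname(config-cmap)# exit

! Bind the TCP map to that traffic class in a policy map.
hostname(config)# policy-map TCP_NORM_POLICY
hostname(config-pmap)# class TCP_NORM_CLASS
hostname(config-pmap-c)# set connection advanced-options TCP_NORM_MAP
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit

! Activate the policy on one interface.
hostname(config)# service-policy TCP_NORM_POLICY interface outside

! Verify what was configured and that the policy is attached.
hostname(config)# show running-config tcp-map
hostname(config)# show service-policy interface outside
```

Because the policy is applied with service-policy ... interface outside, only connections passing through that interface are normalized; applying it with the global keyword of service-policy (also described in Chapter 21) extends it to all interfaces. The order of the three parts matters only in that the TCP map must exist before set connection advanced-options refers to it.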