Network Instruments 114ff manual FieldDescription

Models: 114ff

Page 102
Table 8 Forensic Analysis Profile Settings tab (Continued)

Field / Description

TCP Stream Reassembly (Continued)

Log preprocessor events—Check this box to write every event generated by the TCP stream reassembly preprocessor to the log.

Maximum active TCP streams tracked—If this value is set too high for the size of the capture buffer being analyzed, memory consumption can degrade performance. If it is set too low, the analysis itself becomes vulnerable to a denial-of-service attack: an attacker first opens enough connections to exhaust the session allocation, then launches the real attack against the target, which forensic analysis no longer tracks.

Drop TCP streams inactive for this duration—A TCP session is removed from analysis as soon as it is closed by an RST or a FIN handshake, or once it has been idle for longer than this time-out. Adjust the time-out with care: attackers exploit TCP tear-down behaviour, and the differences between how the analyzer and various operating systems treat inactivity, to evade detection. A sensor that gives up on an idle session sooner than the target does will miss any data sent after the sensor has dropped it.

TTL delta alert limit—Some attackers rely on knowing where the target sits relative to the IDS. By manipulating the IP TTL (Time To Live) they send segments that reach the sensor but expire before they reach the target, so the two systems see different data for the same stream. A large swing in TTL within one stream is evidence of this kind of evasion attempt. Set the value too high and analysis misses these attempts; set it too low and legitimate TTL variation (for example, from routing changes) produces excessive false positives.

Overlapping packet alert threshold—The reassembly preprocessor generates an alert when more than this number of segments within one stream carry overlapping sequence-number ranges.

Process only established streams—Check this box to analyze only streams whose establishment is seen within the packet capture; segments belonging to connections that were already open when the capture began are ignored.

Reconstruct Client to Server streams—Check this box to reconstruct the data sent from client to server (what the server receives).

Reconstruct Server to Client streams—Check this box to reconstruct the data sent from server to client (what the client receives).

Overlap method—Operating systems resolve overlapping segments differently (some keep the data that arrived first, others the data that arrived last). Choose the method that matches the systems being monitored, so that reassembly reflects the bytes those hosts actually processed; a mismatch between the analyzer's policy and the target's is itself an evasion opportunity.
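The following is an added illustration of the settings above (the session cap, the inactivity time-out, the TTL delta limit, the overlap threshold and the overlap method); it is not code from the Observer manual or from Snort. It is a toy stream tracker fed with constructed segments: a low-TTL segment that a sensor would see but the server would not, followed by a retransmission of the same sequence range with different content. All class, function and parameter names, the thresholds, and the addresses are assumptions; the "first"/"last" overlap methods are a simplification of real operating-system behaviour, which also depends on where the overlap falls within the existing segment.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int      # TCP sequence number of the first payload byte
    data: bytes
    ttl: int      # IP TTL as observed by the sensor
    ts: float     # capture timestamp in seconds


@dataclass
class Stream:
    first_ttl: int
    last_seen: float
    overlaps: int = 0
    segments: list = field(default_factory=list)
    alerts: list = field(default_factory=list)


def overlaps(a: Segment, b: Segment) -> bool:
    """True when the byte ranges [seq, seq+len) of a and b intersect."""
    return a.seq < b.seq + len(b.data) and b.seq < a.seq + len(a.data)


class StreamTracker:
    """Hypothetical tracker; each constructor argument mirrors one field in the table."""

    def __init__(self, max_streams=2, timeout=30.0, ttl_limit=5,
                 overlap_limit=0, policy="first"):
        self.max_streams = max_streams      # Maximum active TCP streams tracked
        self.timeout = timeout              # Drop TCP streams inactive for this duration
        self.ttl_limit = ttl_limit          # TTL delta alert limit
        self.overlap_limit = overlap_limit  # Overlapping packet alert threshold
        self.policy = policy                # Overlap method: "first" or "last"
        self.streams = {}
        self.untracked = 0                  # segments ignored because the table was full

    def _expire(self, now):
        stale = [k for k, s in self.streams.items() if now - s.last_seen > self.timeout]
        for k in stale:
            del self.streams[k]

    def feed(self, key, seg):
        self._expire(seg.ts)
        s = self.streams.get(key)
        if s is None:
            if len(self.streams) >= self.max_streams:
                self.untracked += 1     # the DoS window: this traffic is not inspected
                return None
            s = self.streams[key] = Stream(first_ttl=seg.ttl, last_seen=seg.ts)
        s.last_seen = seg.ts
        if abs(seg.ttl - s.first_ttl) > self.ttl_limit:
            s.alerts.append(("ttl_delta", seg.seq, seg.ttl))
        if any(overlaps(seg, old) for old in s.segments):
            s.overlaps += 1
            if s.overlaps > self.overlap_limit:
                s.alerts.append(("overlap_limit", seg.seq))
        s.segments.append(seg)
        return s

    def reassemble(self, key):
        """Apply the overlap method byte by byte, in arrival order."""
        buf = {}
        for seg in self.streams[key].segments:
            for i, byte in enumerate(seg.data):
                off = seg.seq + i
                if self.policy == "last" or off not in buf:
                    buf[off] = byte
        return bytes(buf[o] for o in sorted(buf))


def run_demo(policy="first"):
    """Constructed traffic (not a real capture): one stream with a TTL/overlap
    insertion attempt, then two more streams to exercise the cap and time-out."""
    t = StreamTracker(max_streams=2, timeout=30.0, ttl_limit=5,
                      overlap_limit=0, policy=policy)
    a = ("10.0.0.5", 40000, "10.0.0.9", 80)
    t.feed(a, Segment(1000, b"GET /", 64, 0.0))
    t.feed(a, Segment(1005, b"admin", 2, 0.1))    # low TTL: sensor sees it, server does not
    t.feed(a, Segment(1005, b"index", 64, 0.2))   # same range, different content
    t.feed(a, Segment(1010, b" HTTP/1.0\r\n", 64, 0.3))
    payload = t.reassemble(a)
    alerts = list(t.streams[a].alerts)
    b = ("10.0.0.6", 40001, "10.0.0.9", 80)
    t.feed(b, Segment(5000, b"x", 64, 1.0))
    c = ("10.0.0.7", 40002, "10.0.0.9", 80)
    t.feed(c, Segment(7000, b"y", 64, 2.0))       # table full: ignored
    t.feed(c, Segment(7000, b"y", 64, 100.0))     # a and b have aged out: now tracked
    return {"payload": payload, "alerts": alerts,
            "untracked": t.untracked, "active": sorted(t.streams)}


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, run_demo(policy))
```

With the "first" method the sensor reassembles the request as "GET /admin ...", while the server, which never received the low-TTL segment, processed "GET /index ..."; the "last" method yields the server's view here. The TTL delta alert is what flags the low-TTL segment as untrustworthy, and the overlap alert fires because the threshold is 0. The third stream is silently dropped while the session table is full and only becomes visible after the other two time out, which is the denial-of-service window the "Maximum active TCP streams tracked" entry warns about.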


Forensic Analysis Profile field descriptions


Chapter 6 Forensic Analysis using Snort

rev. 1
