Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 25      Using Application Layer Preprocessors 
Note that you cannot modify the setting for Network in the default profile. The default profile applies to all client hosts on your network that are not identified in another profile.
  • Specify, in bytes, the maximum length of responses from the FTP client in the Max Response Length field.
  • To detect FTP bounce attacks, select Detect FTP Bounce attempts.
    The FTP/Telnet decoder detects when an FTP PORT command is issued and the specified host does not match the specified host of the client.
  • To configure a list of additional hosts and ports where FTP PORT commands should not be treated as FTP bounce attacks, specify each host (or network in CIDR format) followed by a colon (:) and the port or port range in the Allow FTP Bounce to field. To enter a range of ports for a host, separate the beginning port in the range and the final port in the range with a dash (-). You can enter multiple hosts by separating the entries for the hosts with a comma.
    For example, to permit FTP PORT commands directed to the host 192.168.1.1 at port 21 and commands directed to the host 192.168.1.2 at any of the ports from 22 to 1024, type:
    192.168.1.1:21, 192.168.1.2:22-1024
For information on using CIDR notation and prefix lengths in the FireSIGHT System, see 
.
Note  To specify multiple individual ports for a host, you must repeat the host IP address for each port definition. For example, to specify the ports 22 and 25 on 192.168.1.1, type 192.168.1.1:22, 192.168.1.1:25.
  • To detect when telnet commands are used over the FTP command channel, select Detect Telnet Escape Codes within FTP Commands.
  • To ignore telnet character and line erase commands when normalizing FTP traffic, select Ignore Erase Commands During Normalization.
Step 7  Optionally, click Configure Rules for FTP and Telnet Configuration at the top of the page to display rules associated with individual options.
        Click Back to return to the FTP and Telnet Configuration page.
Step 8  Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the
 table for more information.
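
The following added example (not from the Cisco guide and not the product's implementation) parses the Allow FTP Bounce to syntax described above and applies the PORT host check as the text describes it. It assumes IPv4 hosts only; the function names and the sample allow list are constructed for illustration.

```python
import ipaddress

def parse_allow_list(text):
    """Parse comma-separated 'host[/prefix]:port[-port]' entries (IPv4 assumed)."""
    rules = []
    for entry in filter(None, (e.strip() for e in text.split(","))):
        host, sep, ports = entry.rpartition(":")
        if not sep or not host:
            raise ValueError(f"missing host or port in {entry!r}")
        net = ipaddress.ip_network(host, strict=False)  # bare host becomes /32
        lo, _, hi = ports.partition("-")
        lo, hi = int(lo), int(hi or lo)  # a single port is a one-port range
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in {entry!r}")
        rules.append((net, lo, hi))
    return rules

def parse_port_command(line):
    """Return (ip, port) from 'PORT h1,h2,h3,h4,p1,p2' (RFC 959 format)."""
    verb, _, arg = line.strip().partition(" ")
    fields = arg.split(",")
    if verb.upper() != "PORT" or len(fields) != 6:
        raise ValueError(f"not a PORT command: {line!r}")
    nums = [int(f) for f in fields]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError(f"field out of range in {line!r}")
    ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def is_bounce(client_ip, line, rules):
    """True when PORT names a host other than the client and no rule allows it."""
    ip, port = parse_port_command(line)
    if ip == ipaddress.ip_address(client_ip):
        return False  # data connection goes back to the client itself
    return not any(ip in net and lo <= port <= hi for net, lo, hi in rules)

# Constructed sample: the allow list from the guide's own example.
ALLOW = parse_allow_list("192.168.1.1:21, 192.168.1.2:22-1024")

if __name__ == "__main__":
    for cmd in ("PORT 10,0,0,5,195,80", "PORT 192,168,1,1,0,21",
                "PORT 192,168,1,1,0,22", "PORT 192,168,1,2,4,1"):
        print(cmd, "->", "bounce" if is_bounce("10.0.0.5", cmd, ALLOW) else "ok")
```
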
Decoding HTTP Traffic
License: Protection
The HTTP Inspect preprocessor is responsible for:
  • decoding and normalizing HTTP requests sent to and HTTP responses received from web servers on your network
  • separating messages sent to web servers into URI, non-cookie header, cookie header, method, and message body components to improve performance of HTTP-related intrusion rules