Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding SMTP Traffic
Configuring SMTP Decoding
License: Protection
You can use the SMTP Configuration page of an intrusion policy to configure SMTP normalization. For
more information on SMTP preprocessor configuration options, see
To configure SMTP decoding options:
Access: Admin/Intrusion Admin
Step 1
Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2
Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3
Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.
Step 4
You have two choices, depending on whether SMTP Configuration under Application Layer Preprocessors is enabled:
• If the configuration is enabled, click Edit.
• If the configuration is disabled, click Enabled, then click Edit.
The SMTP Configuration page appears. The following graphic shows the Defense Center packet view.
A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See for more information.
Step 5
Specify the Ports where SMTP traffic should be decoded, separated by commas.
Step 6
Select Stateful Inspection to examine reassembled TCP streams containing SMTP packets. Clear Stateful Inspection to inspect only unreassembled SMTP packets.
Step 7
Configure the normalization options:
• To normalize all commands, select All.
• To normalize only commands specified by Custom Commands, select Cmds and specify the commands to normalize. Separate commands with spaces.
• To normalize no commands, select None.
• To ignore mail data except for MIME mail header data, check Ignore Data.
• To ignore data encrypted under the Transport Layer Security (TLS) protocol, check Ignore TLS Data.
• To disable generating events when accompanying preprocessor rules are enabled, check No Alerts.
• To detect unknown commands in SMTP data, select Detect Unknown Commands.
Step 8
Specify a maximum command line length in the Max Command Line Len field.
Step 9
Specify a maximum data header line length in the Max Header Line Len field.
Step 10
Specify a maximum response line length in the Max Response Line Len field.
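The following added example (not part of the guide and not Cisco's implementation) is a simplified Python model of what the settings in Steps 7 through 10 look for in an SMTP session: command normalization (All, Cmds, None), unknown-command detection, and the three line-length limits. The function name, the command list, the limit values, and the sample session are assumptions constructed for illustration; normalization is modelled as reducing the padding after a command to a single space.

```python
import re

# Assumed command list for this model; the real preprocessor's list is configurable.
KNOWN_CMDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
              "VRFY", "EXPN", "HELP", "STARTTLS", "AUTH"}

def inspect(session, normalize="all", cmds=(), max_cmd=512, max_hdr=1000,
            max_resp=512, detect_unknown=True):
    """session: (direction, line) pairs, 'C' = client, 'S' = server.
    Returns (client lines after normalization, [(line_no, finding), ...])."""
    out, findings, state = [], [], "cmd"   # state: cmd -> hdr -> body -> cmd
    for n, (who, line) in enumerate(session, 1):
        if who == "S":                      # Step 10: response line length
            if len(line) > max_resp:
                findings.append((n, "response line too long"))
            continue
        if state != "cmd":                  # inside the DATA section
            if line == ".":
                state = "cmd"               # end-of-data marker
            elif state == "hdr" and line == "":
                state = "body"              # blank line ends the headers
            elif state == "hdr" and len(line) > max_hdr:
                findings.append((n, "data header line too long"))   # Step 9
            out.append(line)
            continue
        if len(line) > max_cmd:             # Step 8, checked on the raw line here
            findings.append((n, "command line too long"))
        verb, rest = re.match(r"(\S*)\s*(.*)", line).groups()
        if detect_unknown and verb.upper() not in KNOWN_CMDS:
            findings.append((n, "unknown command"))
        if normalize == "all" or (normalize == "cmds" and verb.upper() in cmds):
            line = f"{verb} {rest}" if rest else verb   # one space after the command
        out.append(line)
        if verb.upper() == "DATA":
            state = "hdr"
    return out, findings

SAMPLE = [  # constructed session, not captured traffic
    ("S", "220 mail.example.test ESMTP"), ("C", "EHLO client.example.test"),
    ("S", "250 mail.example.test"), ("C", "MAIL     FROM:<a@example.test>"),
    ("S", "250 OK"), ("C", "RCPT TO:<" + "A" * 600 + "@example.test>"),
    ("S", "250 OK"), ("C", "XFOO bar"), ("S", "500 unrecognized"),
    ("C", "DATA"), ("S", "354 go ahead"), ("C", "Subject: " + "B" * 1200),
    ("C", ""), ("C", "body " + "C" * 2000), ("C", "."), ("C", "QUIT"),
]

if __name__ == "__main__":
    for finding in inspect(SAMPLE)[1]:
        print(finding)
```

The long body line in the sample is not flagged because the header limit applies only to lines before the blank line that ends the message headers.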