Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 25      Using Application Layer Preprocessors
  Detecting Exploits in DNS Name Server Responses
You can enable rule 131:2 to generate events for this option. See  for more information.

Configuring the DNS Preprocessor

License: Protection

Use the following procedure to configure the DNS preprocessor. For more information on configuring the options on this page, see .

To configure the DNS preprocessor:

Access: Admin/Intrusion Admin

Step 1  Select Policies > Intrusion > Intrusion Policy.
        The Intrusion Policy page appears.

Step 2  Click the edit icon next to the policy you want to edit.
        If you have unsaved changes in another policy, click OK to discard those changes and continue. See  for information on saving unsaved changes in another policy.
        The Policy Information page appears.

Step 3  Click Advanced Settings in the navigation panel on the left.
        The Advanced Settings page appears.

Step 4  You have two choices, depending on whether DNS Configuration under Application Layer Preprocessors is enabled:
          • If the configuration is enabled, click Edit.
          • If the configuration is disabled, click Enabled, then click Edit.
        The DNS Configuration page appears. A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See  for more information.

Step 5  Optionally, you can modify any of the following in the Settings area:
          • Specify the source port or ports the DNS preprocessor should monitor for DNS server responses in the Ports field. Separate multiple ports with commas.
          • Select the Detect Overflow Attempts on RData Text fields check box to enable detection of buffer overflow attempts in RData text fields.

Table 25-4  Experimental DNS Resource Record Types

RR Type   Code   Description
7         MB     a mailbox domain name
8         MG     a mail group member
9         MR     a mail rename domain name
10        NUL    a null resource record