Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 25  Using Application Layer Preprocessors
Decoding FTP and Telnet Traffic
Normalize
Normalizes telnet traffic to the specified ports.
Detect Anomalies
Enables detection of Telnet SB (subnegotiation begin) without the corresponding SE (subnegotiation end).
Telnet supports subnegotiation, which begins with SB (subnegotiation begin) and must end with an SE (subnegotiation end). However, certain implementations of Telnet servers will ignore the SB without a corresponding SE. This is anomalous behavior that could be an evasion case. Because FTP uses the Telnet protocol on the control connection, it is also susceptible to this behavior.
You can enable rule 126:3 to generate an event when this anomaly is detected in Telnet traffic, and rule 125:9 when it is detected on the FTP command channel. See for more information.
Are You There Attack Threshold Number
Detects when the number of consecutive AYT commands exceeds the specified threshold. Cisco recommends that you set the AYT threshold to a value no higher than 20.
You can enable rule 126:1 to generate events for this option. See for more information.
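The two checks described above (an SB with no matching SE, and a run of consecutive AYT commands above the threshold), as an added Python example. It is not code from the FireSIGHT preprocessor or from Cisco; the function name scan_telnet, the anomaly labels, the choice to judge one complete buffer at a time, the rule that any other byte or command ends an AYT run, and the sample bytes are assumptions made for illustration.

```python
# Added example: simplified Telnet scanner, not the FireSIGHT preprocessor's code.
IAC, SB, SE, AYT = 255, 250, 240, 246   # Telnet command bytes (RFC 854)
WILL, DONT = 251, 254                    # WILL..DONT each carry one option byte

def scan_telnet(buf: bytes, ayt_threshold: int = 20) -> list:
    """Return anomaly labels for one complete buffer of Telnet traffic."""
    findings = []
    ayt_run = 0        # consecutive AYT commands seen so far
    in_sb = False      # True between IAC SB and IAC SE
    i = 0
    while i < len(buf):
        if buf[i] != IAC or i + 1 == len(buf):
            # Plain data byte (or a lone trailing IAC): ends any AYT run.
            ayt_run = 0
            i += 1
            continue
        cmd = buf[i + 1]
        if in_sb:
            # Inside subnegotiation only IAC SE closes it; IAC IAC is data.
            if cmd == SE:
                in_sb = False
            i += 2
            continue
        if cmd == AYT:
            ayt_run += 1
            if ayt_run == ayt_threshold + 1:               # report once per run
                findings.append("ayt_threshold_exceeded")  # cf. rule 126:1
            i += 2
            continue
        ayt_run = 0
        if cmd == SB:
            in_sb = True
            i += 3                       # IAC SB <option>
        elif WILL <= cmd <= DONT:
            i += 3                       # IAC WILL/WONT/DO/DONT <option>
        else:
            i += 2                       # other two-byte command, or IAC IAC
    if in_sb:
        findings.append("sb_without_se")  # cf. rules 126:3 (Telnet), 125:9 (FTP)
    return findings

# Constructed sample buffers (not captured traffic).
CLEAN = b"login\r\n" + bytes([IAC, SB, 24, 1, IAC, SE]) + b"ok"
UNTERMINATED = bytes([IAC, SB, 24, 1]) + b"USER root\r\n"
AYT_BURST = bytes([IAC, AYT]) * 21
```

With the default threshold of 20, CLEAN yields no findings, UNTERMINATED yields the SB-without-SE label, and AYT_BURST yields the AYT label.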
Configuring Telnet Options
License: Protection
You can enable or disable normalization, enable or disable a specific anomaly case, and control the threshold number of Are You There (AYT) attacks to permit. For additional information on telnet options, see .
To configure telnet options:
Access: Admin/Intrusion Admin
Step 1  Select Policies > Intrusion > Intrusion Policy.
        The Intrusion Policy page appears.
Step 2  Click the edit icon next to the policy you want to edit.
        If you have unsaved changes in another policy, click OK to discard those changes and continue. See for information on saving unsaved changes in another policy.
        The Policy Information page appears.
Step 3  Click Advanced Settings in the navigation panel on the left.
        The Advanced Settings page appears.
Step 4  You have two choices, depending on whether FTP and Telnet Configuration under Application Layer Preprocessors is enabled:
          • If the configuration is enabled, click Edit.
          • If the configuration is disabled, click Enabled, then click Edit.
        The FTP and Telnet Configuration page appears.