Cisco Firepower Management Center 2000
FireSIGHT System User Guide
 
Chapter 25      Using Application Layer Preprocessors
The POP preprocessor rules in Table 25-11 are not associated with specific configuration options. As with other POP preprocessor rules, you must enable these rules if you want them to generate events. See  for information on enabling rules.
Decoding SMTP Traffic
License: Protection
The SMTP preprocessor instructs the rules engine to normalize SMTP commands. The preprocessor can also extract and decode email attachments in client-to-server traffic and, depending on the software version, extract email file names, addresses, and header data to provide context when displaying intrusion events triggered by SMTP traffic.
Note the following when using the SMTP preprocessor:
  • The SMTP preprocessor requires TCP stream preprocessing. If TCP stream preprocessing is disabled and you enable the SMTP preprocessor, you are prompted when you save the policy whether to enable TCP stream preprocessing. See  for more information.
  • You must enable SMTP preprocessor rules, which have a generator ID (GID) of 124, if you want these rules to generate events. A link on the configuration page takes you to a filtered view of SMTP preprocessor rules on the intrusion policy Rules page, where you can enable and disable rules and configure other rule actions. See  for more information.
For more information, see the following sections:
  •
  •
  •
Understanding SMTP Decoding
License: Protection
You can enable or disable normalization, and you can configure options to control the types of anomalous traffic the SMTP decoder detects.
Note that decoding, or extraction when the MIME email attachment does not require decoding, includes multiple attachments when present, and large attachments that span multiple packets.
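The following is an added example and is not code from the FireSIGHT guide or from the Snort SMTP preprocessor. It shows, in plain Python, what the two points above mean in practice: the client-to-server DATA payload is split into TCP-sized segments, reassembled the way TCP stream preprocessing does, and then decoded to recover the sender and recipient addresses, the Subject header, and every MIME attachment, including a base64 attachment that spans several segments. The message, the attachment contents, the addresses and the 1460-byte segment size are all constructed for the demonstration.

```python
"""Added example, not code from the FireSIGHT guide or the Snort SMTP
preprocessor: reassemble a client-to-server SMTP DATA stream from TCP
segments and pull out the MIME attachments, file names, addresses and
headers it carries.  The message and the segment size are constructed."""
import base64
import email
from email import policy

# Constructed sample attachments: one binary blob big enough to span several
# TCP segments once base64-encoded, and one short text file.
PDF_BYTES = b"%PDF-1.4 " + bytes(range(256)) * 8   # 2057 bytes, not a real PDF
TXT_BYTES = b"quarterly numbers"
MSS = 1460  # assumed TCP segment payload size


def build_message() -> bytes:
    """Return the bytes a client sends after the DATA command (constructed)."""
    pdf_b64 = base64.encodebytes(PDF_BYTES).replace(b"\n", b"\r\n")
    return (
        b"From: alice@example.test\r\n"
        b"To: bob@example.test\r\n"
        b"Subject: report\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="frontier"\r\n'
        b"\r\n"
        b"--frontier\r\n"
        b"Content-Type: text/plain\r\n"
        b"\r\n"
        b"see attached\r\n"
        b"--frontier\r\n"
        b'Content-Type: application/pdf; name="report.pdf"\r\n'
        b"Content-Transfer-Encoding: base64\r\n"
        b'Content-Disposition: attachment; filename="report.pdf"\r\n'
        b"\r\n" + pdf_b64 +
        b"--frontier\r\n"
        b'Content-Type: text/plain; name="notes.txt"\r\n'
        b'Content-Disposition: attachment; filename="notes.txt"\r\n'
        b"\r\n" + TXT_BYTES + b"\r\n"
        b"--frontier--\r\n"
    )


def segment(data: bytes, mss: int = MSS) -> list:
    """Split the DATA payload into TCP-sized segments, as it crosses the wire."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def reassemble(segments: list) -> bytes:
    """What TCP stream preprocessing hands the SMTP decoder: one ordered stream."""
    return b"".join(segments)


def extract(data: bytes) -> dict:
    """Decode the MIME message: addresses, Subject and every named attachment."""
    msg = email.message_from_bytes(data, policy=policy.default)
    attachments = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:  # attachments carry a file name; the inline text part does not
            attachments[name] = part.get_payload(decode=True)
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "attachments": attachments,
    }


def decoded_size(data: bytes, name: str) -> int:
    """Bytes recovered for attachment `name` from `data` (0 if it is not found)."""
    return len(extract(data)["attachments"].get(name, b""))


if __name__ == "__main__":
    stream = segment(build_message())
    full = extract(reassemble(stream))
    print(f"{len(stream)} segments; from={full['from']} to={full['to']} "
          f"subject={full['subject']}")
    for name, blob in full["attachments"].items():
        print(f"  {name}: {len(blob)} bytes decoded")
    # Decoding one segment on its own truncates the large attachment, which
    # is why the SMTP preprocessor depends on TCP stream preprocessing.
    print("report.pdf from the first segment alone:",
          decoded_size(stream[0], "report.pdf"), "bytes")
```

The `decoded_size` call on the first segment alone is the point of the exercise: without reassembly the base64 body is cut mid-stream and the decoder recovers only a fragment of `report.pdf`, so any rule that inspects the decoded attachment would be matching against incomplete data.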
Table 25-11    Additional POP Preprocessor Rules

Preprocessor Rule GID:SID    Description
142:1                        Generates an event when the preprocessor detects a client command that is not defined in RFC 1939.
142:2                        Generates an event when the preprocessor detects a server response that is not defined in RFC 1939.
142:3                        Generates an event when the preprocessor is using the maximum amount of memory allowed by the system. At this point, the preprocessor stops decoding until memory becomes available.
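As an added example that is not code from the FireSIGHT guide or from the Snort POP preprocessor, the checker below runs a constructed POP3 exchange through the three checks in Table 25-11 and records a (GID, SID, detail) event for each hit. The GID 142 and the SIDs come from the table; the command and status-indicator sets are the ones RFC 1939 defines; the per-session decode budget, the way decoding is suspended when it is exhausted, and the client/server lines are assumptions made for the demonstration. The detail a practitioner needs to get right is the multi-line response state: after a `+OK` to RETR, TOP or an argument-less LIST/UIDL the server sends message data until a lone `.`, and those lines are not responses and must not raise 142:2.

```python
"""Added example, not code from the FireSIGHT guide or the Snort POP
preprocessor: a minimal POP3 session checker that raises the three events
of Table 25-11 (GID 142, SIDs 1-3) over a constructed exchange.  The memory
cap and the suspend-until-message-ends behaviour are assumptions."""

# Client commands defined in RFC 1939 (sections 5-7), optional ones included.
RFC1939_COMMANDS = {"USER", "PASS", "QUIT", "STAT", "LIST", "RETR", "DELE",
                    "NOOP", "RSET", "TOP", "UIDL", "APOP"}
# RFC 1939 defines exactly two status indicators for server responses.
RFC1939_STATUS = {"+OK", "-ERR"}
MULTILINE_ALWAYS = {"RETR", "TOP"}      # LIST/UIDL are multi-line only without an argument
GID = 142


class PopChecker:
    """Tracks one POP3 session and records (gid, sid, detail) events."""

    def __init__(self, memcap: int = 4096):
        self.memcap = memcap            # assumed decode budget per session
        self.events = []
        self.expect_multiline = False   # last command gets a multi-line +OK
        self.in_data = False            # inside a multi-line response
        self.over_cap = False           # decoding suspended for this message
        self.decoded = bytearray()      # message bytes currently held in memory

    def _event(self, sid: int, detail: str) -> None:
        self.events.append((GID, sid, detail))

    def client(self, line: bytes) -> None:
        """142:1 when the command keyword is not defined in RFC 1939."""
        words = line.rstrip(b"\r\n").split()
        keyword = words[0].upper().decode("ascii", "replace") if words else ""
        if keyword not in RFC1939_COMMANDS:
            self._event(1, f"client command not in RFC 1939: {keyword!r}")
        self.expect_multiline = (keyword in MULTILINE_ALWAYS
                                 or (keyword in {"LIST", "UIDL"} and len(words) == 1))

    def server(self, line: bytes) -> None:
        """142:2 when a status line does not start with +OK or -ERR."""
        if self.in_data:
            self._data_line(line)
            return
        status = line.split(b" ", 1)[0].rstrip(b"\r\n").decode("ascii", "replace")
        if status not in RFC1939_STATUS:
            self._event(2, f"server response not in RFC 1939: {status!r}")
        # Only a +OK to a multi-line command opens a data block (RFC 1939 section 3).
        self.in_data = status == "+OK" and self.expect_multiline
        self.expect_multiline = False

    def _data_line(self, line: bytes) -> None:
        """142:3 once the held message data would exceed the cap; then skip."""
        body = line.rstrip(b"\r\n")
        if body == b".":                      # termination octet: message done
            self.in_data = False
            self.over_cap = False
            self.decoded.clear()              # memory is available again
            return
        if body.startswith(b"."):             # undo RFC 1939 byte-stuffing
            body = body[1:]
        if self.over_cap:
            return                            # still no memory: not decoded
        if len(self.decoded) + len(body) > self.memcap:
            self._event(3, "decode memory cap reached; decoding suspended")
            self.over_cap = True
            return
        self.decoded += body


def run_session(transcript: list, memcap: int = 4096) -> list:
    """Feed ("C"/"S", line) pairs through a checker and return its events."""
    chk = PopChecker(memcap)
    for direction, line in transcript:
        (chk.client if direction == "C" else chk.server)(line)
    return chk.events


# Constructed exchange: a CAPA (RFC 2449, not RFC 1939), a ~6 KB message
# retrieval, a bogus extension command and a malformed status line.
MESSAGE_LINES = [b"X" * 98 + b"\r\n" for _ in range(60)]
SAMPLE_SESSION = (
    [("S", b"+OK POP3 ready\r\n"),
     ("C", b"USER bob\r\n"), ("S", b"+OK\r\n"),
     ("C", b"PASS hunter2\r\n"), ("S", b"+OK logged in\r\n"),
     ("C", b"CAPA\r\n"), ("S", b"-ERR unknown command\r\n"),
     ("C", b"RETR 1\r\n"), ("S", b"+OK 6000 octets\r\n")]
    + [("S", data) for data in MESSAGE_LINES]
    + [("S", b".\r\n"),
       ("C", b"XTND XLST\r\n"), ("S", b"*ERR nope\r\n"),
       ("C", b"QUIT\r\n"), ("S", b"+OK bye\r\n")]
)

if __name__ == "__main__":
    for gid, sid, detail in run_session(SAMPLE_SESSION):
        print(f"{gid}:{sid}  {detail}")
```

Two things to take from the run. First, a strict RFC 1939 check flags common extensions such as CAPA (RFC 2449) and STLS (RFC 2595), so 142:1 needs tuning or suppression where clients legitimately use them. Second, 142:3 fires once per message rather than once per data line, and decoding resumes only when the message ends and its buffer is released, which is the behaviour the table describes for the real preprocessor.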