Cisco Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 25      Using Application Layer Preprocessors 
  Decoding FTP and Telnet Traffic
Tip
For more information on configuring the other options on this page, see 
Step 5
Optionally, you can modify any of the following under Global Settings:
  • Select Stateful Inspection to examine reassembled TCP streams containing FTP packets. Clear Stateful Inspection to inspect only unreassembled packets.
Caution
If you disable TCP Stream Configuration in an intrusion policy (not recommended), FTP and telnet processing becomes implicitly stateless even if you select Stateful Inspection here, because the TCP layer does not pass on any state information. You can determine whether TCP Stream Configuration is enabled by expanding Advanced Settings on the left side of the page; TCP Stream Configuration is enabled if it appears as a sublink beneath Advanced Settings. For more information on stateful inspection and stream reassembly settings, see 
  • Select Detect Encrypted Traffic to detect encrypted traffic. Clear Detect Encrypted Traffic to ignore encrypted traffic.
  • If needed, select Continue to Inspect Encrypted Data to continue checking a stream after it becomes encrypted, in case it becomes decrypted again and can be processed.
Step 6
Optionally, click Configure Rules for FTP and Telnet Configuration at the top of the page to display rules associated with individual options.
Click Back to return to the FTP and Telnet Configuration page.
Step 7
Save your policy, continue editing, discard your changes, revert to the default configuration settings in 
the base policy, or exit while leaving your changes in the system cache. See the 
 table for more information.
Understanding Telnet Options
License: Protection
You can enable or disable normalization of telnet commands by the FTP/Telnet decoder, enable or 
disable a specific anomaly case, and set the threshold number of Are You There (AYT) attacks to permit.
If no preprocessor rule is mentioned, the option is not associated with a preprocessor rule.
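To make the normalization and AYT threshold options concrete, the following added example (not from this guide and not the FTP/Telnet decoder's own code) models both on a raw byte stream. The names `inspect_telnet` and `ayt_threshold` are hypothetical, and treating the threshold as the longest run of consecutive AYT commands still permitted is an assumption.

```python
# Added example: simplified model of telnet normalization and AYT counting.
# Telnet command bytes: IAC=255, SB=250, SE=240, AYT=246.
IAC, SB, SE, AYT = 0xFF, 0xFA, 0xF0, 0xF6
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT


def inspect_telnet(stream: bytes, ayt_threshold: int):
    """Return (normalized_data, max_consecutive_ayt, alert).

    normalized_data is the stream with telnet command sequences removed.
    alert is True when a run of consecutive AYT commands exceeds
    ayt_threshold (hypothetical parameter; 0 disables the check).
    """
    out = bytearray()
    run = longest = 0
    i, n = 0, len(stream)
    while i < n:
        byte = stream[i]
        if byte != IAC:                  # ordinary data ends an AYT run
            out.append(byte)
            run = 0
            i += 1
            continue
        if i + 1 >= n:                   # lone IAC at end of buffer
            break
        cmd = stream[i + 1]
        if cmd == AYT:
            run += 1
            longest = max(longest, run)
            i += 2
            continue
        run = 0                          # any other command ends the run
        if cmd == IAC:                   # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in NEGOTIATION:         # IAC WILL/WONT/DO/DONT <option>
            i += 3
        elif cmd == SB:                  # skip to the closing IAC SE
            # Simplification: an escaped IAC inside the block is not handled.
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break                    # unterminated subnegotiation
            i = end + 2
        else:                            # two-byte commands such as NOP
            i += 2
    alert = ayt_threshold > 0 and longest > ayt_threshold
    return bytes(out), longest, alert


# Constructed sample: option negotiation, a login string, then five AYTs.
SAMPLE = (b"\xff\xfd\x18\xff\xfa\x18\x01\xff\xf0" b"login: admin\r\n"
          + b"\xff\xf6" * 5 + b"ls\r\n")
```

With the constructed sample, a threshold of 3 raises the alert while a threshold of 5 does not, and the normalized output contains only the login and command text.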
Ports
Indicates the ports whose telnet traffic you want to normalize. In the interface, list multiple ports 
separated by commas.
Note
Any port you add to the telnet Ports list should also be added in each TCP policy to the appropriate list of TCP reassembly ports, depending on whether you are monitoring client or server traffic, or both. Note, however, that reassembling additional traffic types (client, server, both) increases resource demands. For more information on configuring TCP reassembly ports, see .