Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 25: Using Application Layer Preprocessors
Decoding FTP and Telnet Traffic
You can specify a single IP address or address block, or a comma-separated list comprised of either 
or both. You can configure up to 1024 characters, and you can specify up to 255 profiles including 
the default profile. For information on using IPv4 and IPv6 address blocks in the FireSIGHT 
System, see 
Note that the default setting in the default policy specifies all IP addresses on your monitored 
network segment that are not covered by another target-based policy. Therefore, you cannot and do 
not need to specify an IP address or address block for the default policy, and you cannot leave this 
setting blank in another policy or use address notation to represent any (for example, 0.0.0.0/0 or 
::/0).
Ports
Use this option to specify the ports on the FTP server where the managed device should monitor 
traffic. In the interface, list multiple ports separated by commas.
Note: Any port you add to the server-level FTP Ports list should also be added in each TCP policy 
to the appropriate list of TCP reassembly ports, depending on whether you are monitoring 
client or server traffic, or both. Note, however, that reassembling additional traffic types 
(client, server, both) increases resource demands. For more information on configuring TCP 
reassembly ports, see .
File Get Commands
Use this option to define the FTP commands used to transfer files from server to client. Do not 
change these values unless directed to do so by Support.
File Put Commands
Use this option to define the FTP commands used to transfer files from client to server. Do not 
change these values unless directed to do so by Support.
Additional FTP Commands
Use this line to specify the additional commands that the decoder should detect. Separate additional 
commands by spaces.
Default Max Parameter Length
Use this option to detect the maximum parameter length for commands where an alternate maximum 
parameter length has not been set.
You can enable rule 125:3 to generate events for this option. See 
 for 
more information.
Alternate Max Parameter Length
Use this option to specify commands where you want to detect a different maximum parameter 
length, and to specify the maximum parameter length for those commands. Click Add to add lines 
where you can specify a different maximum parameter length to detect for particular commands.
Check Commands for String Format Attacks
Use this option to check the specified commands for string format attacks.
You can enable rule 125:5 to generate events for this option. See 
 for 
more information.
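
How the default and alternate maximum parameter lengths and the string format check interact on a single FTP command line, as an added example (not Cisco's code or the decoder's actual implementation). The limit values, the command lists, the format-specifier heuristic and the sample lines are all assumptions constructed for illustration.

```python
import re

# Assumed values for illustration; the page does not state the product defaults.
DEFAULT_MAX_PARAM_LEN = 100                          # Default Max Parameter Length
ALTERNATE_MAX_PARAM_LEN = {"USER": 32, "CWD": 256}   # Alternate Max Parameter Length
FORMAT_CHECK_COMMANDS = {"USER", "PASS", "CWD"}      # Check Commands for String Format Attacks

# Heuristic (an assumption, not the decoder's algorithm): any printf-style
# conversion such as %x, %n, %08s or %5$n inside the parameter.
FORMAT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?[diouxXsnp]"
)


def inspect_command(line):
    """Return the checks that one FTP command line would trip."""
    command, _, parameter = line.rstrip("\r\n").partition(" ")
    command = command.upper()
    events = []

    # An alternate length, when configured for the command, replaces the default.
    limit = ALTERNATE_MAX_PARAM_LEN.get(command, DEFAULT_MAX_PARAM_LEN)
    if len(parameter) > limit:
        events.append("max_param_len")      # page ties rule 125:3 to the length option

    # The format check applies only to the commands it is configured for.
    # A literal "%%" is an escaped percent sign, so drop it before matching.
    if command in FORMAT_CHECK_COMMANDS and FORMAT_SPEC.search(parameter.replace("%%", "")):
        events.append("format_string")      # page ties rule 125:5 to this option

    return events


# Constructed sample control-channel lines (not captured traffic).
SAMPLE_LINES = [
    "USER anonymous\r\n",
    "USER " + "A" * 40 + "\r\n",   # exceeds the alternate USER limit of 32
    "RETR " + "a" * 101 + "\r\n",  # exceeds the default limit of 100
    "CWD %x%x%n\r\n",              # conversion specifiers in a checked command
    "CWD 100%%\r\n",               # escaped percent only
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(repr(sample[:30]), inspect_command(sample))
```
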