Cisco Cisco Firepower Management Center 4000
25-28
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding FTP and Telnet Traffic
You can create profiles for FTP clients. Within each profile, you can specify the maximum response
length for an FTP response from a client. You can also configure whether the decoder detects bounce
attacks and use of telnet commands on the FTP command channel for a particular client.
If no preprocessor rule is mentioned, the option is not associated with a preprocessor rule.
Networks
Use this option to specify one or more IP addresses of FTP clients.
You can specify a single IP address or address block, or a comma-separated list comprised of either
or both. You can specify up to 1024 characters, and you can specify up to 255 profiles including the
default profile. For information on using IPv4 and IPv6 address blocks in the FireSIGHT System,
see
.
Note that the default setting in the default policy specifies all IP addresses on your monitored
network segment that are not covered by another target-based policy. Therefore, you cannot and do
not need to specify an IP address or address block for the default policy, and you cannot leave this
setting blank in another policy or use address notation to represent any (for example, 0.0.0.0/0 or
::/0).
Max Response Length
Use this option to specify the maximum length of a response string from the FTP client.
You can enable rule 125:6 to generate events for this option. See
for
more information.
Detect FTP Bounce Attempts
Use this option to detect FTP bounce attacks.
You can enable rule 125:8 to generate events for this option. See
for
more information.
Allow FTP Bounce to
Use this option to configure a list of additional hosts and ports on those hosts on which FTP PORT
commands should not be treated as FTP bounce attacks.
Detect Telnet Escape Codes within FTP Commands
Use this option to detect when telnet commands are used over the FTP command channel.
You can enable rule 125:1 to generate events for this option. See
for
more information.
Ignore Erase Commands During Normalization
When Detect Telnet Escape Codes within FTP Commands is selected, use this option to ignore telnet
character and line erase commands when normalizing FTP traffic. The setting should match how the
FTP client handles telnet erase commands. Note that newer FTP clients typically ignore telnet erase
commands, while older clients typically process them.
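The following Python example is added here for illustration and is not Cisco's code or the decoder's implementation. It shows the kind of check behind Detect FTP Bounce Attempts and Allow FTP Bounce to: a PORT command is flagged when the address it names is not the client's own, unless the host and port are on an allow-list. The function names, the allow-list format, and the sample addresses are assumptions constructed for this example.

```python
import ipaddress
import re

# Constructed allow-list in the spirit of "Allow FTP Bounce to":
# (network, lowest port, highest port). The format is an assumption.
ALLOW_BOUNCE_TO = [(ipaddress.ip_network("192.0.2.10/32"), 2121, 2121)]

# PORT h1,h2,h3,h4,p1,p2 as sent on the FTP command channel.
PORT_RE = re.compile(rb"^PORT[ \t]+(\d{1,3}(?:,\d{1,3}){5})[ \t]*\r?\n?$", re.I)

def parse_port(line):
    """Return (ip, port) named by a PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(b",")]
    if any(n > 255 for n in nums):
        return None  # each field must fit in one octet
    ip = ipaddress.ip_address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]

def classify(client_ip, line, allow=ALLOW_BOUNCE_TO):
    """Classify one command-channel line sent by client_ip."""
    parsed = parse_port(line)
    if parsed is None:
        return "malformed" if line[:4].upper() == b"PORT" else "not-port"
    ip, port = parsed
    if ip == ipaddress.ip_address(client_ip):
        return "ok"  # data connection goes back to the client itself
    for net, low, high in allow:
        if ip in net and low <= port <= high:
            return "allowed-bounce"  # third party explicitly permitted
    return "bounce"  # third-party target: candidate for an event

if __name__ == "__main__":
    # Constructed command lines from a client at 198.51.100.7.
    samples = [
        b"PORT 198,51,100,7,19,137\r\n",
        b"PORT 10,0,0,5,0,22\r\n",
        b"PORT 192,0,2,10,8,73\r\n",
        b"PORT 300,1,1,1,1,1\r\n",
        b"USER anonymous\r\n",
    ]
    for s in samples:
        print(s.strip().decode(), "->", classify("198.51.100.7", s))
```
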
Configuring Client-Level FTP Options
License: Protection