Cisco Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 25      Using Application Layer Preprocessors 
The Advanced Settings page appears.
Step 4
You have two choices, depending on whether Sun RPC Configuration under Application Layer Preprocessors is enabled:
  • If the configuration is enabled, click Edit.
  • If the configuration is disabled, click Enabled, then click Edit.
The Sun RPC Configuration page appears. A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See  for more information.
Step 5
In the Ports field, type the port numbers where you want to decode RPC traffic. Separate multiple ports with commas.
Step 6
You can select or clear any of the following detection options on the Sun RPC Configuration page:
  • Detect fragmented RPC records
  • Detect multiple records in one packet
  • Detect fragmented record sums which exceed one packet
  • Detect single fragment records which exceed the size of one packet
Step 7
Optionally, click Configure Rules for Sun RPC Configuration at the top of the page to display rules associated with individual options.
Click Back to return to the Sun RPC Configuration page.
Step 8
Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the  table for more information.
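The four detection options in Step 6 concern RPC record marking over TCP, in which every fragment is preceded by a 4-byte header holding a last-fragment bit and a 31-bit length (RFC 5531). The following Python is an added example, not Cisco's preprocessor code; the function names, finding labels, and sample payloads are assumptions, and each condition is approximated from the wording of the option.

```python
import struct

LAST_FRAGMENT = 0x80000000  # RFC 5531 record marking: high bit flags the final fragment

def frag(data: bytes, last: bool) -> bytes:
    """Build one record-marking fragment (used for the constructed samples)."""
    return struct.pack("!I", (LAST_FRAGMENT if last else 0) | len(data)) + data

def inspect_rpc_segment(payload: bytes) -> set:
    """Walk the record-marking headers in one TCP payload and return the
    conditions (named after the four detection options) that it exhibits."""
    findings = set()
    offset = records = frags_in_record = record_len = 0
    while offset + 4 <= len(payload):
        (marker,) = struct.unpack_from("!I", payload, offset)
        last, frag_len = bool(marker & LAST_FRAGMENT), marker & 0x7FFFFFFF
        offset += 4
        if frags_in_record == 0:
            records += 1                     # a new record starts here
        frags_in_record += 1
        record_len += frag_len               # declared size of the record so far
        if not last or frags_in_record > 1:  # record is split across fragments
            findings.add("fragmented_record")
            if record_len > len(payload):
                findings.add("fragment_sum_exceeds_packet")
        elif frag_len > len(payload) - offset:
            findings.add("single_fragment_exceeds_packet")
        if frag_len > len(payload) - offset:
            break                            # declared data runs past this packet
        offset += frag_len
        if last:
            frags_in_record = record_len = 0
    if records > 1:
        findings.add("multiple_records")
    return findings

# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "one complete record": frag(b"A" * 8, True),
    "record in two fragments": frag(b"A" * 4, False) + frag(b"B" * 4, True),
    "two records": frag(b"A" * 4, True) + frag(b"B" * 4, True),
    "oversized single fragment": struct.pack("!I", LAST_FRAGMENT | 4096) + b"A" * 16,
    "oversized fragment sum": struct.pack("!I", 2000) + b"A" * 8,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name}: {sorted(inspect_rpc_segment(payload)) or 'clean'}")
```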
Decoding the Session Initiation Protocol
License: Protection
The Session Initiation Protocol (SIP) provides call setup, modification, and teardown of one or more sessions for one or more users of such client applications as Internet telephony, multimedia conferencing, instant messaging, online gaming, and file transfer. A method field in each SIP request identifies the purpose of the request, and a Request-URI specifies where to send the request. A status code in each SIP response indicates the outcome of the requested action.
After calls are set up using SIP, the Real-time Transport Protocol (RTP) is responsible for subsequent audio and video communication; this part of the session is sometimes referred to as the call channel, the data channel, or the audio/video data channel. RTP uses the Session Description Protocol (SDP) within the SIP message body for data-channel parameter negotiation, session announcement, and session invitation.
The SIP preprocessor is responsible for:
  • decoding and analyzing SIP 2.0 traffic
  • extracting the SIP header and message body, including SDP data when present, and passing the extracted data to the rules engine for further inspection
  • generating events when the following conditions are detected and the corresponding preprocessor rules are enabled: anomalies and known vulnerabilities in SIP packets; out-of-order and invalid call sequences