Cisco Cisco Firepower Management Center 4000
25-62
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding SMTP Traffic
You can enable rule 124:4 to generate events for this option. See for more information.
Data Commands
Lists commands that initiate sending data in the same way the SMTP DATA command sends data
per RFC 5321. Separate multiple commands with spaces.
Binary Data Commands
Lists commands that initiate sending data in a way that is similar to how the BDAT command sends
data per RFC 3030. Separate multiple commands with spaces.
Authentication Commands
Lists commands that initiate an authentication exchange between client and server. Separate
multiple commands with spaces.
Detect xlink2state
Detects packets that are part of X-Link2State Microsoft Exchange buffer data overflow attacks. In
inline deployments, the system can also drop those packets.
You can enable rule 124:8 to generate events for this option. See for more information.
Base64 Decoding Depth
When Ignore Data is disabled, specifies the maximum number of bytes to extract and decode from
each Base64 encoded MIME email attachment. You can specify from 1 to 65535 bytes, or specify 0
to decode all the Base64 data. Specify -1 to ignore Base64 data. The preprocessor will not decode
data when Ignore Data is selected.
Note that positive values not divisible by 4 are rounded up to the next multiple of 4 except for the
values 65533, 65534, and 65535, which are rounded down to 65532.
When Base64 decoding is enabled, you can enable rule 124:10 to generate an event when decoding
fails; decoding could fail, for example, because of incorrect encoding or corrupted data. See
for more information.
Note that this option replaces the deprecated options Enable MIME Decoding and Maximum MIME
Decoding Depth, which are still supported in existing intrusion policies for backward compatibility.
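The Base64 Decoding Depth rules above, worked through in Python as an added example (not code from the guide or from the product). It assumes the depth counts encoded input bytes, which is consistent with the multiple-of-4 rounding; the function names and the sample attachment are constructed for illustration.

```python
import base64
import binascii

MAX_DEPTH = 65535

# Constructed sample: a 280-byte payload encoded as a MIME part would carry it.
PAYLOAD = b"constructed attachment body " * 10
SAMPLE = base64.encodebytes(PAYLOAD)


def effective_b64_depth(configured):
    """Return the depth actually applied for a configured value.

    None means Base64 data is ignored (-1); 0 means decode everything.
    """
    if not -1 <= configured <= MAX_DEPTH:
        raise ValueError("depth must be between -1 and 65535")
    if configured == -1:
        return None
    if configured % 4 == 0:
        return configured
    rounded = configured + (4 - configured % 4)
    # 65533..65535 would round up past the maximum, so they round down.
    return 65532 if rounded > MAX_DEPTH else rounded


def decode_attachment(encoded, configured):
    """Decode at most the effective depth of encoded bytes.

    Assumption: the depth counts encoded input bytes. Returns
    (decoded, failed); failed models the case rule 124:10 reports.
    """
    depth = effective_b64_depth(configured)
    if depth is None:
        return b"", False
    body = b"".join(encoded.split())  # remove CRLF line folding
    window = body if depth == 0 else body[:depth]
    try:
        return base64.b64decode(window, validate=True), False
    except binascii.Error:
        return b"", True


if __name__ == "__main__":
    for value in (-1, 0, 10, 65535):
        decoded, failed = decode_attachment(SAMPLE, value)
        print(value, effective_b64_depth(value), len(decoded), failed)
```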
7-Bit/8-Bit/Binary Decoding Depth
When Ignore Data is disabled, specifies the maximum bytes of data to extract from each MIME email
attachment that does not require decoding. These attachment types include 7-bit, 8-bit, binary, and
various multipart content types such as plain text, jpeg images, mp3 files, and so on. You can specify
from 1 to 65535 bytes, or specify 0 to extract all data in the packet. Specify -1 to ignore non-decoded
data. The preprocessor will not extract data when Ignore Data is selected.
Quoted-Printable Decoding Depth
When Ignore Data is disabled, specifies the maximum number of bytes to extract and decode from
each quoted-printable (QP) encoded MIME email attachment.
You can specify from 1 to 65535 bytes, or specify 0 to decode all QP encoded data in the packet.
Specify -1 to ignore QP encoded data. The preprocessor will not decode data when Ignore Data is
selected.