Cisco Cisco Firepower Management Center 4000
25-63
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding SMTP Traffic
When quoted-printable decoding is enabled, you can enable rule 124:11 to generate an event when
decoding fails; decoding could fail, for example, because of incorrect encoding or corrupted data.
See for more information.
Unix-to-Unix Decoding Depth
When Ignore Data is disabled, specifies the maximum number of bytes to extract and decode from
each Unix-to-Unix encoded (uuencoded) email attachment. You can specify from 1 to 65535 bytes,
or specify 0 to decode all uuencoded data in the packet. Specify -1 to ignore uuencoded data. The
preprocessor will not decode data when Ignore Data is selected.
When Unix-to-Unix decoding is enabled, you can enable rule 124:13 to generate an event when
decoding fails; decoding could fail, for example, because of incorrect encoding or corrupted data.
See for more information.
Log MIME Attachment Names
Enables extraction of MIME attachment file names from the MIME Content-Disposition header and
associates the file names with all intrusion events generated for the session. Multiple file names are
supported.
When this option is enabled, you can view file names associated with events in the Email
Attachment column of the intrusion events table view. See for more information.
Log To Addresses
Enables extraction of recipient email addresses from the SMTP RCPT TO command and associates
the recipient addresses with all intrusion events generated for the session. Multiple recipients are
supported.
When this option is enabled, you can view recipients associated with events in the Email Recipient
column of the intrusion events table view. See for more information.
Log From Addresses
Enables extraction of sender email addresses from the SMTP MAIL FROM command and associates
the sender addresses with all intrusion events generated for the session. Multiple sender addresses
are supported.
When this option is enabled, you can view senders associated with events in the Email Sender
column of the intrusion events table view. See for more information.
Log Headers
Enables extraction of email headers. The number of bytes to extract is determined by the value
specified for Header Log Depth.
You can use the content keyword to write intrusion rules that use email header data as a pattern.
You can also view the extracted email header in the intrusion event packet view. See and
for more information.
Header Log Depth
Specifies the number of bytes of the email header to extract when Log Headers is enabled. You can
specify 0 to 20480 bytes. A value of 0 disables Log Headers.
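The four logging options and Header Log Depth described above, modelled in Python as an added example (it is not Cisco's code or the preprocessor's implementation). The function name, the regular expressions and the sample session are assumptions constructed for illustration; the example shows which fields become associated with a session's events and how a small depth truncates the logged header.

```python
import re

# Constructed client-to-server SMTP stream (sample data, not a real capture).
SESSION = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<alice@example.com>\r\n"
    b"RCPT TO:<bob@example.org>\r\n"
    b"RCPT TO:<carol@example.org>\r\n"
    b"DATA\r\n"
    b"From: Alice <alice@example.com>\r\n"
    b"Subject: Q3 invoice\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b'Content-Disposition: attachment; filename="invoice.doc"\r\n'
    b"\r\n...\r\n"
    b"--b1\r\n"
    b'Content-Disposition: attachment; filename="notes.txt"\r\n'
    b"\r\n...\r\n"
    b"--b1--\r\n.\r\n"
)

# Hypothetical patterns for the commands and header the options read from.
MAIL_FROM = re.compile(rb"^MAIL FROM:\s*<([^>]*)>", re.I | re.M)
RCPT_TO = re.compile(rb"^RCPT TO:\s*<([^>]*)>", re.I | re.M)
FILENAME = re.compile(
    rb'^Content-Disposition:[^\r\n]*?filename="?([^";\r\n]+)', re.I | re.M)


def extract_session_metadata(stream, header_log_depth):
    """Hypothetical model of the per-session fields the logging options record."""
    if not 0 <= header_log_depth <= 20480:
        raise ValueError("Header Log Depth must be 0 to 20480 bytes")
    # Envelope commands precede DATA; the message (headers, then body) follows.
    envelope, _, message = stream.partition(b"\r\nDATA\r\n")
    headers = message.split(b"\r\n\r\n", 1)[0]  # header block ends at blank line
    return {
        "senders": [m.decode() for m in MAIL_FROM.findall(envelope)],
        "recipients": [m.decode() for m in RCPT_TO.findall(envelope)],
        "attachments": [m.decode() for m in FILENAME.findall(message)],
        # A depth of 0 disables header logging; otherwise keep the first N bytes.
        "headers": headers[:header_log_depth] if header_log_depth else None,
    }
```

With a depth of 16 the logged header in this sample stops before the Subject line, so any field an analyst expects to see in the packet view must fall within the configured depth.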