Cisco FirePOWER Appliance 8250
25-52
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding IMAP Traffic
Step 1 Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2 Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3 Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.
Step 4 You have two choices, depending on whether GTP Command Channel Configuration under Application Layer Preprocessors is enabled:
• If the configuration is enabled, click Edit.
• If the configuration is disabled, click Enabled, then click Edit.
The GTP Command Channel Configuration page appears.
Step 5 Optionally, modify the ports that the preprocessor inspects for GTP command messages. You can specify an integer from 0 to 65535. Use commas to separate multiple ports.
Step 6 Optionally, click Configure Rules for GTP Command Channel Configuration at the top of the page to display rules associated with individual options. Click Back to return to the GTP Command Channel Configuration page.
Step 7 Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the table for more information.
Decoding IMAP Traffic
License: Protection
The Internet Message Access Protocol (IMAP) is used to retrieve email from a remote IMAP server.
The IMAP preprocessor inspects server-to-client IMAP4 traffic and, when associated preprocessor rules are enabled, generates events on anomalous traffic. The preprocessor can also extract and decode email attachments in client-to-server IMAP4 traffic and send the attachment data to the rules engine. You can use the file_data keyword in an intrusion rule to point to the attachment data. See for more information.
Extraction and decoding include multiple attachments, when present, and large attachments that span multiple packets.
Note the following when using the IMAP preprocessor:
• Because IMAP traffic is carried over TCP/IP connections, the IMAP preprocessor requires TCP stream preprocessing. If TCP stream preprocessing is disabled and you enable the IMAP preprocessor, you are prompted when you save the policy whether to enable TCP stream preprocessing. See and for more information.
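The following Python script is an added example, not text or code from the FireSIGHT guide and not Cisco's or Snort's preprocessor implementation. It models, in miniature, the two points made above: attachments that span several packets can only be decoded once the TCP stream has been reassembled, and a rule keyed on the decoded attachment data (what file_data points at) sees bytes that never appear on the wire, because they are base64-encoded in transit. The message, attachment contents, file names, segment size and rule messages are all constructed for the example; the carrier used is a server FETCH response, but the same MIME decoding applies to a message a client uploads with APPEND.

```python
"""Toy model of IMAP attachment decoding: reassemble the TCP stream, find the
message literal in an IMAP FETCH response, decode the MIME attachments, then
check the decoded bytes the way a file_data-anchored rule would.
All sample data in this file is constructed for the example."""
import base64
import email
import random
import re
from email.policy import default
from typing import List, Tuple

# Constructed attachment contents (assumed, not real files): a PE-style header
# followed by zero padding, and a PDF header followed by zero padding.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 700
PDF_STUB = b"%PDF-1.4\n" + b"\x00" * 200


def build_message() -> bytes:
    """Constructed MIME message with a text body and two base64 attachments."""
    def b64(data: bytes) -> str:
        return base64.encodebytes(data).decode()
    return (
        "From: alice@example.test\r\nTo: bob@example.test\r\nSubject: invoice\r\n"
        "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"XX\"\r\n\r\n"
        "--XX\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
        "--XX\r\nContent-Type: application/octet-stream; name=\"setup.exe\"\r\n"
        "Content-Disposition: attachment; filename=\"setup.exe\"\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n" + b64(PE_STUB) +
        "--XX\r\nContent-Type: application/pdf; name=\"invoice.pdf\"\r\n"
        "Content-Disposition: attachment; filename=\"invoice.pdf\"\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n" + b64(PDF_STUB) +
        "--XX--\r\n"
    ).encode()


def build_fetch_response(message: bytes) -> bytes:
    """Server-to-client FETCH response carrying the message as an IMAP literal {N}."""
    return (b"* 1 FETCH (BODY[] {%d}\r\n" % len(message) + message
            + b")\r\nA003 OK FETCH completed\r\n")


def segment(stream: bytes, mss: int = 400, isn: int = 1000) -> List[Tuple[int, bytes]]:
    """Cut the byte stream into (sequence number, payload) TCP-style segments."""
    return [(isn + off, stream[off:off + mss]) for off in range(0, len(stream), mss)]


def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """Stand-in for TCP stream preprocessing: order by sequence number and join.
    Without it a parser sees fragments and misses attachments that span packets."""
    return b"".join(p for _, p in sorted(segments, key=lambda s: s[0]))


FETCH_LITERAL = re.compile(rb"\* \d+ FETCH \(BODY\[\] \{(\d+)\}\r\n")


def extract_fetch_literal(stream: bytes) -> bytes:
    """Return the raw RFC 822 message carried as a literal in a FETCH response."""
    m = FETCH_LITERAL.search(stream)
    if m is None:
        raise ValueError("no FETCH literal in stream")
    size, start = int(m.group(1)), m.end()
    if len(stream) < start + size:
        raise ValueError("literal truncated; stream not fully reassembled")
    return stream[start:start + size]


def extract_attachments(raw_message: bytes) -> List[Tuple[str, bytes]]:
    """Decode every attachment (transfer encoding removed) to (filename, bytes)."""
    msg = email.message_from_bytes(raw_message, policy=default)
    return [(part.get_filename() or "", part.get_payload(decode=True))
            for part in msg.iter_attachments()]


# Assumed rule messages; each pair behaves like "file_data; content:<magic>; depth:<n>;".
FILE_DATA_RULES = [("IMAP executable attachment", b"MZ"),
                   ("IMAP PDF attachment", b"%PDF-")]


def match_file_data(attachments, rules=FILE_DATA_RULES) -> List[Tuple[str, str]]:
    """Apply the content checks to decoded attachment data, as a file_data rule would."""
    return [(msg, name) for name, data in attachments
            for msg, magic in rules if data.startswith(magic)]


def matches_on_wire(stream: bytes, magic: bytes) -> bool:
    """The same check against undecoded wire bytes: base64 hides the magic."""
    return magic in stream


def run_demo() -> List[Tuple[str, str]]:
    """Segments arrive out of order; reassemble, parse the literal, decode, match."""
    stream = build_fetch_response(build_message())
    segments = segment(stream)
    random.Random(7).shuffle(segments)  # simulate out-of-order arrival
    raw = extract_fetch_literal(reassemble(segments))
    return match_file_data(extract_attachments(raw))


if __name__ == "__main__":
    for rule_msg, filename in run_demo():
        print(f"{rule_msg}: {filename}")
```

Running the script reports both attachments, while `matches_on_wire` finds neither `MZ` nor `%PDF-` in the same stream: a rule that inspects the raw packet payload instead of file_data cannot see inside a base64 attachment, and a parser fed one segment at a time cannot complete the literal, which is why the guide ties this preprocessor to TCP stream preprocessing.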