Cisco Cisco Firepower Management Center 4000
25-21
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding FTP and Telnet Traffic
Normalize
Normalizes telnet traffic to the specified ports.
Detect Anomalies
Enables detection of Telnet SB (subnegotiation begin) without the corresponding SE
(subnegotiation end).
Telnet supports subnegotiation, which begins with SB (subnegotiation begin) and must end with an
SE (subnegotiation end). However, certain implementations of Telnet servers will ignore the SB
without a corresponding SE. This is anomalous behavior that could be an evasion case. Because FTP
uses the Telnet protocol on the control connection, it is also susceptible to this behavior.
You can enable rule 126:3 to generate an event when this anomaly is detected in Telnet traffic, and
rule 125:9 when it is detected on the FTP command channel. See
for more information.
Are You There Attack Threshold Number
Detects when the number of consecutive AYT commands exceeds the specified threshold. Cisco
recommends that you set the AYT threshold to a value no higher than 20.
You can enable rule 126:1 to generate events for this option. See
for more information.
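The two checks described above, an SB with no closing SE and a run of consecutive AYT commands over the threshold, as an added example that is not code from this guide or from the product. The name scan_telnet, its result keys, the default threshold of 20 and the single-buffer handling are assumptions for illustration; an SB counts as unterminated when another command or the end of the buffer arrives before IAC SE.

```python
# Added example: simplified Telnet command scanner, not Snort or FireSIGHT code.
IAC, SB, SE, AYT = 255, 250, 240, 246   # Telnet command bytes (RFC 854)
OPTION_CMDS = {251, 252, 253, 254}      # WILL, WONT, DO, DONT carry one option byte

def scan_telnet(data: bytes, ayt_threshold: int = 20) -> dict:
    """Scan one reassembled Telnet or FTP control stream (assumed complete)."""
    unterminated_sb = 0          # SB seen with no closing IAC SE
    ayt_run = max_ayt_run = 0    # current and longest run of consecutive AYT
    in_sb = False
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:       # ordinary data byte (or SB payload)
            if not in_sb:
                ayt_run = 0
            i += 1
            continue
        if i + 1 >= n:           # lone IAC at end of buffer, nothing to decode
            break
        cmd, step = data[i + 1], 2
        if cmd == IAC:           # IAC IAC is an escaped 0xFF data byte
            if not in_sb:
                ayt_run = 0
        elif in_sb:
            if cmd == SE:
                in_sb = False
            else:                # another command arrived before IAC SE
                unterminated_sb += 1
                in_sb = False
                continue         # re-read this command outside the SB
        elif cmd == SB:
            in_sb, ayt_run = True, 0
        elif cmd == AYT:
            ayt_run += 1
            max_ayt_run = max(max_ayt_run, ayt_run)
        else:
            ayt_run = 0
            if cmd in OPTION_CMDS:
                step = 3         # skip the option byte
        i += step
    if in_sb:                    # stream ended inside a subnegotiation
        unterminated_sb += 1
    return {"unterminated_sb": unterminated_sb, "max_ayt_run": max_ayt_run,
            "ayt_exceeded": max_ayt_run > ayt_threshold}

if __name__ == "__main__":
    # Constructed samples: a closed SB, an SB cut short by IAC DO, 21 AYTs.
    print(scan_telnet(bytes([IAC, SB, 24, 0]) + b"xterm" + bytes([IAC, SE])))
    print(scan_telnet(bytes([IAC, SB, 24, 1, IAC, 253, 1]) + b"USER x\r\n"))
    print(scan_telnet(bytes([IAC, AYT]) * 21))
```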
Configuring Telnet Options
License: Protection
You can enable or disable normalization, enable or disable a specific anomaly case, and control the
threshold number of Are You There (AYT) attacks to permit. For additional information on telnet
options, see .
To configure telnet options:
Access: Admin/Intrusion Admin
Step 1
Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2
Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See
for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3
Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.
Step 4
You have two choices, depending on whether FTP and Telnet Configuration under Application Layer
Preprocessors is enabled:
• If the configuration is enabled, click Edit.
• If the configuration is disabled, click Enabled, then click Edit.
The FTP and Telnet Configuration page appears.