Cisco FirePOWER Appliance 7010
FireSIGHT System User Guide, page 25-44
Chapter 25  Using Application Layer Preprocessors
Using the Sun RPC Preprocessor
Step 13  Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the table for more information.
Enabling Additional HTTP Inspect Preprocessor Rules

License: Protection

You can enable the rules in the Preprocessor Rule GID:SID column of the following table to generate events for HTTP Inspect preprocessor rules that are not associated with specific configuration options. See for more information.
Using the Sun RPC Preprocessor

License: Protection

RPC (Remote Procedure Call) normalization takes fragmented RPC records and normalizes them to a single record so the rules engine can inspect the complete record. For example, an attacker may attempt to discover the port where RPC admind runs. Some UNIX hosts use RPC admind to perform remote distributed system tasks. If the host performs weak authentication, a malicious user could take control of remote administration. The standard text rule (generator ID: 1) with the Snort ID (SID) 575 detects this attack by searching for content in specific locations to identify inappropriate portmap GETPORT requests.
Ports

Specify the ports whose traffic you want to normalize. In the interface, list multiple ports separated by commas. Typical RPC ports are 111 and 32771. If your network sends RPC traffic to other ports, consider adding them.
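To show why the normalization described above matters, here is an added example (not FireSIGHT or Snort code) that reassembles record-marked ONC RPC fragments into whole records and then flags portmap GETPORT lookups for a watched program number. The record-marking and call layouts follow RFC 5531; the guide names RPC admind but not its program number, so WATCHED_PROG below is a constructed placeholder, and the sample stream is constructed rather than captured. The sample's first call is split so that neither fragment on its own contains a complete call header, which is exactly the case a fragment-by-fragment pattern match would miss.

```python
"""Added example (not FireSIGHT or Snort code): reassemble record-marked ONC RPC
fragments and flag portmap GETPORT lookups for a watched program number."""
import struct
from typing import List, Optional

# Record marking for RPC over stream transports (RFC 5531, section 11): each
# fragment is preceded by a 4-byte big-endian word whose top bit means "last
# fragment" and whose low 31 bits give the fragment length.
LAST_FRAGMENT = 0x80000000
PORTMAP_PROG = 100000   # portmapper program number
PORTMAP_GETPORT = 3     # GETPORT procedure number
RPC_CALL = 0            # msg_type for a call
# The guide names RPC admind but not its program number; this is a constructed
# placeholder for the demo, not the real assignment.
WATCHED_PROG = 999999


def reassemble(stream: bytes) -> List[bytes]:
    """Join record-marked fragments into complete RPC records.

    A record whose last fragment has not arrived yet is held back, as an
    inspector waiting for more data would do.
    """
    records, current, pos = [], bytearray(), 0
    while pos + 4 <= len(stream):
        (marker,) = struct.unpack("!I", stream[pos:pos + 4])
        length = marker & 0x7FFFFFFF
        body = stream[pos + 4:pos + 4 + length]
        if len(body) < length:
            break  # truncated fragment: need more data
        current += body
        pos += 4 + length
        if marker & LAST_FRAGMENT:
            records.append(bytes(current))
            current = bytearray()
    return records


def getport_target(record: bytes) -> Optional[int]:
    """Return the program number a portmap GETPORT call asks about, else None.

    Call layout (RFC 5531, section 9): xid, msg_type, rpcvers, prog, vers,
    proc, cred and verf (each flavor, length, padded body), then arguments;
    GETPORT's first argument is the program number being looked up.
    """
    if len(record) < 24:
        return None
    _xid, mtype, rpcvers, prog, _vers, proc = struct.unpack("!6I", record[:24])
    if (mtype, rpcvers, prog, proc) != (RPC_CALL, 2, PORTMAP_PROG, PORTMAP_GETPORT):
        return None
    pos = 24
    for _ in range(2):  # skip cred and verf
        if pos + 8 > len(record):
            return None
        _flavor, alen = struct.unpack("!II", record[pos:pos + 8])
        pos += 8 + ((alen + 3) & ~3)  # opaque bodies are padded to 4 bytes
    if pos + 4 > len(record):
        return None
    return struct.unpack("!I", record[pos:pos + 4])[0]


def getport_alerts(stream: bytes, watched: int = WATCHED_PROG) -> List[int]:
    """Indexes of reassembled records that are GETPORT lookups for `watched`."""
    return [i for i, rec in enumerate(reassemble(stream))
            if getport_target(rec) == watched]


# --- constructed sample input ------------------------------------------------
def build_getport_call(target_prog: int, xid: int) -> bytes:
    """Minimal AUTH_NULL portmap GETPORT call (sample data, not captured)."""
    head = struct.pack("!6I", xid, RPC_CALL, 2, PORTMAP_PROG, 2, PORTMAP_GETPORT)
    auth_null = struct.pack("!II", 0, 0) * 2        # cred + verf, both AUTH_NULL
    args = struct.pack("!4I", target_prog, 1, 6, 0)  # prog, vers, prot=TCP, port
    return head + auth_null + args


def frame(record: bytes, split_at: Optional[int] = None) -> bytes:
    """Apply record marking, optionally splitting the record into two fragments."""
    if split_at is None:
        return struct.pack("!I", LAST_FRAGMENT | len(record)) + record
    a, b = record[:split_at], record[split_at:]
    return struct.pack("!I", len(a)) + a + struct.pack("!I", LAST_FRAGMENT | len(b)) + b


# Record 0: lookup of the watched program, split so neither fragment alone
# holds the full call header.  Record 1: an unremarkable lookup of NFS (100003).
SAMPLE_STREAM = (frame(build_getport_call(WATCHED_PROG, xid=0x1001), split_at=16)
                 + frame(build_getport_call(100003, xid=0x1002)))

if __name__ == "__main__":
    print("records:", len(reassemble(SAMPLE_STREAM)), "alerts:", getport_alerts(SAMPLE_STREAM))
```

Running the module reports two reassembled records and an alert on record 0 only; feeding the first fragment's body to getport_target on its own returns None, which is the evasion that normalization closes.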
Table 25-7  Additional HTTP Inspect Preprocessor Rules

Preprocessor Rule GID:SID   Description
120:5                       Generates an event when UTF-7 encoding is encountered in HTTP response traffic; UTF-7 should only appear where 7-bit parity is required, such as in SMTP traffic.
119:21                      Generates an event when an HTTP request header has more than one content-length field.
119:24                      Generates an event when an HTTP request has more than one Host header.
119:28, 120:8               When enabled, these rules do not generate events.
119:32                      Generates an event when HTTP version 0.9 is encountered in traffic. Note that the TCP stream configuration must also be enabled. See .
119:33                      Generates an event when an HTTP URI includes an unescaped space.
119:34                      Generates an event when a TCP connection contains 24 or more pipelined HTTP requests.
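As an added example (not FireSIGHT or Snort code), the following Python reproduces the request-side conditions from Table 25-7 (119:21, 119:24, 119:32, 119:33, 119:34) over a constructed client byte stream, plus a simplified 120:5 check on a response. It assumes every request head in the sample ends with a blank line, that a body is skipped using the first Content-Length, that the whole client stream counts as one pipelined sequence, and that UTF-7 is recognised by the declared Content-Type charset; 119:28 and 120:8 generate no events and are not modelled.

```python
"""Added example (not FireSIGHT or Snort code): checks that mirror the request-
side rules in Table 25-7, run over a constructed client byte stream."""
from typing import List, Tuple

PIPELINE_THRESHOLD = 24  # 119:34 fires at 24 or more pipelined requests

# GID:SID values are those listed in Table 25-7.
RULES = {
    "119:21": "more than one content-length field in a request header",
    "119:24": "more than one Host header in a request",
    "119:32": "HTTP version 0.9 request",
    "119:33": "unescaped space in the URI",
    "119:34": "24 or more pipelined requests on one TCP connection",
    "120:5": "UTF-7 encoding in an HTTP response",
}

Request = Tuple[bytes, List[bytes]]  # (request line, header lines)


def split_requests(stream: bytes) -> List[Request]:
    """Split a client-to-server stream into requests.

    Simplification for the demo: every request head ends with a blank line
    (even the HTTP/0.9 one) and a body is skipped using the first
    Content-Length value; chunked bodies are not handled.
    """
    reqs, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].split(b"\r\n")
        headers = lines[1:]
        body_len = 0
        for h in headers:
            name, _, value = h.partition(b":")
            if name.strip().lower() == b"content-length":
                body_len = int(value.strip()) if value.strip().isdigit() else 0
                break
        reqs.append((lines[0], headers))
        pos = end + 4 + body_len
    return reqs


def header_count(headers: List[bytes], name: bytes) -> int:
    """Number of header lines whose (case-insensitive) name equals `name`."""
    return sum(1 for h in headers if h.partition(b":")[0].strip().lower() == name)


def inspect_requests(stream: bytes) -> List[Tuple[int, str]]:
    """Return (request index, GID:SID) for each rule condition found."""
    events = []
    reqs = split_requests(stream)
    for i, (req_line, headers) in enumerate(reqs):
        tokens = req_line.split(b" ")
        rest = tokens[1:]
        if rest and rest[-1].startswith(b"HTTP/"):
            version, uri_tokens = rest[-1], rest[:-1]
        else:
            version, uri_tokens = None, rest  # no version token: HTTP/0.9 style
        if header_count(headers, b"content-length") > 1:
            events.append((i, "119:21"))
        if header_count(headers, b"host") > 1:
            events.append((i, "119:24"))
        if version is None:
            events.append((i, "119:32"))
        if len(uri_tokens) > 1:  # the URI was split by an unescaped space
            events.append((i, "119:33"))
    # Assumption: everything in the stream was sent without waiting for
    # responses, so the whole stream counts as one pipelined sequence.
    if len(reqs) >= PIPELINE_THRESHOLD:
        events.append((PIPELINE_THRESHOLD - 1, "119:34"))
    return events


def inspect_response(stream: bytes) -> List[str]:
    """Flag 120:5 when a response declares charset=utf-7 in Content-Type.

    Simplification: the table does not say how the preprocessor recognises
    UTF-7, so only the declared charset is examined here.
    """
    head = stream.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type" and b"utf-7" in value.lower():
            return ["120:5"]
    return []


# Constructed sample stream: one clean request followed by one request per rule.
SAMPLE_CLIENT = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Length: 5\r\nContent-Length: 5\r\n\r\nhello"
    b"GET /a HTTP/1.1\r\nHost: a.example.com\r\nHost: b.example.com\r\n\r\n"
    b"GET /old\r\n\r\n"
    b"GET /file name.txt HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
)

if __name__ == "__main__":
    for idx, sid in inspect_requests(SAMPLE_CLIENT):
        print(f"request {idx}: {sid} {RULES[sid]}")
```

Run as a script it prints one line per flagged request (requests 1 through 4 of the sample, in table order); the clean request 0 produces nothing, and 119:34 only appears once a stream holds 24 requests.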