Cisco Cisco FirePOWER Appliance 8130
25-58
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding POP Traffic
The Intrusion Policy page appears.
Step 2
Click the edit icon (
) next to the policy you want to edit.
If you have unsaved advanced editor changes in another policy, click
OK
to discard those changes and
continue. See
for information on saving unsaved
changes in another policy.
The Policy Information page appears.
Step 3
Click
Advanced Settings
in the navigation panel on the left.
The Advanced Settings page appears.
Step 4
You have two choices, depending on whether
POP Configuration
under Application Layer Preprocessors is
enabled:
•
If the configuration is enabled, click
Edit
.
•
If the configuration is disabled, click
Enabled
, then click
Edit
.
The POP Configuration page appears. A message at the bottom of the page identifies the intrusion policy
layer that contains the configuration. See
layer that contains the configuration. See
for more
information.
Step 5
Specify the
Ports
where IMAP traffic should be decoded. Separate multiple port numbers with commas.
Note
Any port you add to the POP port list should also be added to the TCP client reassembly list for
each TCP policy. For information on configuring TCP reassembly ports, see
each TCP policy. For information on configuring TCP reassembly ports, see
Step 6
Specify the maximum bytes of data to extract and decode from any combination of the following email
attachment types:
attachment types:
•
Base64 Decoding Depth
•
7-Bit/8-Bit/Binary Decoding Depth
(includes various multipart content types such as plain text, jpeg
images, mp3 files, and so on)
•
Quoted-Printable Decoding Depth
•
Unix-to-Unix Decoding Depth
For each type, you can specify from 1 to 65535 bytes, or specify 0 to extract and, when necessary, decode
all data in the packet. Specify -1 to ignore data for an attachment type.
all data in the packet. Specify -1 to ignore data for an attachment type.
You can use the
file_data
rule keyword in intrusion rules to inspect the attachment data. See
for more information.
Step 7
Optionally, click
Configure Rules for POP Configuration
at the top of the page to display rules associated with
individual options.
Click
Back
to return to the POP Configuration page.
Step 8
Save your policy, continue editing, discard your changes, revert to the default configuration settings in
the base policy, or exit while leaving your changes in the system cache. See the
the base policy, or exit while leaving your changes in the system cache. See the
table for more information.
Enabling Additional POP Preprocessor Rules
License:
Protection