Cisco Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
873
Using Application Layer Preprocessors
Decoding FTP and Telnet Traffic
Chapter 23
Note that the default setting in the default policy specifies all IP addresses
on your monitored network segment that are not covered by another
target-based policy. Therefore, you cannot and do not need to specify an IP
address or address block for the default policy, and you cannot leave this
setting blank in another policy or use address notation to represent any (for
example, 0.0.0.0/0 or ::/0).
Max Response Length
Use this option to specify the maximum length of a response string from the
FTP client.
You can enable rule 125:6 to generate events for this option. See
on page 770 for more information.
Detect FTP Bounce Attempts
Use this option to detect FTP bounce attacks.
You can enable rule 125:8 to generate events for this option. See
on page 770 for more information.
Allow FTP Bounce to
Use this option to configure a list of additional hosts and ports on those hosts
on which FTP PORT commands should not be treated as FTP bounce attacks.
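A simplified model of the check behind Detect FTP Bounce Attempts and Allow FTP Bounce to, added here as an illustration and not taken from the guide or from the preprocessor's own code: it flags a PORT command whose address differs from the client's unless that host and port are on an allow list. The function names, the allow-list tuple format and the sample session are assumptions.

```python
import ipaddress
import re

# PORT argument per RFC 959: h1,h2,h3,h4,p1,p2 as decimal octets.
PORT_RE = re.compile(rb"^\s*PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)

def parse_port(line):
    """Return (IPv4Address, port) named by a PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(b",")]
    if any(o > 255 for o in octets):
        return None
    addr = ipaddress.IPv4Address(".".join(map(str, octets[:4])))
    return addr, octets[4] * 256 + octets[5]

def classify(client_ip, line, allow=()):
    """Verdict for one command line: not-port, malformed, ok, allowed or bounce."""
    if not re.match(rb"\s*PORT\b", line, re.IGNORECASE):
        return "not-port"
    target = parse_port(line)
    if target is None:
        return "malformed"
    addr, port = target
    if addr == ipaddress.ip_address(client_ip):
        return "ok"           # data connection goes back to the client itself
    for net, low, high in allow:
        if addr in ipaddress.ip_network(net) and low <= port <= high:
            return "allowed"  # third party explicitly permitted
    return "bounce"           # PORT names a host other than the client

def scan(client_ip, lines, allow=()):
    """Return (line_index, verdict) for every line that is not clean."""
    verdicts = ((i, classify(client_ip, l, allow)) for i, l in enumerate(lines))
    return [(i, v) for i, v in verdicts if v in ("bounce", "malformed")]

# Constructed sample session (documentation address ranges, not real traffic).
CLIENT = "192.0.2.10"
ALLOW = [("203.0.113.5/32", 20020, 20020)]   # hypothetical allow-list entry
SAMPLE = [
    b"USER anonymous\r\n",
    b"PORT 192,0,2,10,195,80\r\n",    # client's own address, port 50000
    b"PORT 203,0,113,5,78,52\r\n",    # allow-listed host, port 20020
    b"PORT 198,51,100,7,0,25\r\n",    # third-party host, port 25
    b"PORT 192,0,2,10,999,1\r\n",     # octet out of range
]

if __name__ == "__main__":
    for index, verdict in scan(CLIENT, SAMPLE, ALLOW):
        print(index, verdict, SAMPLE[index])
```
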
Detect Telnet Escape Codes within FTP Commands
Use this option to detect when telnet commands are used over the FTP
command channel.
You can enable rule 125:1 to generate events for this option. See
on page 770 for more information.
Ignore Erase Commands During Normalization
When Detect Telnet Escape Codes within FTP Commands is selected, use this
option to ignore telnet character and line erase commands when normalizing
FTP traffic. The setting should match how the FTP client handles telnet erase
commands. Note that newer FTP clients typically ignore telnet erase
commands, while older clients typically process them.