Cisco Cisco FirePOWER Appliance 7115

Version 5.3

Sourcefire 3D System User Guide

907

Using Application Layer Preprocessors

Decoding IMAP Traffic

Chapter 23

Selecting IMAP Preprocessor Options

ICENSE

: Protection

The following list describes the IMAP preprocessor options you can modify.
Note that decoding, or extraction when the MIME email attachment does not

require decoding, includes multiple attachments when present, and large

attachments that span multiple packets.
Note also that when the values for the Base64 Decoding Depth, 7-Bit/8-Bit/Binary

Decoding Depth, Quoted-Printable Decoding Depth, or Unix-to-Unix Decoding Depth

options are different in an intrusion policy associated with the default action of an

access control policy and intrusion policies associated with access control rules,

the highest value is used. See

information.
If no preprocessor rule is mentioned, the option is not associated with a

preprocessor rule.

Ports

Specifies the ports to inspect for IMAP traffic. You can specify an integer

from 0 to 65535. Separate multiple port numbers with commas.

IMPORTANT!

Any port you add to the IMAP port list should also be added to

the TCP client reassembly list for each TCP policy. For information on

configuring TCP reassembly ports, see

Base64 Decoding Depth

Specifies the maximum number of bytes to extract and decode from each

Base64 encoded MIME email attachment. You can specify from 1 to 65535

bytes, or specify 0 to decode all the Base64 data. Specify -1 to ignore Base64

data.
Note that positive values not divisible by 4 are rounded up to the next multiple

of 4 except for the values 65533, 65534, and 65535, which are rounded down

to 65532.
When Base64 decoding is enabled, you can enable rule 141:4 to generate an

event when decoding fails; decoding could fail, for example, because of

incorrect encoding or corrupted data.