Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding IMAP Traffic
• If you want IMAP preprocessor rules to generate events, you must enable the rules. IMAP
preprocessor rules have a generator ID (GID) of 141. A link on the configuration page takes you to
a filtered view of IMAP preprocessor rules on the intrusion policy Rules page, where you can enable
and disable rules and configure other rule actions. See
information.
Selecting IMAP Preprocessor Options
License: Protection
The following list describes the IMAP preprocessor options you can modify.
Note that decoding, or extraction when the MIME email attachment does not require decoding, includes
multiple attachments when present, and large attachments that span multiple packets.
Note also that when the values for the Base64 Decoding Depth, 7-Bit/8-Bit/Binary Decoding Depth,
Quoted-Printable Decoding Depth, or Unix-to-Unix Decoding Depth options are different in an intrusion policy
associated with the default action of an access control policy and intrusion policies associated with
access control rules, the highest value is used. See
for more information.
If no preprocessor rule is mentioned, the option is not associated with a preprocessor rule.
Ports
Specifies the ports to inspect for IMAP traffic. You can specify an integer from 0 to 65535. Separate
multiple port numbers with commas.
Note
Any port you add to the IMAP port list should also be added to the TCP client reassembly
list for each TCP policy. For information on configuring TCP reassembly ports, see
.
Base64 Decoding Depth
Specifies the maximum number of bytes to extract and decode from each Base64 encoded MIME
email attachment. You can specify from 1 to 65535 bytes, or specify 0 to decode all the Base64 data.
Specify -1 to ignore Base64 data.
Note that positive values not divisible by 4 are rounded up to the next multiple of 4 except for the
values 65533, 65534, and 65535, which are rounded down to 65532.
When Base64 decoding is enabled, you can enable rule 141:4 to generate an event when decoding
fails; decoding could fail, for example, because of incorrect encoding or corrupted data.
7-Bit/8-Bit/Binary Decoding Depth
Specifies the maximum bytes of data to extract from each MIME email attachment that does not
require decoding. These attachment types include 7-bit, 8-bit, binary, and various multipart content
types such as plain text, jpeg images, mp3 files, and so on. You can specify from 1 to 65535 bytes,
or specify 0 to extract all data in the packet. Specify -1 to ignore non-decoded data.
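The following Python check is an added example, not part of the Cisco guide or product. It applies the Base64 Decoding Depth rounding rule and the Ports note above to one policy's settings. The function names, the policy names, and the comma-separated form of the TCP client reassembly list are assumptions, and the sample values are constructed.

```python
# Added example: policy values below are constructed, not exported from a device.

def normalize_b64_depth(value):
    """Return the Base64 Decoding Depth that results from the guide's rounding rule."""
    if value in (0, -1):                 # 0 = decode all Base64 data, -1 = ignore it
        return value
    if not 1 <= value <= 65535:
        raise ValueError(f"Base64 depth out of range: {value}")
    if value >= 65533:                   # 65533, 65534, 65535 round down to 65532
        return 65532
    return (value + 3) // 4 * 4          # otherwise round up to a multiple of 4


def parse_ports(text):
    """Parse a comma-separated port list; each port is an integer from 0 to 65535."""
    ports = set()
    for item in text.split(","):
        port = int(item.strip())
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.add(port)
    return ports


def audit_imap_settings(imap_ports, tcp_client_ports, b64_depth):
    """List findings for one intrusion policy.
    tcp_client_ports maps a TCP policy name (hypothetical) to its client
    reassembly port list, assumed here to be comma-separated like the IMAP list.
    """
    findings = []
    imap = parse_ports(imap_ports)
    for name, port_list in sorted(tcp_client_ports.items()):
        missing = sorted(imap - parse_ports(port_list))
        if missing:
            findings.append(f"TCP policy {name}: IMAP ports {missing} missing "
                            "from client reassembly list")
    applied = normalize_b64_depth(b64_depth)
    if applied != b64_depth:
        findings.append(f"Base64 depth {b64_depth} is applied as {applied}")
    if applied == -1:
        findings.append("Base64 data is ignored (-1)")
    return findings


if __name__ == "__main__":
    for finding in audit_imap_settings(
            "143, 1143", {"default": "21,23,25,143", "dmz": "143,1143"}, 1001):
        print(finding)
```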