Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 25
Using Application Layer Preprocessors
Application-layer protocols can represent the same data in a variety of ways. Cisco provides
application-layer protocol decoders that normalize specific types of packet data into formats that the
rules engine can analyze. Normalizing application-layer protocol encodings allows the rules engine to
effectively apply the same content-related rules to packets whose data is represented differently and
obtain meaningful results.
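The normalization idea described above, shown as an added example that is not part of the guide or of Cisco's decoder code: a small Python URI normalizer (percent-decoding and path canonicalization are assumed, simplified steps; the real HTTP decoder does considerably more) followed by one content match applied to three encodings of the same request path. The sample URIs and the content rule are constructed for the example.

```python
import posixpath
import urllib.parse

# Constructed sample: one request path represented three different ways on the wire.
SAMPLE_URIS = [
    "/cgi-bin/admin.cgi",               # plain
    "/cgi%2Dbin/%61dmin.cgi",           # percent-encoded characters
    "/images/../cgi-bin/./admin.cgi",   # directory traversal and self-reference segments
]

# Constructed content rule, in the spirit of a Snort 'content' match on the normalized URI.
CONTENT_RULE = b"/cgi-bin/admin.cgi"


def normalize_uri(raw: str) -> bytes:
    """Canonicalize a URI path the way a decoder would before the rules engine sees it.

    Assumed steps: drop the query string, apply one pass of percent-decoding,
    then collapse '.' and '..' segments so traversal tricks resolve to one form.
    """
    path = raw.split("?", 1)[0]
    decoded = urllib.parse.unquote(path)        # %2D -> '-', %61 -> 'a'
    collapsed = posixpath.normpath(decoded)     # resolves ./ and ../ segments
    return collapsed.encode("utf-8")


def rule_matches(raw: str, pattern: bytes = CONTENT_RULE) -> bool:
    """Apply the content rule to the normalized URI (what a preprocessor enables)."""
    return pattern in normalize_uri(raw)


def matches_without_normalization(raw: str, pattern: bytes = CONTENT_RULE) -> bool:
    """Apply the same rule to the raw bytes, to show the evasion a decoder prevents."""
    return pattern in raw.encode("utf-8")


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:35} raw={matches_without_normalization(uri)!s:5} "
              f"normalized={rule_matches(uri)}")
```

Only the plain form matches on raw bytes; after normalization all three representations trigger the same rule.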
Note that preprocessors do not generate events in most cases unless you enable the accompanying
preprocessor rules. See
for more information.
See the following sections for more information:
• describes the DCE/RPC preprocessor and explains how to configure it to prevent evasion attempts and detect anomalies in DCE/RPC traffic.
• describes the DNS preprocessor and explains how to configure it to detect any of three specific exploits in DNS name server responses.
• describes the FTP/Telnet decoder and explains how to configure it to normalize and decode FTP and Telnet traffic.
• describes the HTTP decoder and explains how to configure it to normalize HTTP traffic.
• describes the RPC decoder and explains how to configure it to normalize RPC traffic.
• explains how you can use the SIP preprocessor to decode and detect anomalies in SIP traffic.
• explains how you can use the GTP preprocessor to provide the rules engine with GTP command channel messages extracted by the packet decoder.
• explains how you can use the IMAP preprocessor to decode and detect anomalies in IMAP traffic.
• explains how you can use the POP preprocessor to decode and detect anomalies in POP traffic.
• describes the SMTP decoder and explains how to configure it to decode and normalize SMTP traffic.
• explains how to identify and process exploits in SSH-encrypted traffic.