Cisco Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding the Session Initiation Protocol
• optionally ignoring the call channel
The preprocessor identifies the RTP channel based on the port identified in the SDP message, which is
embedded in the SIP message body, but the preprocessor does not provide RTP protocol inspection.
Note the following when using the SIP preprocessor:
• UDP typically carries media sessions supported by SIP. UDP stream preprocessing provides SIP
session tracking for the SIP preprocessor. UDP session tracking must be enabled before you can save
a policy with the SIP preprocessor enabled. See
for more information.
• SIP rule keywords allow you to point to the SIP packet header or message body and to limit detection
to packets for specific SIP methods or status codes. For more information, see
• When enabled, the preprocessor generates no events before sending the extracted data to the rules
engine unless you also enable the accompanying rules with generator ID (GID) 140. A link on the
configuration page takes you to a filtered view of SIP preprocessor rules on the intrusion policy
Rules page, where you can enable and disable rules and configure other rule actions. See
for more information.
• When a shared object rule or standard text rule that requires this preprocessor is enabled in an
intrusion policy where the preprocessor is disabled, you must enable the preprocessor or choose to
allow the system to enable it automatically before you can save the policy. For more information,
see
.
Selecting SIP Preprocessor Options
License: Protection
The following list describes SIP preprocessor options you can modify.
For the Maximum Request URI Length, Maximum Call ID Length, Maximum Request Name Length,
Maximum From Length, Maximum To Length, Maximum Via Length, Maximum Contact Length, and
Maximum Content Length options, you can specify from 1 to 65535 bytes, or 0 to disable event
generation for the option regardless of whether the associated rule is enabled.
If no preprocessor rule is mentioned, the option is not associated with a preprocessor rule.
Ports
Specifies the ports to inspect for SIP traffic. You can specify an integer from 0 to 65535. Separate
multiple port numbers with commas.
Methods to Check
Specifies SIP methods to detect. You can specify any of the following currently defined SIP
methods:
ack, benotify, bye, cancel, do, info, invite, join, message,
notify, options, prack, publish, quath, refer, register,
service, sprack, subscribe, unsubscribe, update
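The following added example (not Cisco code, and not how the preprocessor is implemented) applies the semantics described above to one SIP request: per-field length limits where 0 disables the check, the list of methods to check, and the RTP port read from the SDP body. The limit values, the field-to-option mapping, the function name inspect_sip and the sample message are assumptions made for illustration.

```python
import re

# Method names listed on the page; limits below are constructed, not product defaults.
METHODS = set("""ack benotify bye cancel do info invite join message notify options prack
publish quath refer register service sprack subscribe unsubscribe update""".split())
LIMITS = {"request_uri": 256, "call-id": 32, "request_name": 20, "from": 256,
          "to": 256, "via": 1024, "contact": 0, "content-length": 1024}

def inspect_sip(raw, limits=LIMITS, methods=METHODS):
    """Check one SIP request; return method status, oversize fields and RTP ports."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    # Assumption: the request name is the method token on the request line.
    method, uri = (lines[0].split(" ") + [""])[:2]
    fields = {"request_uri": uri, "request_name": method}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # keep the first occurrence of each header
            fields.setdefault(name.strip().lower(), value.strip())
    too_long = []
    for key, limit in limits.items():
        value = fields.get(key, "")
        # Assumption: Content-Length is compared by numeric value, other fields by size.
        numeric = key == "content-length" and value.isdigit()
        size = int(value) if numeric else len(value.encode())
        if limit and size > limit:  # a limit of 0 disables the check
            too_long.append(key)
    # An SDP media line looks like "m=audio 49170 RTP/AVP 0"; the second token is the port.
    ports = [int(p) for p in re.findall(rb"^m=\w+ (\d+)", body, re.M)]
    return {"method_listed": method.lower() in methods,
            "too_long": too_long, "rtp_ports": ports}

# Constructed sample request (not captured traffic) with an oversized Call-ID.
SAMPLE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds\r\n"
          b"From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
          b"To: Bob <sip:bob@example.com>\r\n"
          b"Call-ID: " + b"a" * 40 + b"@pc33.example.com\r\n"
          b"Contact: <sip:alice@pc33.example.com>\r\n"
          b"Content-Type: application/sdp\r\n"
          b"Content-Length: 51\r\n\r\n"
          b"v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n")

if __name__ == "__main__":
    print(inspect_sip(SAMPLE))
```

Compact header forms and repeated Via headers are not handled; only the first occurrence of each full header name is measured.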