Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide 25-55
Chapter 25 Using Application Layer Preprocessors
Decoding IMAP Traffic
Note: Any port you add to the IMAP port list should also be added to the TCP client reassembly list for each TCP policy. For information on configuring TCP reassembly ports, see
Step 6 Specify the maximum bytes of data to extract and decode from any combination of the following email attachment types:
• Base64 Decoding Depth
• 7-Bit/8-Bit/Binary Decoding Depth (includes various multipart content types such as plain text, jpeg images, mp3 files, and so on)
• Quoted-Printable Decoding Depth
• Unix-to-Unix Decoding Depth
For each type, you can specify from 1 to 65535 bytes, or specify 0 to extract and, when necessary, decode all data in the packet. Specify -1 to ignore data for an attachment type.
You can use the file_data rule keyword in intrusion rules to inspect the attachment data. See for more information.
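The decoding-depth values described in Step 6 (-1 ignore, 0 decode everything, 1 to 65535 cap the extracted bytes) determine how much of an attachment the file_data keyword can see. The following added example, which is not code from the guide or from the preprocessor itself, models those semantics for the four encodings on constructed sample attachments; it assumes the limit is applied to the encoded bytes before decoding, and that a truncated uuencode line is dropped rather than decoded.

```python
import base64
import binascii
import quopri

# Constructed sample attachment body (not from the guide), 44 bytes so it
# fits one uuencode line; it contains "=" so quoted-printable must escape it.
PLAIN = b"Total due = 100 EUR, see attached file body\n"
SAMPLES = {
    "base64": base64.b64encode(PLAIN),
    "quoted-printable": quopri.encodestring(PLAIN),
    "7bit": PLAIN,                     # 7-bit/8-bit/binary: stored as-is
    "uuencode": binascii.b2a_uu(PLAIN),
}


def _decode_uu(chunk):
    # Decode only complete lines; a truncated final line is dropped.
    complete = chunk.split(b"\n")[:-1]
    return b"".join(binascii.a2b_uu(line) for line in complete if line)


def decode_with_depth(encoding, data, depth):
    """Model the decoding-depth setting for one attachment type.

    depth == -1 : ignore this attachment type (nothing exposed to file_data)
    depth == 0  : extract and decode all data
    1..65535    : extract at most `depth` bytes of encoded data, then decode
    Returns the bytes file_data would inspect, or None when ignored.
    """
    if depth == -1:
        return None
    if depth < -1 or depth > 65535:
        raise ValueError("depth must be -1, 0, or 1..65535")
    chunk = data if depth == 0 else data[:depth]
    if encoding == "base64":
        # Keep whole 4-character groups so a partial tail does not
        # abort decoding of the bytes that were captured.
        chunk = chunk[: len(chunk) - len(chunk) % 4]
        return base64.b64decode(chunk)
    if encoding == "quoted-printable":
        return quopri.decodestring(chunk)
    if encoding == "uuencode":
        return _decode_uu(chunk)
    if encoding == "7bit":
        return chunk
    raise ValueError("unknown encoding: %s" % encoding)


if __name__ == "__main__":
    for enc, body in SAMPLES.items():
        for depth in (-1, 0, 16):
            print(enc, depth, decode_with_depth(enc, body, depth))
```

Running it shows that with a depth of 16 only the first few bytes of each attachment reach file_data, so a rule matching content further into the body would not fire; the uuencode case yields nothing because the single encoded line is incomplete.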
Step 7 Optionally, click Configure Rules for IMAP Configuration at the top of the page to display rules associated with individual options. Click Back to return to the IMAP Configuration page.
Step 8 Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the table for more information.
Enabling Additional IMAP Preprocessor Rules
License: Protection
The IMAP preprocessor rules in the following table are not associated with specific configuration options. As with other IMAP preprocessor rules, you must enable these rules if you want them to generate events. See for information on enabling rules.
Table 25-10 Additional IMAP Preprocessor Rules

Preprocessor Rule GID:SID   Description
141:1                       Generates an event when the preprocessor detects a client command that is not defined in RFC 3501.
141:2                       Generates an event when the preprocessor detects a server response that is not defined in RFC 3501.
141:3                       Generates an event when the preprocessor is using the maximum amount of memory allowed by the system. At this point, the preprocessor stops decoding until memory becomes available.