Cisco Cisco FirePOWER Appliance 7020
25-57
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding POP Traffic
Note
Any port you add to the POP port list should also be added to the TCP client reassembly list for
each TCP policy. For information on configuring TCP reassembly ports, see
each TCP policy. For information on configuring TCP reassembly ports, see
Base64 Decoding Depth
Specifies the maximum number of bytes to extract and decode from each Base64 encoded MIME
email attachment. You can specify from 1 to 65535 bytes, or specify 0 to decode all the Base64 data.
Specify -1 to ignore Base64 data.
email attachment. You can specify from 1 to 65535 bytes, or specify 0 to decode all the Base64 data.
Specify -1 to ignore Base64 data.
Note that positive values not divisible by 4 are rounded up to the next multiple of 4 except for the
values 65533, 65534, and 65535, which are rounded down to 65532.
values 65533, 65534, and 65535, which are rounded down to 65532.
When Base64 decoding is enabled, you can enable rule 142:4 to generate an event when decoding
fails; decoding could fail, for example, because of incorrect encoding or corrupted data. See
fails; decoding could fail, for example, because of incorrect encoding or corrupted data. See
for more information.
7-Bit/8-Bit/Binary Decoding Depth
Specifies the maximum bytes of data to extract from each MIME email attachment that does not
require decoding. These attachment types include 7-bit, 8-bit, binary, and various multipart content
types such as plain text, jpeg images, mp3 files, and so on. You can specify from 1 to 65535 bytes,
or specify 0 to extract all data in the packet. Specify -1 to ignore non-decoded data.
require decoding. These attachment types include 7-bit, 8-bit, binary, and various multipart content
types such as plain text, jpeg images, mp3 files, and so on. You can specify from 1 to 65535 bytes,
or specify 0 to extract all data in the packet. Specify -1 to ignore non-decoded data.
Quoted-Printable Decoding Depth
Specifies the maximum number of bytes to extract and decode from each quoted-printable (QP)
encoded MIME email attachment. You can specify from 1 to 65535 bytes, or specify 0 to decode all
QP encoded data in the packet. Specify -1 to ignore QP encoded data.
encoded MIME email attachment. You can specify from 1 to 65535 bytes, or specify 0 to decode all
QP encoded data in the packet. Specify -1 to ignore QP encoded data.
When quoted-printable decoding is enabled, you can enable rule 142:6 to generate an event when
decoding fails; decoding could fail, for example, because of incorrect encoding or corrupted data.
See
decoding fails; decoding could fail, for example, because of incorrect encoding or corrupted data.
See
for more information.
Unix-to-Unix Decoding Depth
Specifies the maximum number of bytes to extract and decode from each Unix-to-Unix encoded
(uuencoded) email attachment. You can specify from 1 to 65535 bytes, or specify 0 to decode all
uuencoded data in the packet. Specify -1 to ignore uuencoded data.
(uuencoded) email attachment. You can specify from 1 to 65535 bytes, or specify 0 to decode all
uuencoded data in the packet. Specify -1 to ignore uuencoded data.
When Unix-to-Unix decoding is enabled, you can enable rule 142:7 to generate an event when
decoding fails; decoding could fail, for example, because of incorrect encoding or corrupted data.
See
decoding fails; decoding could fail, for example, because of incorrect encoding or corrupted data.
See
for more information.
Configuring the POP Preprocessor
License:
Protection
Use the following procedure to configure the POP preprocessor. For additional information on POP
preprocessor configuration options, see
preprocessor configuration options, see
.
To configure the POP preprocessor:
Access:
Admin/Intrusion Admin
Step 1
Select
Policies > Intrusion > Intrusion Policy.