Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide, page 25-65
Chapter 25 Using Application Layer Preprocessors
Decoding SMTP Traffic
Note
RCPT TO and MAIL FROM are SMTP commands. The preprocessor configuration uses the command names RCPT and MAIL, respectively. Within the code, the preprocessor maps RCPT and MAIL to the correct command name.
Step 11
If needed, click Add next to Alt Max Command Line Len to add commands where you want to specify an alternate maximum command line length, then specify the line length and the command or commands, separated by spaces, where you want that length to be enforced.
Step 12
Specify any commands that you want to treat as invalid and detect in the Invalid Commands field. Separate commands with spaces.
Step 13
Specify any commands that you want to treat as valid in the Valid Commands field. Separate commands with spaces.
Note
Even if the Valid Commands list is empty, the preprocessor treats the following commands as valid: ATRN, AUTH, BDAT, DATA, DEBUG, EHLO, EMAL, ESAM, ESND, ESOM, ETRN, EVFY, EXPN, HELO, HELP, IDENT, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SOML, SEND, ONEX, QUEU, STARTTLS, TICK, TIME, TURN, TURNME, VERB, VRFY, X-EXPS, X-LINK2STATE, XADR, XAUTH, XCIR, XEXCH50, XGEN, XLICENSE, XQUE, XSTA, XTRN, or XUSR.
Step 14
Specify any commands that you want to initiate sending data in the same way the SMTP DATA command sends data per RFC 5321 in the Data Commands field. Separate commands with spaces.
Step 15
Specify any commands that initiate sending data in a way that is similar to how the BDAT command sends data per RFC 3030 in the Binary Data Commands field. Separate commands with spaces.
Step 16
Specify any commands that initiate an authentication exchange between client and server in the Authentication Commands field. Separate commands with spaces.
Step 17
To detect packets that are part of X-Link2State Microsoft Exchange buffer data overflow attacks, select Detect xlink2state.
Step 18
To specify the maximum bytes of data to extract and decode for different types of email attachment, specify a value for any of the following attachment types:
• Base64 Decoding Depth
• 7-Bit/8-Bit/Binary Decoding Depth (includes various multipart content types such as plain text, jpeg images, mp3 files, and so on)
• Quoted-Printable Decoding Depth
• Unix-to-Unix Decoding Depth
You can specify from 1 to 65535 bytes, or specify 0 to extract and, when necessary, decode all data in the packet for that type. Specify -1 to ignore data for an attachment type.
You can use the file_data rule keyword in intrusion rules to inspect extracted data. See for more information.
You must also select the SMTP Stateful Inspection option to extract and decode cross-packet data or data crossing multiple TCP segments.
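The depth rules from Step 18, modelled in an added Python example (not Cisco or Snort code): it walks a constructed MIME message and applies -1 (ignore), 0 (all) or 1..65535 (bytes of encoded data) per encoding type, returning what would be exposed to the file_data keyword. The keys b64, qp and bitenc are this example's own labels, not configuration identifiers, and Unix-to-Unix decoding is left out.

```python
import base64
import quopri
from email import message_from_bytes

# Constructed sample message: a 7bit part, a base64 part and a quoted-printable part.
SAMPLE = b"""MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Transfer-Encoding: 7bit

hello body
--XX
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64

QUJDREVGR0hJSktMTU5PUA==
--XX
Content-Transfer-Encoding: quoted-printable

caf=C3=A9 au lait
--XX--
"""

# Content-Transfer-Encoding -> depth label; anything else counts as 7-bit/8-bit/binary.
ENCODING_KEY = {"base64": "b64", "quoted-printable": "qp"}


def decode_part(key, data):
    """Decode depth-limited payload bytes of one encoding type."""
    if key == "b64":  # drop the partial 4-char quantum a depth cut can leave behind
        return base64.b64decode(data[: len(data) - len(data) % 4])
    if key == "qp":
        return quopri.decodestring(data)
    return data  # bitenc: extracted as-is, no decoding


def extract_file_data(raw, depths):
    """Return [(key, decoded)] per part; depths maps key -> -1, 0 or 1..65535.
    Works on a whole message; on the sensor, data spanning packets or TCP
    segments is only seen when SMTP Stateful Inspection is enabled."""
    out = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        key = ENCODING_KEY.get((part.get("Content-Transfer-Encoding") or "7bit").lower(), "bitenc")
        depth = depths.get(key, 0)
        if depth == -1:  # this attachment type is ignored entirely
            continue
        encoded = part.get_payload(decode=False).encode("ascii")
        out.append((key, decode_part(key, encoded if depth == 0 else encoded[:depth])))
    return out
```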
Step 19
Configure options for associating contextual information with intrusion events triggered by SMTP traffic:
• To enable extraction of MIME attachment file names to associate with intrusion events, select Log MIME Attachment Names.