FireSIGHT System User Guide
Chapter 25      Using Application Layer Preprocessors 
Decoding POP Traffic
License: Protection
The Post Office Protocol (POP) is used to retrieve email from a remote POP mail server. The POP preprocessor inspects server-to-client POP3 traffic and, when associated preprocessor rules are enabled, generates events on anomalous traffic. The preprocessor can also extract and decode email attachments in client-to-server POP3 traffic and send the attachment data to the rules engine. You can use the file_data keyword in an intrusion rule to point to attachment data. See  for more information.
Extraction and decoding include multiple attachments, when present, and large attachments that span 
multiple packets.
Note the following when using the POP preprocessor:
• Because POP traffic is carried over TCP/IP connections, the POP preprocessor requires TCP stream preprocessing. If TCP stream preprocessing is disabled and you enable the POP preprocessor, you are prompted when you save the policy whether to enable TCP stream preprocessing. See  and  for more information.
• If you want POP preprocessor rules to generate events, you must enable the rules. POP preprocessor rules have a generator ID (GID) of 142. A link on the configuration page takes you to a filtered view of POP preprocessor rules on the intrusion policy Rules page, where you can enable and disable rules and configure other rule actions. See  for more information.
See the following sections for more information:
  •
  •
  •
Selecting POP Preprocessor Options
License: Protection
The following list describes the POP preprocessor options you can modify.
Note that decoding, or extraction when the MIME email attachment does not require decoding, includes multiple attachments when present, and large attachments that span multiple packets.
Note also that when the values for the Base64 Decoding Depth, 7-Bit/8-Bit/Binary Decoding Depth, Quoted-Printable Decoding Depth, or Unix-to-Unix Decoding Depth options are different in an intrusion policy associated with the default action of an access control policy and intrusion policies associated with access control rules, the highest value is used. See , and  for more information.
If no preprocessor rule is mentioned, the option is not associated with a preprocessor rule.
Ports
Specifies the ports to inspect for POP traffic. You can specify an integer from 0 to 65535. Separate multiple port numbers with commas.
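The following added example (not code from the FireSIGHT guide or the Cisco product) models what the decoding depth options and the multi-packet note above describe: a server-to-client RETR reply is reassembled from several TCP segments, byte-stuffing is removed, and each MIME attachment is decoded only up to a per-encoding depth before it would be handed to the rules engine. The function names and the sample message are constructed for illustration, and the depth semantics are an assumption modeled on the Snort POP preprocessor: the depth counts encoded bytes per attachment, 0 means decode everything, and -1 means do not decode that encoding at all (UU-encoding is left out for brevity).

```python
import base64
import email
import quopri

# Constructed sample: one RETR reply split across three TCP segments, with a
# byte-stuffed line ("..") and the final ".\r\n" terminator straddling segments.
SEGMENTS = [
    b'+OK\r\nMIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    b"--XX\r\nContent-Type: text/plain\r\n\r\n..dotted line\r\n--XX\r\n",
    b'Content-Type: application/octet-stream; name="a.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nSGVsbG8sIHdvcmxkIQ==\r\n--XX\r\n"
    b'Content-Type: text/plain; name="b.txt"\r\nContent-Transfer-Encoding: quoted-printable\r\n'
    b"\r\ncaf=C3=A9 au lait\r\n--XX--\r",
    b"\n.\r\n",
]

def reassemble_retr(segments):
    """Join segments and un-stuff the message; None until the '.' line arrives."""
    status, _, rest = b"".join(segments).partition(b"\r\n")
    if not status.startswith(b"+OK"):
        raise ValueError("RETR did not succeed")
    end = 0 if rest.startswith(b".\r\n") else rest.find(b"\r\n.\r\n")
    if end < 0:
        return None                                   # terminator not seen yet
    lines = rest[:end].split(b"\r\n")
    return b"\r\n".join(l[1:] if l.startswith(b".") else l for l in lines)

def decode_with_depth(encoded, cte, depth):
    """Decode at most `depth` encoded bytes (assumed: 0 = unlimited, -1 = skip)."""
    if depth == -1:
        return None
    chunk = encoded if depth == 0 else encoded[:depth]
    if cte == "base64":
        clean = b"".join(chunk.split())               # drop line breaks
        return base64.b64decode(clean[: len(clean) - len(clean) % 4])
    if cte == "quoted-printable":
        return quopri.decodestring(chunk)
    return chunk                                      # 7bit/8bit/binary: extracted as-is

def extract_attachments(raw, depths):
    """Return (filename, bytes) per attachment, as file_data would expose it."""
    found = []
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        cte = (part.get("Content-Transfer-Encoding") or "7bit").lower()
        key = cte if cte in ("base64", "quoted-printable") else "7bit"
        encoded = part.get_payload().encode("ascii", "surrogateescape")
        data = decode_with_depth(encoded, cte, depths.get(key, 0))
        if data is not None:
            found.append((name, data))
    return found
```

Calling `extract_attachments(reassemble_retr(SEGMENTS), {"base64": 8})` shows the effect of a small depth: a rule using file_data would only ever see the first bytes of a.bin, which is the trade-off these options control.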