Cisco Cisco FirePOWER Appliance 7020
25-66
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Detecting Exploits Using the SSH Preprocessor
• To enable extraction of recipient email addresses, select Log To Addresses.
• To enable extraction of sender email addresses to associate with intrusion events, select Log From Addresses.
• To enable extraction of email headers to associate with intrusion events and for writing rules that inspect email headers, select Log Headers.
Note that header information is displayed in the intrusion event packet view. Note also that you can write intrusion rules that use the content keyword with email header data as a pattern. See for more information.
Optionally, you can specify a Header Log Depth of 0 to 20480 bytes of the email header to extract. A value of 0 disables Log Headers.
Step 20
Optionally, click Configure Rules for SMTP Configuration at the top of the page to display rules associated with individual options. Click Back to return to the SMTP Configuration page.
Step 21
Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the table for more information.
Enabling SMTP Maximum Decoding Memory Alerting
License: Protection
You can enable SMTP preprocessor rule 124:9 to generate an event when the enabled preprocessor is using the maximum amount of memory allowed by the system for decoding the following types of encoded data:
• Base64
• 7-bit/8-bit/binary
• Quoted-printable
• Unix-to-Unix
When the maximum decoding memory is exceeded, the preprocessor stops decoding these types of encoded data until memory becomes available. This preprocessor rule is not associated with a single, specific configuration option. See for information on enabling rules.
Detecting Exploits Using the SSH Preprocessor
License: Protection
The SSH preprocessor detects the Challenge-Response Buffer Overflow exploit, the CRC-32 exploit, the SecureCRT SSH Client Buffer Overflow exploit, protocol mismatches, and incorrect SSH message direction. The preprocessor also detects any version string other than version 1 or 2.
Both Challenge-Response Buffer Overflow and CRC-32 attacks occur after the key exchange and are, therefore, encrypted. Both attacks send an uncharacteristically large payload of more than 20 KBytes to the server immediately after the authentication challenge. CRC-32 attacks apply only to SSH Version 1;
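The three checks described above (version string other than 1 or 2, a non-SSH banner on the flow, and an oversized client payload once the traffic is encrypted) modelled in Python, as an added example that is not Cisco's or Snort's preprocessor code: SshSession, observe and the alert strings are constructed names, the 20 KByte threshold comes from the text above, and the end of the key exchange is approximated by the server's NEWKEYS message.

```python
import re
from dataclasses import dataclass, field

# RFC 4253 identification string: "SSH-protoversion-softwareversion[ comments]\r\n"
ID_RE = re.compile(rb"^SSH-(?P<proto>\d+(?:\.\d+)?)-[^\r\n ]+")
SSH_MSG_NEWKEYS = 21            # server NEWKEYS marks the end of the key exchange (RFC 4253)
MAX_POST_KEX_BYTES = 20 * 1024  # guide: both attacks send > 20 KBytes right after the challenge

@dataclass
class SshSession:
    """Per-flow state a simplified SSH preprocessor would keep (constructed model)."""
    client_banner_seen: bool = False
    kex_done: bool = False
    post_kex_client_bytes: int = 0
    oversized_alerted: bool = False
    alerts: list = field(default_factory=list)

def check_banner(session, payload):
    """The first client packet must be an SSH identification string for version 1 or 2."""
    session.client_banner_seen = True
    m = ID_RE.match(payload)
    if m is None:
        session.alerts.append("protocol mismatch: non-SSH banner")  # assumed alert label
    elif m.group("proto").split(b".")[0] not in (b"1", b"2"):
        session.alerts.append("unsupported SSH version string")     # assumed alert label

def observe(session, direction, payload):
    """Feed one TCP segment payload; direction is 'c2s' (client to server) or 's2c'.
    Returns the list of alerts raised by this packet (empty if none)."""
    before = len(session.alerts)
    if not session.client_banner_seen:
        if direction == "c2s":
            check_banner(session, payload)
    elif not session.kex_done:
        # Unencrypted binary packet: uint32 packet_length, byte padding_length, then msg code.
        if direction == "s2c" and len(payload) > 5 and payload[5] == SSH_MSG_NEWKEYS:
            session.kex_done = True
    elif direction == "c2s":
        # Everything after NEWKEYS is encrypted, so only the volume can be judged, not the content.
        session.post_kex_client_bytes += len(payload)
        if session.post_kex_client_bytes > MAX_POST_KEX_BYTES and not session.oversized_alerted:
            session.oversized_alerted = True
            session.alerts.append("oversized payload after key exchange")  # assumed alert label
    return session.alerts[before:]

if __name__ == "__main__":
    s = SshSession()  # constructed flow: banner, server NEWKEYS, then a 24 KB client burst
    observe(s, "c2s", b"SSH-2.0-OpenSSH_9.6\r\n")
    observe(s, "s2c", b"\x00\x00\x00\x0c\x0a" + bytes([SSH_MSG_NEWKEYS]) + b"\x00" * 10)
    print(observe(s, "c2s", b"A" * 24 * 1024))  # prints ['oversized payload after key exchange']
```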