Cisco Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 25      Using Application Layer Preprocessors 
  Decoding FTP and Telnet Traffic
A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See  for more information.
Tip: For more information on configuring the other options on this page, see 
Step 5
Optionally, you can modify any of the following under Telnet Settings:
  • Specify the port or ports where telnet traffic should be decoded in the Ports field. Telnet typically connects to TCP port 23. Separate multiple ports with commas.
    Add the same list of ports indicated here to the TCP client reassembly port list. For more information on configuring TCP reassembly ports, see 
    Caution: Because encrypted traffic (SSL) cannot be decoded, adding port 22 (SSH) could yield unexpected results.
  • Select or clear the Normalize Telnet Protocol Options check box to enable or disable telnet normalization.
  • Select or clear the Detect Anomalies Telnet Protocol Options check box to enable or disable anomaly detection.
  • Specify an Are You There Attack Threshold Number of consecutive AYT commands to permit.
    Tip: Cisco recommends that you set the AYT threshold to a value no higher than the default value.
Step 6
Optionally, click Configure Rules for FTP and Telnet Configuration at the top of the page to display rules associated with individual options.
Click Back to return to the FTP and Telnet Configuration page.
Step 7
Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the  table for more information.
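As an added illustration (not from the Cisco guide and not the preprocessor's own code), the following Python shows what the Normalize and Are You There Attack Threshold settings in Step 5 operate on: it strips Telnet command sequences from a byte stream and counts consecutive IAC AYT commands. The command byte values are the standard Telnet ones; the function name, the sample stream, the threshold values and the rule that any other byte resets the run are assumptions.

```python
# Added example, not Cisco's or Snort's code: Telnet normalization + AYT counting.
IAC, SB, SE, AYT = 0xFF, 0xFA, 0xF0, 0xF6   # standard Telnet command bytes (RFC 854)
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}      # WILL, WONT, DO, DONT: one option byte follows


def scan_telnet(stream: bytes, ayt_threshold: int):
    """Return (normalized_data, longest_ayt_run, alert).

    Assumptions: "consecutive" means back-to-back IAC AYT pairs, so any data
    byte or other Telnet command resets the run; alert when the run exceeds
    the number of AYT commands permitted.
    """
    data = bytearray()
    run = longest = 0
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:                 # ordinary data byte
            data.append(stream[i])
            run = 0
            i += 1
            continue
        if i + 1 >= n:                       # lone IAC at end of buffer: stop
            break
        cmd = stream[i + 1]
        if cmd == AYT:
            run += 1
            longest = max(longest, run)
            i += 2
            continue
        run = 0
        if cmd == IAC:                       # IAC IAC is an escaped literal 0xFF
            data.append(IAC)
            i += 2
        elif cmd in NEGOTIATION:             # IAC <verb> <option>
            i += 3
        elif cmd == SB:                      # skip subnegotiation through IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)   # ignores IAC IAC inside SB
            i = n if end == -1 else end + 2
        else:                                # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(data), longest, longest > ayt_threshold


# Constructed sample: a prompt, one DO negotiation, five AYT commands, then data.
SAMPLE = b"login: " + bytes([IAC, 0xFD, 0x18]) + bytes([IAC, AYT]) * 5 + b"ok"

if __name__ == "__main__":
    print(scan_telnet(SAMPLE, ayt_threshold=3))
```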
Understanding Server-Level FTP Options
License: Protection
You can set options for decoding on multiple FTP servers. Each server profile you create contains the server IP address and the ports on the server where traffic should be monitored. You can specify which FTP commands to validate and which to ignore for a particular server, and set maximum parameter lengths for commands. You can also set the specific command syntax the decoder should validate against for particular commands and set alternate maximum command parameter lengths.
If no preprocessor rule is mentioned, the option is not associated with a preprocessor rule.
Networks
Use this option to specify one or more IP addresses of FTP servers.