Last Updated on August 3, 2021 by Admin 3
Which of the following email-related FirePOWER preprocessors can extract and decode attachments in client-to-server traffic? (Select the best answer.)
- only the IMAP preprocessor
- only the POP3 preprocessor
- only the SMTP preprocessor
- only the POP3 and SMTP preprocessors
- only the IMAP and SMTP preprocessors
- the IMAP, POP3, and SMTP preprocessors
Explanation:
On a Cisco FirePOWER Intrusion Prevention System (IPS), the Internet Message Access Protocol (IMAP), Post Office Protocol version 3 (POP3), and Simple Mail Transfer Protocol (SMTP) preprocessors can extract and decode attachments in client-to-server traffic. The FirePOWER IMAP, POP3, and SMTP preprocessors are Application layer inspection engines with the capability to decode email traffic and to normalize the resulting data prior to forwarding the traffic to the intrusion rules engine for analysis.
In addition to generating an event when they observe anomalous traffic, the FirePOWER email-related preprocessor engines can inspect the commands that pass between a client and a server to ensure that they are compliant with the relevant Request for Comments (RFC). For example, the IMAP preprocessor can generate an event when either a client command or a server response does not comply with RFC 3501, which is the RFC that defines the IMAP protocol, and the POP3 preprocessor can do the same for commands that do not comply with RFC 1939, which is the RFC that defines the POP3 protocol. By contrast, the SMTP preprocessor provides the ability to normalize all, none, or a specific set of SMTP commands, although a base set of commands will always be considered as part of the custom valid set if normalization is enabled.