Telnet Options
You can enable or disable normalization of telnet commands by the FTP/Telnet decoder, enable or disable a specific anomaly case, and set the threshold number of Are You There (AYT) attacks to permit.
If no preprocessor rule is mentioned in the following descriptions, the option is not associated with a preprocessor rule.
Ports
Indicates the ports whose telnet traffic you want to normalize. Telnet typically connects to TCP port 23. In the interface, list multiple ports separated by commas.
Caution | Because encrypted traffic (SSL) cannot be decoded, adding port 22 (SSH) could yield unexpected results. |
Normalize
Normalizes telnet traffic to the specified ports.
Detect Anomalies
Enables detection of Telnet SB (subnegotiation begin) without the corresponding SE (subnegotiation end).
Telnet supports subnegotiation, which begins with SB (subnegotiation begin) and must end with an SE (subnegotiation end). However, certain implementations of Telnet servers will ignore the SB without a corresponding SE. This is anomalous behavior that could be an evasion case. Because FTP uses the Telnet protocol on the control connection, it is also susceptible to this behavior.
You can enable rule 126:3 to generate an event and, in an inline deployment, drop offending packets when this anomaly is detected in Telnet traffic, and rule 125:9 when it is detected on the FTP command channel. See Setting Intrusion Rule States.
Are You There Attack Threshold Number
Detects when the number of consecutive AYT commands exceeds the specified threshold. Cisco recommends that you set the AYT threshold to a value no higher than the default value.
You can enable rule 126:1 to generate events and, in an inline deployment, drop offending packets for this option. See Setting Intrusion Rule States.