Configuring the FTP/Telnet Decoder

Note

This section applies to Snort 2 preprocessors. For information on Snort 3 inspectors, see https://www.cisco.com/go/snort3-inspectors.

You can configure client profiles for FTP clients to monitor FTP traffic from clients.

Before you begin

  • Confirm that any networks you want to identify in a custom target-based policy match or are a subset of the networks, zones, and VLANs handled by its parent network analysis policy. See Advanced Settings for Network Analysis Policies for more information.

Procedure

Step 1

Choose Policies > Access Control, then click Network Analysis Policy or Policies > Access Control > Intrusion, then click Network Analysis Policies.

Note

If your custom user role limits access to the first path listed here, use the second path to access the policy.

Step 2

Click Snort 2 Version next to the policy you want to edit.

Step 3

Click Edit (edit icon) next to the policy you want to edit.

If View (View button) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 4

Click Settings in the navigation panel.

Step 5

If FTP and Telnet Configuration under Application Layer Preprocessors is disabled, click Enabled.

Step 6

Click Edit (edit icon) next to FTP and Telnet Configuration.

Step 7

Set options in the Global Settings section as described in Global FTP and Telnet Options.

Step 8

Set options in the Telnet Settings section as described in Telnet Options.

Step 9

Manage FTP server profiles:

  • Add a server profile — Click Add (add icon) next to FTP Server. Specify one or more IP addresses for the client in the Server Address field and click OK. You can specify a single IP address or address block, or a comma-separated list of either or both. You can specify up to 1024 characters, and you can configure up to 255 policies, including the default policy.
  • Edit a server profile — Click the configured address for a custom profile under FTP Server, or click default. You can modify the settings in the Configuration section; see Server-Level FTP Options.
  • Delete a server profile — Click Delete (delete icon) next to the profile.

Step 10

Manage FTP client profiles:

  • Add a client profile — Click Add (add icon) next to FTP Client. Specify one or more IP addresses for the client in the Client Address field and click OK. You can specify a single IP address or address block, or a comma-separated list of either or both. You can specify up to 1024 characters, and you can configure up to 255 policies, including the default policy.
  • Edit a client profile — Click the configured address for a profile you have added under FTP Client, or click default. You can modify the settings in the Configuration page area; see Client-Level FTP Options.
  • Delete a client profile — Click Delete (delete icon) next to a custom profile.

Step 11

To save changes you made in this policy since the last policy commit, click Policy Information, then click Commit Changes.

If you leave the policy without committing changes, cached changes since the last commit are discarded if you edit a different policy.

What to do next

  • If you want to generate intrusion events, enable FTP and telnet preprocessor rules (GID 125 and 126). For more information, see Setting Intrusion Rule States.

  • Deploy configuration changes.