Esmtp Inspection - Cisco FirePOWER ASA 5500 series Configuration Manual

ESMTP Inspection

ESMTP Inspection
ESMTP inspection detects attacks, including spam, phising, malformed message attacks, buffer
overflow/underflow attacks. It also provides support for application security and protocol conformance,
which enforce the sanity of the ESMTP messages as well as detect several attacks, block
senders/receivers, and block mail relay.
Configuring an ESMTP Inspection Policy Map for Additional Inspection Control
To specify actions when a message violates a parameter, create an ESMTP inspection policy map. You
can then apply the inspection policy map when you enable ESMTP inspection according to the
"Configuring Application Inspection" section on page
To create an ESMTP inspection policy map, perform the following steps:
Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the
"Creating a Regular Expression" section on page
commands described in
(Optional) Create one or more regular expression class maps to group regular expressions according to
Step 2
the
Create an ESMTP inspection policy map, enter the following command:
Step 3
hostname(config)# policy-map type inspect esmtp policy_map_name
hostname(config-pmap)#
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration
mode.
(Optional) To add a description to the policy map, enter the following command:
Step 4
hostname(config-pmap)# description string
To apply actions to matching traffic, perform the following steps.
Step 5
a.
b.
Cisco Security Appliance Command Line Configuration Guide
25-24
Step 3.
"Creating a Regular Expression Class Map" section on page
Specify the traffic on which you want to perform actions using one of the following methods:
Specify the ESMTP class map that you created in
•
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
Specify traffic directly in the policy map using one of the match commands described in
•
If you use a match not command, then any traffic that does not match the criterion in the match
not command has the action applied.
Specify the action you want to perform on the matching traffic by entering the following command:
hostname(config-pmap-c)# {[drop [send-protocol-error] |
drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate}
Not all options are available for each match or class command. See the CLI help or the Cisco
Security Appliance Command Reference for the exact options available.
The drop keyword drops all packets that match.
The send-protocol-error keyword sends a protocol error message.
The drop-connection keyword drops the packet and closes the connection.
Chapter 25 Configuring Application Layer Protocol Inspection
25-5.
21-6. See the types of text you can match in the match
21-8.
Step 3 by entering the following command:
Step 3.
OL-10088-01