25-24
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 25 Configuring Application Layer Protocol Inspection
ESMTP Inspection
ESMTP Inspection
ESMTP inspection detects attacks, including spam, phising, malformed message attacks, buffer
overflow/underflow attacks. It also provides support for application security and protocol conformance,
which enforce the sanity of the ESMTP messages as well as detect several attacks, block
senders/receivers, and block mail relay.
Configuring an ESMTP Inspection Policy Map for Additional Inspection Control
To specify actions when a message violates a parameter, create an ESMTP inspection policy map. You
can then apply the inspection policy map when you enable ESMTP inspection according to the
“Configuring Application Inspection” section on page 25-5.
To create an ESMTP inspection policy map, perform the following steps:
Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the
“Creating a Regular Expression” section on page 21-6. See the types of text you can match in the match
commands described in Step 3.
Step 2 (Optional) Create one or more regular expression class maps to group regular expressions according to
the “Creating a Regular Expression Class Map” section on page 21-8.
Step 3 Create an ESMTP inspection policy map, enter the following command:
hostname(config)# policy-map type inspect esmtp policy_map_name
hostname(config-pmap)#
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration
mode.
Step 4 (Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
Step 5 To apply actions to matching traffic, perform the following steps.
a. Specify the traffic on which you want to perform actions using one of the following methods:
• Specify the ESMTP class map that you created in Step 3 by entering the following command:
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
• Specify traffic directly in the policy map using one of the match commands described in Step 3.
If you use a match not command, then any traffic that does not match the criterion in the match
not command has the action applied.
b. Specify the action you want to perform on the matching traffic by entering the following command:
hostname(config-pmap-c)# {[drop [send-protocol-error] |
drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate}
Not all options are available for each match or class command. See the CLI help or the Cisco
Security Appliance Command Reference for the exact options available.
The drop keyword drops all packets that match.
The send-protocol-error keyword sends a protocol error message.
The drop-connection keyword drops the packet and closes the connection.
To Next Page
Loading...
Need help?
General