Which of the following can the FirePOWER IMAP preprocessor extract in clienttoserver traffic? (Select the best answer.)
- file names
- header data
On a Cisco FirePOWER Intrusion Prevention System (IPS), the Internet Message Access Protocol (IMAP) preprocessors can extract and decode attachments in clienttoserver traffic. The FirePOWER IMAP preprocessor is an Application layer inspection engine with the capability to decode email traffic and to normalize the resulting data prior to forwarding the traffic to the intrusion rules engine for analysis. Cisco also provides Post Office Protocol version 3 (POP3) and Simple Mail Transfer Protocol (SMTP) preprocessors.
In addition to generating an event when they observe anomalous traffic, the FirePOWER emailrelated preprocessor engines can inspect the commands that pass between a client and a server to ensure that they are compliant with the relevant Request for Comments (RFC). For example, the IMAP preprocessor can generate an event when either a client command or a server response does not comply with RFC 3501, which is the RFC that defines the IMAP protocol, and the POP3 preprocessor can do the same for commands that do not comply with RFC 1939, which is the RFC that defines the POP3 protocol.
By contrast, the SMTP preprocessor provides the ability to normalize all, none, or a specific set of SMTP commands, although a base set of commands will always be considered as part of the custom valid set if normalization is enabled. In addition, the SMTP preprocessor can extract email file names, addresses, and header data.