Cisco Firepower Management Center 4000
25-31
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding HTTP Traffic
• separating messages received from web servers into status code, status message, non-set-cookie
header, cookie header, and response body components to improve performance of HTTP-related
intrusion rules
• detecting possible URI-encoding attacks
• making the normalized data available for additional rule processing
HTTP traffic can be encoded in a variety of formats, making it difficult for rules to inspect it
appropriately. HTTP Inspect decodes 14 types of encoding, ensuring that your HTTP traffic gets the
best inspection possible.
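The following Python example is added here for illustration and is not code from the Cisco guide or from HTTP Inspect itself. It shows why a content match written against the plain URI needs normalized data, and how a double-encoded URI can be flagged. The function names, the three normalization steps chosen (one percent-decoding pass, a double-encoding check, slash collapsing) and the sample URIs are assumptions; the guide does not list the 14 encodings on this page.

```python
import re

_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")

def decode_once(text):
    # Decode a single layer of %XX escapes; malformed escapes stay as-is.
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)

def normalize_uri(raw_uri):
    """Return (normalized_path, anomalies) for one raw request URI."""
    anomalies = []
    path = raw_uri.split("?", 1)[0]          # inspect the path only
    decoded = decode_once(path)
    if decoded != path:
        anomalies.append("percent-encoded")
    if _ESCAPE.search(decoded):              # an escape survived one pass
        anomalies.append("double-encoded")
        decoded = decode_once(decoded)
    collapsed = re.sub(r"/{2,}", "/", decoded)
    if collapsed != decoded:
        anomalies.append("multiple-slashes")
    return collapsed, anomalies

def inspect(raw_uris, content):
    """Compare a content match on raw bytes with one on normalized data."""
    results = []
    for raw in raw_uris:
        normalized, anomalies = normalize_uri(raw)
        results.append({
            "raw": raw,
            "normalized": normalized,
            "raw_match": content in raw,
            "normalized_match": content in normalized,
            "anomalies": anomalies,
        })
    return results

# Constructed sample request URIs (not taken from the guide).
SAMPLE_URIS = [
    "/scripts/admin.php",
    "/scripts/%61dmin.php",
    "/scripts/%2561dmin.php",
    "/scripts//admin.php?id=1",
]

if __name__ == "__main__":
    for row in inspect(SAMPLE_URIS, "/scripts/admin.php"):
        print(row)
```

Only the first sample matches on the raw bytes, while all four match once normalized, which is the reason rules are evaluated against the preprocessor's normalized output.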
You can configure HTTP Inspect options globally, on a single server, or for a list of servers.
Note the following when using the HTTP Inspect preprocessor:
• The preprocessor engine performs HTTP normalization statelessly. That is, it normalizes HTTP
strings on a packet-by-packet basis, and can only process HTTP strings that have been reassembled
by the TCP stream preprocessor.
The HTTP Inspect preprocessor requires TCP stream preprocessing. If TCP stream preprocessing is
disabled and you enable the preprocessor, you are prompted when you save the policy whether to
enable TCP stream preprocessing. See
and
for more information.
• You must enable HTTP preprocessor rules, which have a generator ID (GID) of 119, if you want
these rules to generate events. A link on the configuration page takes you to a filtered view of HTTP
preprocessor rules on the intrusion policy Rules page, where you can enable and disable rules and
configure other rule actions. See
for more information.
• When a rule that requires this preprocessor is enabled in an intrusion policy where the preprocessor
is disabled, you must enable the preprocessor or choose to allow the system to enable it
automatically before you can save the policy. For more information, see
See the following sections for more information:
•
•
•
•
•
•
Selecting Global HTTP Normalization Options
License: Protection
The global HTTP options provided for the HTTP Inspect preprocessor control how the preprocessor
functions. Use these options to enable or disable HTTP normalization when ports not specified as web
server ports receive HTTP traffic.
Note the following:
• If you enable Unlimited Decompression, the Maximum Compressed Data Depth and Maximum Decompressed
Data Depth options are automatically set to 65535 when you commit your changes. See
for more information.