Cisco Cisco Firepower Management Center 4000
25-34
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding HTTP Traffic
Ports
The ports whose HTTP traffic the preprocessor engine normalizes. Separate multiple port numbers
with commas.
Note
Any port you add to the HTTP Ports list should also be added in each TCP policy to the
appropriate list of TCP reassembly ports, depending on whether you are monitoring client
or server traffic, or both. Note, however, that reassembling additional traffic types (client,
server, both) increases resource demands. For more information on configuring TCP
reassembly ports, see .
Oversize Dir Length
Detects URL directories longer than the specified value.
You can enable rule 119:15 to generate events for this option. See
for more information.
Client Flow Depth
Specifies the number of bytes for rules to inspect in raw HTTP packets, including header and
payload data, in client-side HTTP traffic defined in Ports. Client flow depth does not apply when
HTTP content rule options within a rule inspect specific parts of a request message. See
for more information.
You can specify a value from -1 to 1460. Cisco recommends that you set client flow depth to its
maximum value. Specify any of the following:
– From 1 to 1460 inspects the specified number of bytes in the first packet. If the first packet
contains fewer bytes than specified, inspect the entire packet. Note that the specified value
applies to both segmented and reassembled packets.
Note also that a value of 300 typically eliminates inspection of large HTTP Cookies that appear
at the end of many client request headers.
– 0 inspects all client-side traffic, including multiple packets in a session and exceeding the 1460
byte limit if necessary. Note that this value is likely to affect performance.
– -1 ignores all client-side traffic.
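The following added example (not part of the Cisco guide and not the product's own code) models the three Client Flow Depth settings above so you can check which bytes of a request fall inside the raw inspection window. The function names and the sample request are constructed for illustration.

```python
MAX_DEPTH = 1460  # upper bound the guide gives for Client Flow Depth


def inspected_client_bytes(packets, depth):
    """Raw client-side bytes a rule would see for one request (simplified model).

    packets: client-side packets in order, as bytes objects.
    depth:   -1 ignores all, 0 inspects all, 1..1460 is the first N bytes of the first packet.
    """
    if not -1 <= depth <= MAX_DEPTH:
        raise ValueError("client flow depth must be between -1 and 1460")
    if depth == -1 or not packets:
        return b""
    if depth == 0:
        return b"".join(packets)   # every packet, may exceed 1460 bytes
    return packets[0][:depth]      # a shorter first packet is inspected whole


def covers(packets, depth, marker):
    """True when marker lies entirely inside the inspected window."""
    return marker in inspected_client_bytes(packets, depth)


def min_depth_to_cover(packets, marker):
    """Smallest setting whose window contains marker (0 means "inspect all").

    Returns None when marker never appears in the client-side traffic.
    """
    if packets:
        pos = packets[0][:MAX_DEPTH].find(marker)
        if pos != -1:
            return pos + len(marker)
    return 0 if marker in b"".join(packets) else None


# Constructed sample: a large Cookie header at the end of the request headers.
REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: sample-client/1.0\r\n"
    b"Accept: text/html\r\n"
    b"Cookie: session=" + b"A" * 400 + b"; marker=COOKIE-TAIL\r\n\r\n"
)
BODY = b"field=BODY-MARKER"  # constructed second client packet

if __name__ == "__main__":
    for depth in (-1, 300, 1460, 0):
        print(depth, covers([REQUEST, BODY], depth, b"COOKIE-TAIL"),
              covers([REQUEST, BODY], depth, b"BODY-MARKER"))
```

With this sample, a depth of 300 leaves the end of the Cookie header outside the window, 1460 covers the whole first packet, and only 0 reaches the second packet.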
Server Flow Depth
Specifies the number of bytes for rules to inspect in raw HTTP packets in server-side HTTP traffic
specified by Ports. Inspection includes the raw header and payload when Inspect HTTP Responses
is disabled and only the raw response body when Inspect HTTP Responses is enabled.
Server flow depth specifies the number of bytes of raw server response data in a session for rules to
inspect in server-side HTTP traffic defined in Ports. You can use this option to balance performance
and the level of inspection of HTTP server response data. Server flow depth does not apply when
HTTP content options within a rule inspect specific parts of a response message. See
for more information.
Unlike client flow depth, server flow depth specifies the number of bytes per HTTP response, not
per HTTP request packet, for rules to inspect.
You can specify a value from -1 to 65535. Cisco recommends that you set the server flow depth to
its maximum value. You can specify any of the following:
– From 1 to 65535: