Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 25: Using Application Layer Preprocessors
Decoding HTTP Traffic

Normalize Javascript
When Inspect HTTP Responses is enabled, enables detection and normalization of Javascript within the
HTTP response body. The preprocessor normalizes obfuscated Javascript data such as the unescape
and decodeURI functions and the String.fromCharCode method. The preprocessor normalizes the
following encodings within the unescape, decodeURI, and decodeURIComponent functions:
  – %XX
  – %uXXXX
  – 0xXX
  – \xXX
  – \uXXXX
The preprocessor detects consecutive white spaces and normalizes them into a single space. When 
this option is enabled, a configuration field allows you to specify the maximum number of 
consecutive white spaces to permit in obfuscated Javascript data. You can enter a value from 1 to 
65535. The value 0 disables event generation, regardless of whether the preprocessor rule (120:10) 
associated with this field is enabled.
The preprocessor also normalizes the Javascript plus (+) operator and concatenates strings using the 
operator.
You can use the file_data keyword to point intrusion rules to the normalized Javascript data. See  for more information.
You can enable rules 120:9, 120:10, and 120:11 to generate events for this option, as shown in Table 25-6.
See  for more information.

Extract Original Client IP Address
Enables extraction of the original client IP address from the X-Forwarded-For (XFF) or
True-Client-IP HTTP header. You can display the extracted original client IP address in the intrusion
events table view. See  for more information.
You can enable rules 119:23, 119:29 and 119:30 to generate events for this option. See  for more information.

Log URI
The original client IP address that was extracted from an X-Forwarded-For (XFF), True-Client-IP, 
or custom-defined HTTP header. To display a value for this field, you must enable the HTTP 
preprocessor Extract Original Client IP Address option in the network analysis policy. Optionally, 
in the same area of the network analysis policy, you can also specify up to six custom client IP 
headers, as well as set the priority order in which the system selects the value for the Original Client 
IP event field. See Selecting Server-Level HTTP Normalization Options, page 25-618 for more 

Table 25-6 Normalize Javascript Option Rules

This rule...   Triggers an event when...
120:9          the obfuscation level within the preprocessor is greater than or equal to 2.
120:10         the number of consecutive white spaces in the Javascript obfuscated data is greater than or equal to the value configured for the maximum number of consecutive white spaces allowed.
120:11         escaped or encoded data includes more than one type of encoding.
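
The following Python example is added here for illustration and is not Cisco's or Snort's implementation: it applies the normalization steps described for the Normalize Javascript option to a constructed sample and reports which of rules 120:10 and 120:11 from Table 25-6 would apply. The names `normalize` and `max_ws` and the order of the steps are assumptions. Rule 120:9 and String.fromCharCode are left out because the page does not say how the obfuscation level is computed.

```python
import re

# One alternative per encoding the page lists; a single pass avoids re-decoding output.
TOKEN = re.compile(
    r"%u(?P<pu>[0-9a-fA-F]{4})|%(?P<p>[0-9a-fA-F]{2})|0x(?P<zx>[0-9a-fA-F]{2})"
    r"|\\x(?P<bx>[0-9a-fA-F]{2})|\\u(?P<bu>[0-9a-fA-F]{4})"
)
LABEL = {"pu": "%uXXXX", "p": "%XX", "zx": "0xXX", "bx": r"\xXX", "bu": r"\uXXXX"}
# Calls to the three decoding functions with a single string-literal argument.
CALL = re.compile(r"""\b(?:unescape|decodeURIComponent|decodeURI)\(\s*(["'])(.*?)\1\s*\)""")


def normalize(js, max_ws=0):
    """Return (normalized_text, sorted_event_ids) for one response body.

    max_ws mirrors the page's field: 1 to 65535, and 0 disables 120:10 events.
    """
    events, seen = set(), set()

    # 120:10: longest whitespace run >= the configured maximum.
    longest = max((len(run) for run in re.findall(r"\s+", js)), default=0)
    if max_ws and longest >= max_ws:
        events.add("120:10")
    js = re.sub(r"\s+", " ", js)  # consecutive white spaces become one space

    # Join adjacent string literals around the plus operator (same quote style only).
    js = re.sub(r"""(["'])\s*\+\s*\1""", "", js)

    def decode_token(m):
        seen.add(LABEL[m.lastgroup])  # remember which encoding type was used
        return chr(int(m.group(m.lastgroup), 16))

    def decode_call(m):
        # Replace the whole call with its decoded string literal.
        return m.group(1) + TOKEN.sub(decode_token, m.group(2)) + m.group(1)

    js = CALL.sub(decode_call, js)

    # 120:11: escaped data uses more than one type of encoding.
    if len(seen) > 1:
        events.add("120:11")
    return js, sorted(events)


# Constructed sample, not captured traffic.
SAMPLE = 'var s = unescape("%68%65" +\n          "\\x6c\\x6c%u006f");'
```

Calling `normalize(SAMPLE, max_ws=5)` yields the text an intrusion rule would see through file_data in this model, together with the event IDs.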