Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 25      Using Application Layer Preprocessors
  Decoding HTTP Traffic
information. See 
 for more information.
XFF Header Priority
When Extract Original Client IP Address is enabled, specifies the order in which the system 
processes original client IP HTTP headers. If, on your monitored network, you expect to encounter 
original client IP headers other than X-Forwarded-For (XFF) or True-Client-IP, you can click Add 
to add up to six additional Client IP header names to the priority list. Note that if multiple XFF 
headers appear in an HTTP request, the value for the Original Client IP event field is the header with 
the highest priority. You can use the up and down arrow icons beside each header type to adjust its 
priority.
Log Hostname
Enables extraction of the host name, if present, from the HTTP request Host header and associates 
the host name with all intrusion events generated for the session. When multiple Host headers are 
present, extracts the host name from the first header.
When this option is enabled, you can display the first fifty characters of the extracted host name in 
the HTTP Hostname column of the intrusion events table view. You can display the complete host 
name, up to 256 bytes, in the packet view. See 
 and 
 for more information.
You can enable rule 119:25 to generate events for this option. See 
for more information.
Note that when the preprocessor and rule 119:24 are enabled, the preprocessor generates an 
intrusion event if it detects multiple Host headers in an HTTP request, regardless of the setting for 
this option. See 
information.
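The selection rules described under XFF Header Priority and Log Hostname, modeled as an added Python illustration (not Cisco's implementation and not part of the original guide). The header name X-Real-Client and the sample request are constructed, and taking the first occurrence of a repeated client IP header is an assumption the guide does not state.

```python
# Added illustration only: models the rules described above, not Cisco's code.
BUILT_IN = ["X-Forwarded-For", "True-Client-IP"]   # header names named in the guide
MAX_ADDED, TABLE_CHARS, PACKET_BYTES = 6, 50, 256  # limits stated in the guide

def parse_headers(raw):
    """Return (name, value) pairs in wire order from a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def original_client_ip(headers, priority):
    """Return (header, value) for the highest-priority client IP header present."""
    built_in = {b.lower() for b in BUILT_IN}
    added = [p for p in priority if p.lower() not in built_in]
    if len(added) > MAX_ADDED:
        raise ValueError("at most six additional header names can be added")
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), value)       # assumption: first occurrence kept
    for name in priority:                          # list order is the priority order
        if name.lower() in seen:
            return name, seen[name.lower()]        # header value kept verbatim
    return None

def host_fields(headers):
    """First Host header wins; more than one is what rule 119:24 reports."""
    hosts = [v for n, v in headers if n.lower() == "host"]
    if not hosts:
        return None
    first = hosts[0]
    return {
        "table_view": first[:TABLE_CHARS],         # HTTP Hostname column
        "packet_view": first.encode("latin-1")[:PACKET_BYTES].decode("latin-1"),
        "multiple_host_headers": len(hosts) > 1,
    }

# Constructed sample request (documentation addresses, hypothetical X-Real-Client).
SAMPLE = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: " + b"a" * 60 + b".example.com\r\n"
          b"True-Client-IP: 198.51.100.9\r\n"
          b"X-Real-Client: 192.0.2.44\r\n"
          b"X-Forwarded-For: 203.0.113.7\r\n"
          b"Host: other.example.net\r\n\r\n")
```

Reordering the priority list changes which address lands in the Original Client IP field for the same request, which matters when comparing events from policies with different header orders.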
Profile
Specifies the types of encoding that are normalized for HTTP traffic. The system provides a default 
profile appropriate for most servers, default profiles for Apache servers and IIS servers, and custom 
default settings that you can tailor to meet the needs of your monitored traffic. See 
 for more information.
Selecting Server-Level HTTP Normalization Encoding Options
License: Protection
You can select server-level HTTP normalization options to specify the types of encoding that are 
normalized for HTTP traffic, and to cause the system to generate events against traffic containing this 
type of encoding. 
Note that the base36 encoding type has been deprecated. For backward compatibility, the base36 option 
is allowed in existing intrusion policies, but it does not cause the system to detect base36 traffic.
If no preprocessor rule is mentioned, the option is not associated with a preprocessor rule.
ASCII Encoding
Decodes encoded ASCII characters and specifies whether the rules engine generates an event on 
ASCII-encoded URIs.
You can enable rule 119:1 to generate events for this option. See 
 for 
more information.