Cisco Cisco Firepower Management Center 4000
25-40
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding HTTP Traffic
UTF-8 Encoding
Decodes standard UTF-8 Unicode sequences in the URI.
You can enable rule 119:6 to generate events for this option. See
for
more information.
Microsoft %U Encoding
Decodes the IIS %u encoding scheme that uses %u followed by four characters, where the 4
characters are a hex encoded value that correlates to an IIS Unicode codepoint.
characters are a hex encoded value that correlates to an IIS Unicode codepoint.
Tip
Legitimate clients rarely use %u encodings, so Cisco recommends decoding HTTP traffic
encoded with %u encodings.
encoded with %u encodings.
You can enable rule 119:3 to generate events for this option. See
for
more information.
Bare Byte UTF-8 Encoding
Decodes bare byte encoding, which uses non-ASCII characters as valid values in decoding UTF-8
values.
values.
Tip
Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings
correctly. Cisco recommends enabling this option because no legitimate clients encode UTF-8
this way.
correctly. Cisco recommends enabling this option because no legitimate clients encode UTF-8
this way.
You can enable rule 119:4 to generate events for this option. See
for
more information.
Microsoft IIS Encoding
Decodes using Unicode codepoint mapping.
Tip
Cisco recommends enabling this option, because it is seen mainly in attacks and evasion
attempts.
attempts.
You can enable rule 119:7 to generate events for this option. See
for
more information.
Double Encoding
Decodes IIS double encoded traffic by making two passes through the request URI performing
decodes in each one. Cisco recommends enabling this option because it is usually found only in
attack scenarios.
decodes in each one. Cisco recommends enabling this option because it is usually found only in
attack scenarios.
You can enable rule 119:2 to generate events for this option. See
for
more information.
Multi-Slash Obfuscation
Normalizes multiple slashes in a row into a single slash.
You can enable rule 119:8 to generate events for this option. See
for
more information.