Cisco Cisco Firepower Management Center 4000

Decodes standard UTF-8 Unicode sequences in the URI.

You can enable rule 119:6 to generate events for this option. See 

 for 

more information.

Decodes the IIS %u encoding scheme that uses %u followed by four characters, where the 4 
characters are a hex encoded value that correlates to an IIS Unicode codepoint.

Legitimate clients rarely use %u encodings, so Cisco recommends decoding HTTP traffic 
encoded with %u encodings.

You can enable rule 119:3 to generate events for this option. See 

 for 

more information.

Decodes bare byte encoding, which uses non-ASCII characters as valid values in decoding UTF-8 
values.

Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings 
correctly. Cisco recommends enabling this option because no legitimate clients encode UTF-8 
this way.

You can enable rule 119:4 to generate events for this option. See 

 for 

more information.

Decodes using Unicode codepoint mapping.

Cisco recommends enabling this option, because it is seen mainly in attacks and evasion 
attempts.

You can enable rule 119:7 to generate events for this option. See 

 for 

more information.

Decodes IIS double encoded traffic by making two passes through the request URI performing 
decodes in each one. Cisco recommends enabling this option because it is usually found only in 
attack scenarios.

You can enable rule 119:2 to generate events for this option. See 

 for 

more information.

Normalizes multiple slashes in a row into a single slash.

You can enable rule 119:8 to generate events for this option. See 

 for 

more information.