Cisco Cisco Firepower Management Center 4000
25-41
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding HTTP Traffic
IIS Backslash Obfuscation
Normalizes backslashes to forward slashes.
You can enable rule 119:9 to generate events for this option. See
for
more information.
Directory Traversal
Normalizes directory traversals and self-referential directories. If you enable the accompanying
preprocessor rules to generate events against this type of traffic, it may generate false positives
because some web sites refer to files using directory traversals.
preprocessor rules to generate events against this type of traffic, it may generate false positives
because some web sites refer to files using directory traversals.
You can enable rules 119:10 and 119:11 to generate events for this option. See
for more information.
Tab Obfuscation
Normalizes the non-RFC standard of using a tab for a space delimiter. Apache and other non-IIS
web servers use the tab character (0x09) as a delimiter in URLs.
web servers use the tab character (0x09) as a delimiter in URLs.
Note
Regardless of the configuration for this option, the HTTP Inspect preprocessor treats a tab
as white space if a space character (0x20) precedes it.
as white space if a space character (0x20) precedes it.
You can enable rule 119:12 to generate events for this option. See
for more information.
Invalid RFC Delimiter
Normalizes line breaks (\n) in URI data.
You can enable rule 119:13 to generate events for this option. See
for more information.
Webroot Directory Traversal
Detects directory traversals that traverse past the initial directory in the URL.
You can enable rule 119:18 to generate events for this option. See
for more information.
Tab URI Delimiter
Turns on the use of the tab character (0x09) as a delimiter for a URI. Apache, newer versions of IIS,
and some other web servers use the tab character as a delimiter in URLs.
and some other web servers use the tab character as a delimiter in URLs.
Note
Regardless of the configuration for this option, the HTTP Inspect preprocessor treats a tab
as white space if a space character (0x20) precedes it.
as white space if a space character (0x20) precedes it.
Non-RFC characters
Detects the non-RFC character list you add in the corresponding field when it appears within
incoming or outgoing URI data. When modifying this field, use the hexadecimal format that
represents the byte character. If and when you configure this option, set the value with care. Using
a character that is very common may overwhelm you with events.
incoming or outgoing URI data. When modifying this field, use the hexadecimal format that
represents the byte character. If and when you configure this option, set the value with care. Using
a character that is very common may overwhelm you with events.
You can enable rule 119:14 to generate events for this option. See
for more information.