Cisco Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding HTTP Traffic
• If the values for the Maximum Compressed Data Depth and Maximum Decompressed Data Depth options are different in an intrusion policy associated with the default action of an access control policy and intrusion policies associated with access control rules, the highest value is used. See , and for more information.
If no preprocessor rule is mentioned, the option is not associated with a preprocessor rule.
Detect Anomalous HTTP Servers
Detects HTTP traffic sent to or received by ports not specified as web server ports.
Note
If you turn this option on, make sure to list all ports that do receive HTTP traffic in a server
profile on the HTTP Configuration page. If you do not, and you have enabled this option and
the accompanying preprocessor rule, normal traffic to and from the server will generate
events. The default server profile contains all ports normally used for HTTP traffic, but if
you modified that profile, you may need to add those ports to another profile to prevent
events from being generated.
You can enable rule 120:1 to generate events for this option. See for more information.
Detect HTTP Proxy Servers
Detects HTTP traffic using proxy servers not defined by the Allow HTTP Proxy Use option.
You can enable rule 119:17 to generate events for this option. See for more information.
Maximum Compressed Data Depth
Sets the maximum size of compressed data to decompress when Inspect Compressed Data is enabled. You can specify from 1 to 65535 bytes.
Maximum Decompressed Data Depth
Sets the maximum size of the normalized decompressed data when Inspect Compressed Data is enabled. You can specify from 1 to 65535 bytes.
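Before turning on Detect Anomalous HTTP Servers and rule 120:1, it helps to know which ports already carry HTTP but are missing from every server profile, since those are the ports where normal traffic would start generating events. The following is an added example, not part of the guide or of the product: the profile port set, the flow records, and the start-line heuristic are constructed assumptions and do not reproduce the preprocessor's own detection logic.

```python
import re
from collections import Counter

# Assumption: union of the ports listed in all HTTP server profiles (constructed).
PROFILE_PORTS = {80, 8080, 3128}

# Constructed sample: (server port, first bytes of payload seen on the flow).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: a.example\r\n\r\n"),
    (8081, b"POST /api/v1/items HTTP/1.1\r\nHost: b.example\r\n\r\n"),
    (8081, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    (22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    (9000, b"HTTP/1.0 404 Not Found\r\n\r\n"),
    (8080, b"HEAD / HTTP/1.1\r\n\r\n"),
    (5000, b"GETTING started\r\n"),  # not HTTP: no request target/version
]

# Heuristic (assumption): an HTTP request line or status line at payload start.
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d\r?\n")
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d \d{3}[ \r\n]")


def looks_like_http(payload: bytes) -> bool:
    """True if the payload begins with an HTTP request or response start line."""
    return bool(REQUEST_LINE.match(payload) or STATUS_LINE.match(payload))


def unlisted_http_ports(flows, profile_ports):
    """Return {port: flow_count} for ports that carry HTTP but appear in no
    server profile, i.e. ports to add to a profile before enabling the option."""
    hits = Counter(
        port
        for port, payload in flows
        if port not in profile_ports and looks_like_http(payload)
    )
    return dict(sorted(hits.items()))


if __name__ == "__main__":
    for port, count in unlisted_http_ports(SAMPLE_FLOWS, PROFILE_PORTS).items():
        print(f"port {port}: {count} HTTP flow(s), not in any server profile")
```
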
Configuring Global HTTP Configuration Options
License: Protection
You can configure detection of HTTP traffic to non-standard ports and of HTTP traffic using proxy servers. For more information on global HTTP configuration options, see .
To configure global HTTP configuration options:
Access: Admin/Intrusion Admin
Step 1 Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2 Click the edit icon ( ) next to the policy you want to edit.