Cisco FirePOWER Appliance 8360
25-38
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding HTTP Traffic
Normalize Javascript
When Inspect HTTP Responses is enabled, enables detection and normalization of Javascript within the
HTTP response body. The preprocessor normalizes obfuscated Javascript data such as the unescape
and decodeURI functions and the String.fromCharCode method. The preprocessor normalizes the
following encodings within the unescape, decodeURI, and decodeURIComponent functions:
– %XX
– %uXXXX
– 0xXX
– \xXX
– \uXXXX
The preprocessor detects consecutive white spaces and normalizes them into a single space. When
this option is enabled, a configuration field allows you to specify the maximum number of
consecutive white spaces to permit in obfuscated Javascript data. You can enter a value from 1 to
65535. The value 0 disables event generation, regardless of whether the preprocessor rule (120:10)
associated with this field is enabled.
The preprocessor also normalizes the Javascript plus (+) operator and concatenates strings using the
operator.
You can use the file_data keyword to point intrusion rules to the normalized Javascript data. See
for more information.
You can enable rules 120:9, 120:10, and 120:11 to generate events for this option, as follows:
See for more information.
Extract Original Client IP Address
Enables extraction of the original client IP address from the X-Forwarded-For (XFF) or
True-Client-IP HTTP header. You can display the extracted original client IP address in the intrusion
events table view. See for more information.
You can enable rules 119:23, 119:29 and 119:30 to generate events for this option. See
for more information.
Log URI
The original client IP address that was extracted from an X-Forwarded-For (XFF), True-Client-IP,
or custom-defined HTTP header. To display a value for this field, you must enable the HTTP
preprocessor Extract Original Client IP Address option in the network analysis policy. Optionally,
in the same area of the network analysis policy, you can also specify up to six custom client IP
headers, as well as set the priority order in which the system selects the value for the Original Client
IP event field. See Selecting Server-Level HTTP Normalization Options, page 25-618 for more
Table 25-6 Normalize Javascript Option Rules

This rule...   Triggers an event when...
120:9          the obfuscation level within the preprocessor is greater than or equal to 2.
120:10         the number of consecutive white spaces in the Javascript obfuscated data is
               greater than or equal to the value configured for the maximum number of
               consecutive white spaces allowed.
120:11         escaped or encoded data includes more than one type of encoding.
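
The Normalize Javascript steps and the 120:10 and 120:11 triggers from Table 25-6, as a simplified Python model added here for illustration. It is not Cisco or Snort code: the function name normalize_js, the regular expressions, and the sample script are assumptions. Rule 120:9 is not modeled because this page does not define how the obfuscation level is computed.

```python
import re

# One pass over the five encodings listed above (a single pass avoids double decoding).
ENC = re.compile(
    r"%u(?P<pu>[0-9a-fA-F]{4})|%(?P<p>[0-9a-fA-F]{2})"
    r"|\\u(?P<bu>[0-9a-fA-F]{4})|\\x(?P<bx>[0-9a-fA-F]{2})"
    r"|0x(?P<zx>[0-9a-fA-F]{2})"
)
LABEL = {"pu": "%uXXXX", "p": "%XX", "bu": "\\uXXXX", "bx": "\\xXX", "zx": "0xXX"}
# Calls whose string argument gets decoded (assumed: one quoted literal argument).
CALL = re.compile(r"\b(?:unescape|decodeURIComponent|decodeURI)\(\s*([\"'])(.*?)\1\s*\)")
# "a" + "b"  ->  "ab" (adjacent literals with the same quote character only).
CONCAT = re.compile(r"([\"'])\s*\+\s*\1")

def normalize_js(body, max_ws=0):
    """Return (normalized_text, rule_ids_that_would_fire) under this model."""
    fired = []
    longest = max((len(run) for run in re.findall(r"\s+", body)), default=0)
    # 120:10: run length >= configured maximum; a maximum of 0 disables the event.
    if max_ws and longest >= max_ws:
        fired.append("120:10")
    text = re.sub(r"\s+", " ", body)   # consecutive white spaces -> single space
    text = CONCAT.sub("", text)        # join concatenated string literals
    seen = set()                       # encoding types found inside decoded calls

    def decode_call(call):
        def decode(m):
            seen.add(LABEL[m.lastgroup])
            return chr(int(m.group(m.lastgroup), 16))
        quote = call.group(1)
        return quote + ENC.sub(decode, call.group(2)) + quote

    text = CALL.sub(decode_call, text)
    # 120:11: escaped or encoded data includes more than one type of encoding.
    if len(seen) > 1:
        fired.append("120:11")
    return text, fired

# Constructed sample: three-space run, split literal, three encoding types.
SAMPLE = r'var   a = unescape("%41%42" + "\x43%u0044");'

if __name__ == "__main__":
    print(normalize_js(SAMPLE, max_ws=3))
```

An intrusion rule using file_data would match against the normalized form (here the literal "ABCD"), not the encoded bytes on the wire.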