Cisco Cisco FirePOWER Appliance 8270
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding HTTP Traffic
Normalize Cookies in HTTP headers
Enables normalization of cookies in HTTP request headers. When Inspect HTTP Responses is enabled,
also enables normalization of set-cookie data in response headers. You must select Inspect HTTP
Cookies before selecting this option.
Allow HTTP Proxy Use
Allows the monitored web server to be used as an HTTP proxy. This option is used only in the
inspection of HTTP requests.
Inspect URI Only
Inspects only the URI portion of the normalized HTTP request packet.
Inspect HTTP Responses
Enables extended inspection of HTTP responses so that, in addition to decoding and normalizing HTTP
request messages, the preprocessor extracts response fields for inspection by the rules engine.
Enabling this option causes the system to extract the response header, body, status code, and so on,
and also to extract set-cookie data when Inspect HTTP Cookies is enabled. For more information, see .
You can enable rules 120:2 and 120:3 to generate events for this option. See for more information.
Normalize UTF Encodings to UTF-8
When Inspect HTTP Responses is enabled, detects UTF-16LE, UTF-16BE, UTF-32LE, and UTF-32BE
encodings in HTTP responses and normalizes them to UTF-8.
You can enable rule 120:4 to generate events for this option. See for more information.
Inspect Compressed Data
When Inspect HTTP Responses is enabled, enables decompression of gzip and deflate-compatible
compressed data in the HTTP response body, and inspection of the normalized decompressed data.
The system inspects chunked and non-chunked HTTP response data. The system inspects
decompressed data packet by packet across multiple packets as needed; that is, the system does not
combine the decompressed data from different packets for inspection. Decompression ends when
Maximum Compressed Data Depth, Maximum Decompressed Data Depth, or the end of the compressed data
is reached. Inspection of decompressed data ends when Server Flow Depth is reached unless you also
select Unlimited Decompression. You can use the file_data rule keyword to inspect decompressed
data; see for more information.
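The response normalization described under Normalize UTF Encodings to UTF-8 and Inspect Compressed Data, sketched as an added example that is not part of the original guide and is not Cisco's implementation: it shows why a content match needs the decompressed, UTF-8 form of the body and how the two depth limits cap what is visible. The function names, the sample response and the single-buffer model (no per-packet behaviour, no Unlimited Decompression) are assumptions made for illustration.

```python
import gzip
import zlib

# UTF charsets named in the option text, mapped to Python codec names.
UTF_CODECS = {"utf-16le": "utf-16-le", "utf-16be": "utf-16-be",
              "utf-32le": "utf-32-le", "utf-32be": "utf-32-be"}


def decompress_limited(body, encoding, max_compressed, max_decompressed):
    """Inflate at most max_compressed bytes in, max_decompressed bytes out."""
    if encoding == "gzip":
        wbits = 16 + zlib.MAX_WBITS      # expect a gzip header and trailer
    elif encoding == "deflate":
        wbits = zlib.MAX_WBITS           # expect a zlib-wrapped deflate stream
    else:
        return body                      # not compressed: pass through
    inflater = zlib.decompressobj(wbits)
    return inflater.decompress(body[:max_compressed], max_decompressed)


def normalize_charset(data, charset):
    """Re-encode UTF-16/UTF-32 text as UTF-8; other charsets pass through."""
    codec = UTF_CODECS.get(charset)
    if codec is None:
        return data
    # errors="replace" tolerates a code unit cut in half by a depth limit.
    return data.decode(codec, errors="replace").encode("utf-8")


def normalized_body(headers, body, max_compressed, max_decompressed):
    """Bytes a content match would see after both normalizations."""
    encoding = headers.get("content-encoding", "").lower()
    content_type = headers.get("content-type", "").lower()
    charset = content_type.partition("charset=")[2].strip()
    plain = decompress_limited(body, encoding, max_compressed, max_decompressed)
    return normalize_charset(plain, charset)


# Constructed sample: a UTF-16LE page that the server sent gzip-compressed.
SAMPLE_TEXT = "<html>marker-string-for-rule</html>"
SAMPLE_HEADERS = {"content-encoding": "gzip",
                  "content-type": "text/html; charset=UTF-16LE"}
SAMPLE_BODY = gzip.compress(SAMPLE_TEXT.encode("utf-16-le"))

if __name__ == "__main__":
    full = normalized_body(SAMPLE_HEADERS, SAMPLE_BODY, 65535, 65535)
    print("match on raw body:       ", b"marker-string" in SAMPLE_BODY)
    print("match on normalized body:", b"marker-string" in full)
    print("decompressed depth 20:   ", normalized_body(SAMPLE_HEADERS, SAMPLE_BODY, 65535, 20))
```
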
Unlimited Decompression
When Inspect Compressed Data is enabled, overrides Maximum Decompressed Data Depth across multiple
packets; that is, this option enables unlimited decompression across multiple packets. Note that
enabling this option does not affect Maximum Compressed Data Depth or Maximum Decompressed Data
Depth within a single packet. Note also that enabling this option sets Maximum Compressed Data Depth
and Maximum Decompressed Data Depth to 65535 when you commit your changes. See .