Configuring The HTTP Inspect Preprocessor

Note

This section applies to Snort 2 preprocessors. For information on Snort 3 inspectors, see https://www.cisco.com/go/snort3-inspectors.

Before you begin

  • Confirm that any networks you want to identify in a custom target-based policy match or are a subset of the networks, zones, and VLANs handled by its parent network analysis policy. See Advanced Settings for Network Analysis Policies for more information.

Procedure

Step 1

Choose Policies > Access Control, then click Network Analysis Policy or Policies > Access Control > Intrusion, then click Network Analysis Policies.

Note

If your custom user role limits access to the first path listed here, use the second path to access the policy.

Step 2

Click Snort 2 Version next to the policy you want to edit.

Step 3

Click Edit (edit icon) next to the policy you want to edit.

If View (View button) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 4

Click Settings in the navigation panel.

Step 5

If HTTP Configuration under Application Layer Preprocessors is disabled, click Enabled.

Step 6

Click Edit (edit icon) next to HTTP Configuration.

Step 7

Modify the options in the Global Settings page area; see Global HTTP Normalization Options.

Step 8

You have three choices:

  • Add a server profile — Click Add (add icon) in the Servers section. Specify one or more IP addresses for the client in the Server Address field, and click OK. You can specify a single IP address or address block, or a comma-separated list of either or both. You can include up to 496 characters in a list, specify a total of 256 address entries for all server profiles, and create a total of 255 profiles including the default profile.
  • Edit a server profile — Click the configured address for a profile you have added under Servers, or click default. You can modify any of the settings in the Configuration section; see Server-Level HTTP Normalization Options. If you choose Custom for the Profile value, you can also modify the encoding options described in Server-Level HTTP Normalization Encoding Options.
  • Delete a server profile — Click Delete (delete icon) next to a custom profile.

Step 9

To save changes you made in this policy since the last policy commit, click Policy Information, then click Commit Changes.

If you leave the policy without committing changes, cached changes since the last commit are discarded if you edit a different policy.

What to do next

  • If you want generate events and, in an inline deployment, drop offending packets, enable HTTP preprocessor rules (GID 119). For more information, see Setting Intrusion Rule States.

  • Deploy configuration changes.