ZyXEL Communications 100 Series, 200 Series Protocol Anomaly Background Information

Chapter 30 ADP

Protocol Anomaly Background Information

The following sections may help you configure the protocol anomaly profile screen (see Section 30.3.5 on page 520)

HTTP Inspection and TCP/UDP/ICMP Decoders

The following table gives some information on the HTTP inspection, TCP decoder, UDP decoder and ICMP decoder ZyWALL protocol anomaly rules.

Table 170 HTTP Inspection and TCP/UDP/ICMP Decoders

LABEL	DESCRIPTION
HTTP Inspection

APACHE-WHITESPACE	This rule deals with non-RFC standard of tab for a space delimiter.
ATTACK	Apache uses this, so if you have an Apache server, you need to
	enable this option.

ASCII-ENCODING ATTACK	This rule can detect attacks where malicious attackers use ASCII-
	encoding to encode attack strings. Attackers may use this method to
	bypass system parameter checks in order to get information or
	privileges from a web server.

BARE-BYTE-UNICODING-	Bare byte encoding uses non-ASCII characters as valid values in
ENCODING ATTACK	decoding UTF-8 values. This is NOT in the HTTP standard, as all
	non-ASCII values have to be encoded with a %. Bare byte encoding
	allows the user to emulate an IIS server and interpret non-standard
	encodings correctly.

BASE36-ENCODING	This is a rule to decode base36-encoded characters. This rule can
ATTACK	detect attacks where malicious attackers use base36-encoding to
	encode attack strings. Attackers may use this method to bypass
	system parameter checks in order to get information or privileges
	from a web server.

DIRECTORY-TRAVERSAL	This rule normalizes directory traversals and self-referential
ATTACK	directories. So, “/abc/this_is_not_a_real_dir/../xyz” get normalized to
	“/abc/xyz”. Also, “/abc/./xyz” gets normalized to “/abc/xyz”. If a user
	wants to configure an alert, then specify “yes”, otherwise “no”. This
	alert may give false positives since some web sites refer to files
	using directory traversals.

DOUBLE-ENCODING	This rule is IIS specific. IIS does two passes through the request
ATTACK	URI, doing decodes in each one. In the first pass, IIS encoding
	(UTF-8 unicode, ASCII, bare byte, and %u) is done. In the second
	pass ASCII, bare byte, and %u encodings are done.

IIS-BACKSLASH-EVASION	This is an IIS emulation rule that normalizes backslashes to slashes.
ATTACK	Therefore, a request-URI of “/abc\xyz” gets normalized to “/abc/xyz”.

IIS-UNICODE-	This rule can detect attacks which send attack strings containing
CODEPOINT-ENCODING	non-ASCII characters encoded by IIS Unicode. IIS Unicode
ATTACK	encoding references the unicode.map file. Attackers may use this
	method to bypass system parameter checks in order to get
	information or privileges from a web server.

MULTI-SLASH-ENCODING	This rule normalizes multiple slashes in a row, so something like:
ATTACK	“abc/////////xyz” get normalized to “abc/xyz”.

NON-RFC-DEFINED-CHAR	This rule lets you receive a log or alert if certain non-RFC characters
ATTACK	are used in a request URI. For instance, you may want to know if
	there are NULL bytes in the request-URI.

NON-RFC-HTTP-	This is when a newline “\n” character is detected as a delimiter. This
DELIMITER ATTACK	is non-standard but is accepted by both Apache and IIS web
	servers.

	527
ZyWALL USG 100/200 Series User’s Guide	527