Chapter 30 ADP
Table 170 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)

| LABEL | DESCRIPTION |
|---|---|
| ENCODING ATTACK | This rule is an anomaly detector for abnormally large chunk sizes. It picks up the Apache chunk encoding exploits and may also be triggered by HTTP tunneling that uses chunk encoding. |
| DIRECTORY ATTACK | This rule takes a [...] argument specifies the maximum character length of a URL directory. If a URL directory is longer than this argument, an alert is generated. A good argument value is 300 characters, which should limit the alerts to IDS evasion type attacks, like whisker. |
| TRAVERSAL ATTACK | This rule normalizes [...] normalized to "/abc/xyz". |
| | This rule emulates the IIS %u encoding scheme. The %u encoding scheme starts with %u followed by 4 characters, like %uXXXX. The XXXX is a hex encoded value that correlates to an IIS Unicode codepoint. This is an ASCII value; an ASCII character is encoded like %u002f = /, %u002e = ., etc. |
| ATTACK | The [...] sequences that are in the URI. This abides by the Unicode standard and only uses % encoding. Apache uses this standard, so for any Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to ensure correct functioning. |
| TRAVERSAL ATTACK | This is when a directory traversal goes past the web server root directory. This generates far fewer false positives than the directory option, because it does not alert on directory traversals that stay within the web server directory structure. It only alerts when the directory traversal goes past the web server root directory, which is associated with certain web attacks. |
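The HTTP rows above describe a normalization pipeline (IIS %u decoding, standard % decoding, multi-slash normalization) followed by the oversize-directory and traversal checks. The sketch below is an added example, not code from the ZyWALL guide or from Zyxel; the alert names, the use of the guide's 300-character figure as a default, and the depth-counting model of "past the web server root" are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed defaults: Table 170 suggests 300 characters for the oversize
# directory check; depth 0 models the web server root directory.
MAX_DIR_LEN = 300
WEB_ROOT_DEPTH = 0

def decode_iis_u(uri: str) -> str:
    """Emulate the IIS %uXXXX scheme: %u002f -> '/', %u002e -> '.'."""
    return re.sub(r"%u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), uri)

def normalize_uri(uri: str) -> str:
    """%u decode, then standard % decode, then collapse runs of slashes."""
    uri = decode_iis_u(uri)
    uri = unquote(uri)                  # %2e%2e%2f -> ../  (standard % encoding)
    uri = re.sub(r"/{2,}", "/", uri)    # /abc//////xyz -> /abc/xyz
    return uri

def inspect_uri(uri: str) -> list[str]:
    """Return the (constructed) alert names a request URI would trigger."""
    alerts = []
    path = normalize_uri(uri).split("?", 1)[0]
    segments = path.split("/")
    # Oversize directory: any single path component longer than the limit.
    if any(len(seg) > MAX_DIR_LEN for seg in segments):
        alerts.append("oversize-directory")
    # Traversal: walk the components and track depth relative to the root.
    depth, traversal = 0, False
    for seg in segments:
        if seg == "..":
            depth -= 1
            traversal = True
            if depth < WEB_ROOT_DEPTH:      # stepped past the web server root
                alerts.append("webroot-traversal")
                break
        elif seg not in ("", "."):
            depth += 1
    # A traversal that stays inside the document tree only fires the
    # noisier "directory" check, mirroring the false-positive note above.
    if traversal and "webroot-traversal" not in alerts:
        alerts.append("directory-traversal")
    return alerts
```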
| LABEL | DESCRIPTION |
|---|---|
| TCP Decoder | |
| ATTACK | This is when a TCP packet is sent where the TCP option length field is not the same as the actual option length, or is 0. This may cause some applications to crash. |
| ATTACK | This is when a TCP packet is sent which contains [...] compliant options. This may cause some applications to crash. |
| ATTACK | This is when a TCP packet is sent which contains obsolete RFC options. |
| ATTACK | This is when a TCP packet is sent where the TCP data offset is larger than the payload. |
| ATTACK | This is when a TCP packet is sent which does not have enough data to read. This could mean the packet was truncated. |
| | T/TCP provides a way of bypassing the standard [...] handshake found in TCP, thus speeding up transactions. However, this could lead to unauthorized access to the system by spoofing connections. |
| | This is when a TCP packet is sent which has a TCP datagram length of less than 20 bytes. This may cause some applications to crash. |
| ATTACK | This is when a TCP packet is sent which has a TCP header length of less than 20 bytes. This may cause some applications to crash. |
| UDP Decoder | |
| | This is when a UDP packet is sent which has a UDP length field greater than the actual packet length. This may cause some applications to crash. |
|
528
ZyWALL USG 100/200 Series User’s Guide