Chapter 31 ADP

Table 158 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)

DOUBLE-ENCODING ATTACK
    This rule is IIS specific. IIS does two passes through the request URI, doing decodes in each one. In the first pass, IIS encoding (UTF-8 Unicode, ASCII, bare byte, and %u) is done. In the second pass, ASCII, bare byte, and %u encodings are done.

IIS-BACKSLASH-EVASION ATTACK
    This is an IIS emulation rule that normalizes backslashes to slashes. Therefore, a request-URI of “/abc\xyz” gets normalized to “/abc/xyz”.

IIS-UNICODE-CODEPOINT-ENCODING ATTACK
    This rule can detect attacks which send attack strings containing non-ASCII characters encoded by IIS Unicode. IIS Unicode encoding references the unicode.map file. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server.

MULTI-SLASH-ENCODING ATTACK
    This rule normalizes multiple slashes in a row, so something like “abc/////////xyz” gets normalized to “abc/xyz”.

NON-RFC-DEFINED-CHAR ATTACK
    This rule lets you receive a log or alert if certain non-RFC characters are used in a request URI. For instance, you may want to know if there are NULL bytes in the request-URI.

NON-RFC-HTTP-DELIMITER ATTACK
    This is when a newline “\n” character is detected as a delimiter. This is non-standard but is accepted by both Apache and IIS web servers.

OVERSIZE-CHUNK-ENCODING ATTACK
    This rule is an anomaly detector for abnormally large chunk sizes. This picks up the Apache chunk encoding exploits and may also be triggered on HTTP tunneling that uses chunk encoding.

OVERSIZE-REQUEST-URI-DIRECTORY ATTACK
    This rule takes a non-zero positive integer as an argument. The argument specifies the maximum character length for a URL directory. If a URL directory is larger than this argument size, an alert is generated. A good argument value is 300 characters. This should limit the alerts to IDS evasion type attacks, like whisker.

SELF-DIRECTORY-TRAVERSAL ATTACK
    This rule normalizes self-referential directories. So, “/abc/./xyz” gets normalized to “/abc/xyz”.

U-ENCODING ATTACK
    This rule emulates the IIS %u encoding scheme. The %u encoding scheme starts with a %u followed by 4 characters, like %uXXXX. The XXXX is a hex encoded value that correlates to an IIS Unicode codepoint. This is an ASCII value. An ASCII character is encoded like %u002f = /, %u002e = ., etc.

UTF-8-ENCODING ATTACK
    The UTF-8 decode rule decodes standard UTF-8 Unicode sequences that are in the URI. This abides by the Unicode standard and only uses % encoding. Apache uses this standard, so for any Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to enforce correct functioning.
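The URI decoder rules in Table 158 all serve one purpose: turn an obfuscated request-URI into a single canonical path before signatures are matched, and raise an alert when an obfuscation was present. The Python script below is an added example, not ZyXEL's code and not part of this guide. It emulates the normalization the table describes (the %u pass, the %XX/UTF-8 pass, the second IIS decode pass, backslash, multiple-slash and self-directory collapsing, NULL-byte and oversize-directory checks) and reports which rule labels would fire. Assumptions of my own: undecodable %XX runs are kept as bare bytes via latin-1, alert names are the table labels minus the word ATTACK, 300 characters is the default directory limit as the table recommends, and the IIS unicode.map codepoint mapping is not reproduced.

```python
"""Added example, not ZyXEL's code: emulate the request-URI normalization
described by the ADP HTTP decoder rules and report which rules would fire."""
import re
from dataclasses import dataclass, field

_U_ESC = re.compile(r"%u([0-9A-Fa-f]{4})")      # IIS %uXXXX escape (U-ENCODING)
_PCT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2})+")   # one or more %XX escapes


def _decode_pct_run(m):
    raw = bytes.fromhex(m.group(0).replace("%", ""))
    try:
        return raw.decode("utf-8")      # UTF-8-ENCODING: %-encoded UTF-8 (ASCII is a subset)
    except UnicodeDecodeError:
        return raw.decode("latin-1")    # assumption: keep undecodable octets as bare bytes


def decode_once(path: str) -> str:
    """One decode pass: %uXXXX escapes first, then %XX runs."""
    path = _U_ESC.sub(lambda m: chr(int(m.group(1), 16)), path)
    return _PCT_RUN.sub(_decode_pct_run, path)


@dataclass
class Result:
    normalized: str
    alerts: list = field(default_factory=list)


def normalize(uri: str, max_dir_len: int = 300) -> Result:
    """Normalize the path part of a request-URI and list the rules that fire."""
    alerts = []
    path = uri.partition("?")[0]        # the query string is left untouched here
    if _U_ESC.search(path):
        alerts.append("U-ENCODING")
    first = decode_once(path)
    second = decode_once(first)         # DOUBLE-ENCODING: IIS makes a second decode pass
    if second != first:
        alerts.append("DOUBLE-ENCODING")
    if "\x00" in second:                # NON-RFC-DEFINED-CHAR: NULL byte in the URI
        alerts.append("NON-RFC-DEFINED-CHAR")
    if "\\" in second:                  # IIS-BACKSLASH-EVASION: "\" treated as "/"
        alerts.append("IIS-BACKSLASH-EVASION")
    path = second.replace("\\", "/")
    if "//" in path:                    # MULTI-SLASH-ENCODING
        alerts.append("MULTI-SLASH-ENCODING")
    segments = [s for s in path.split("/") if s]   # dropping empties collapses "///"
    if "." in segments:                 # SELF-DIRECTORY-TRAVERSAL: "/./" segments
        alerts.append("SELF-DIRECTORY-TRAVERSAL")
    segments = [s for s in segments if s != "."]
    if any(len(s) > max_dir_len for s in segments):
        alerts.append("OVERSIZE-REQUEST-URI-DIRECTORY")
    lead = "/" if path.startswith("/") else ""
    tail = "/" if path.endswith("/") and segments else ""
    return Result(lead + "/".join(segments) + tail, alerts)


if __name__ == "__main__":
    # Constructed sample URIs mirroring the table's own illustrations.
    for sample in ["/abc\\xyz", "/abc/////////xyz", "/abc/./xyz",
                   "/abc%u002fxyz", "/abc%255Cxyz", "/abc%00xyz", "/caf%C3%A9"]:
        r = normalize(sample)
        print(f"{sample!r:22} -> {r.normalized!r:16} {r.alerts}")
```

Note that “/abc%255Cxyz” is clean after one decode (“/abc%5Cxyz”) and only becomes a backslash on the second pass; this is why the DOUBLE-ENCODING rule exists, and why a signature matched against the once-decoded URI would miss it.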

 

 
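The NON-RFC-HTTP-DELIMITER and OVERSIZE-CHUNK-ENCODING rules inspect request framing rather than the URI. As a second added example (again not the guide's or ZyXEL's code), the script below splits a raw request into header block and body, flags a bare newline used as the header delimiter, and walks a chunked body flagging any chunk whose declared size exceeds a threshold. The request bytes are constructed, the 64 KiB threshold is my choice, and the TRUNCATED-CHUNK, BAD-CHUNK-SIZE and INCOMPLETE-HEADERS labels are my own, not names from the table.

```python
"""Added example, not ZyXEL's code: HTTP request framing checks that
correspond to the NON-RFC-HTTP-DELIMITER and OVERSIZE-CHUNK-ENCODING rules."""
import re

_BARE_LF = re.compile(rb"(?<!\r)\n")     # an LF not preceded by CR


def find_header_end(raw: bytes):
    """Return (start, end) of the header terminator: CRLF CRLF per the RFC, or a
    bare LF LF (accepted by Apache and IIS), whichever comes first; None if absent."""
    found = [(raw.find(sep), len(sep)) for sep in (b"\r\n\r\n", b"\n\n")]
    found = [(pos, n) for pos, n in found if pos != -1]
    if not found:
        return None
    pos, n = min(found)
    return pos, pos + n


def parse_chunked(body: bytes, max_chunk: int = 0x10000):
    """Walk a chunked body. Returns (decoded bytes, alerts). Any chunk whose
    declared size exceeds max_chunk is reported as OVERSIZE-CHUNK-ENCODING."""
    out, alerts, pos = bytearray(), [], 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl == -1:
            alerts.append("TRUNCATED-CHUNK")           # constructed label
            break
        size_field = body[pos:nl].split(b";", 1)[0].strip()   # drop chunk extensions
        try:
            size = int(size_field.decode("ascii"), 16)
        except ValueError:
            alerts.append("BAD-CHUNK-SIZE")            # constructed label
            break
        if size > max_chunk:
            alerts.append("OVERSIZE-CHUNK-ENCODING")
        if size == 0:
            break                                      # last-chunk reached
        out += body[nl + 2:nl + 2 + size]
        pos = nl + 2 + size + 2                        # skip chunk data and its CRLF
        if pos > len(body):
            alerts.append("TRUNCATED-CHUNK")           # declared size runs past the data
            break
    return bytes(out), alerts


def inspect_request(raw: bytes, max_chunk: int = 0x10000) -> dict:
    """Split headers from body, check the delimiter, and de-chunk if needed."""
    alerts = []
    span = find_header_end(raw)
    if span is None:
        return {"alerts": ["INCOMPLETE-HEADERS"], "body": b""}   # constructed label
    head, body = raw[:span[0]], raw[span[1]:]
    if _BARE_LF.search(head):
        alerts.append("NON-RFC-HTTP-DELIMITER")
    chunked = any(line.strip().lower().startswith(b"transfer-encoding:")
                  and b"chunked" in line.lower() for line in head.split(b"\n"))
    if chunked:
        body, chunk_alerts = parse_chunked(body, max_chunk)
        alerts += chunk_alerts
    return {"alerts": alerts, "body": body}


# Constructed sample requests (no network traffic involved).
REQ_CLEAN = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
REQ_BARE_LF = (b"POST /upload HTTP/1.1\nHost: example.test\n"
               b"Transfer-Encoding: chunked\n\n5\r\nhello\r\n0\r\n\r\n")
REQ_BIG_CHUNK = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\nFFFFFFF0\r\nAAAA\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("clean", REQ_CLEAN), ("bare LF", REQ_BARE_LF), ("big chunk", REQ_BIG_CHUNK)]:
        print(name, inspect_request(req))
```

The oversize check fires on the declared size, before any data is read, because the damage in the Apache chunk handling bugs came from how the size field was interpreted, not from the bytes that followed; a detector that waited for the full chunk to arrive would see the alert condition too late.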

ZyWALL USG 50 User’s Guide