Chapter 31 ADP
Table 158 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)
LABEL | DESCRIPTION
ATTACK | This rule is IIS specific. IIS does two passes through the request URI, doing decodes in each one. In the first pass, IIS encoding done. In the second pass ASCII, bare byte, and %u encodings are done.
EVASION ATTACK | This is an IIS emulation rule that normalizes backslashes to slashes. Therefore, a normalized to “/abc/xyz”.
ATTACK | This rule can detect attacks which send attack strings containing IIS Unicode encoding references the unicode.map file. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server.
ENCODING ATTACK | This rule normalizes multiple slashes in a row, so something like “abc/////////xyz” gets normalized to “abc/xyz”.
CHAR ATTACK | This rule lets you receive a log or alert if certain characters are used in a request URI. For instance, you may want to know if there are NULL bytes in the
DELIMITER ATTACK | This is when a newline “\n” character is detected as a delimiter. This is Apache and IIS web servers.
ENCODING ATTACK | This rule is an anomaly detector for abnormally large chunk sizes. This picks up the Apache chunk encoding exploits and may also be triggered on HTTP tunneling that uses chunk encoding.
 | This rule takes a The argument specifies the maximum character length for a URL directory. If a URL directory is larger than this argument size, an alert is generated. A good argument value is 300 characters. This should limit the alerts to IDS evasion type attacks, like whisker.
TRAVERSAL ATTACK | This rule normalizes xyz” gets normalized to “/abc/xyz”.
 | This rule emulates the IIS %u encoding scheme. The %u encoding scheme starts with a %u followed by 4 characters, like %uXXXX. The XXXX is a hex encoded value that correlates to an IIS unicode codepoint. This is an ASCII value. An ASCII character is encoded like %u002f = /, %u002e = ., etc.
ATTACK | The sequences that are in the URI. This abides by the unicode standard and only uses % encoding. Apache uses this standard, so for any Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to enforce correct functioning.
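To make the decoder behaviour in the table concrete, the following added example (not ZyWALL firmware code, and not the product's own rule implementation) runs a request path through the same normalizations in IIS order and reports which rule would have fired: two-pass decoding, %u decoding, NUL-byte detection, backslash and multi-slash normalization, directory normalization, and the 300-character directory length check. The finding names are this example's own, since the table's labels are only partly legible; the codepoint map is a constructed three-entry stand-in for unicode.map, and the directory rule is generalized to handle "../" as well as "./".

```python
import re

# Threshold the table recommends for the oversize directory length rule.
OVERSIZE_DIR_LENGTH = 300

# Constructed stand-in for a few entries of IIS's unicode.map (codepoint -> char).
IIS_UNICODE_MAP = {0x002F: "/", 0x002E: ".", 0x005C: "\\"}

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
_PCT_U = re.compile(r"%[uU]([0-9A-Fa-f]{4})")


def decode_ascii(uri: str) -> str:
    """One pass of standard %XX decoding (the table's 'ASCII' decoder)."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), uri)


def decode_u(uri: str) -> str:
    """IIS %uXXXX decoding via the (constructed) codepoint map.
    Codepoints not in the map are left untouched."""
    return _PCT_U.sub(lambda m: IIS_UNICODE_MAP.get(int(m.group(1), 16), m.group(0)), uri)


def normalize(path: str) -> tuple[str, list[str]]:
    """Run the decoders over a request path (query string excluded by assumption)
    and return (normalized_path, findings). Finding names are this example's own."""
    findings: list[str] = []

    # IIS decodes twice; if the second pass still finds %XX sequences, the
    # client double-encoded the path (e.g. %255c -> %5c -> backslash).
    first = decode_ascii(path)
    second = decode_ascii(first)
    if second != first:
        findings.append("double_decode")

    # %u encoding is handled in the second pass.
    if _PCT_U.search(second):
        findings.append("u_encode")
    norm = decode_u(second)

    # A NUL byte is one of the characters the non-RFC char rule alerts on.
    if "\x00" in norm:
        findings.append("non_rfc_char")

    # IIS accepts backslash as a path separator, so normalize it to slash.
    if "\\" in norm:
        findings.append("iis_backslash")
        norm = norm.replace("\\", "/")

    # abc/////xyz -> abc/xyz
    if re.search(r"/{2,}", norm):
        findings.append("multi_slash")
        norm = re.sub(r"/{2,}", "/", norm)

    # /abc/./xyz -> /abc/xyz (self reference); /abc/../xyz -> /xyz (traversal).
    segments = norm.split("/")
    if "." in segments:
        findings.append("self_dir_reference")
    if ".." in segments:
        findings.append("dir_traversal")
    out: list[str] = []
    for seg in segments:
        if seg == ".":
            continue
        if seg == "..":
            if out and out[-1] != "":  # never climb above the root
                out.pop()
            continue
        out.append(seg)
    norm = "/".join(out)

    # Any single directory component longer than the threshold.
    if any(len(seg) > OVERSIZE_DIR_LENGTH for seg in out):
        findings.append("oversize_dir")

    return norm, findings


if __name__ == "__main__":
    # Constructed sample paths exercising each decoder.
    for sample in ["/abc/////////xyz", "/abc\\xyz", "/abc%255cxyz",
                   "/abc%u002fxyz", "/abc/./xyz", "/abc/../xyz"]:
        print(sample, "->", normalize(sample))
```

The order of the steps matters: backslashes are converted before slashes are collapsed, and dot segments are resolved only after both, which is why a path such as `/abc%255c.%5c..%5cxyz` is reported as double-encoded, backslash-evading and traversing at once rather than as a single anomaly.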
530
ZyWALL USG 50 User’s Guide