Chapter 31 ADP

Table 158 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)

| LABEL | DESCRIPTION |
|---|---|
| WEBROOT-DIRECTORY-TRAVERSAL ATTACK | This is when a directory traversal goes past the web server root directory. This generates far fewer false positives than the directory option, because it doesn’t alert on directory traversals that stay within the web server directory structure. It only alerts when a directory traversal goes past the web server root directory, which is associated with certain web attacks. |
| TCP Decoder | |
| BAD-LENGTH-OPTIONS ATTACK | This is when a TCP packet is sent where the TCP option length field does not match the option’s actual length, or is 0. This may cause some applications to crash. |
| EXPERIMENTAL-OPTIONS ATTACK | This is when a TCP packet is sent which contains non-RFC-compliant options. This may cause some applications to crash. |
| OBSOLETE-OPTIONS ATTACK | This is when a TCP packet is sent which contains obsolete RFC options. |
| OVERSIZE-OFFSET ATTACK | This is when a TCP packet is sent where the TCP data offset is larger than the payload. |
| TRUNCATED-OPTIONS ATTACK | This is when a TCP packet is sent which doesn’t have enough data to read. This could mean the packet was truncated. |
| TTCP-DETECTED ATTACK | T/TCP provides a way of bypassing the standard three-way handshake found in TCP, thus speeding up transactions. However, this could lead to unauthorized access to the system by spoofing connections. |
| UNDERSIZE-LEN ATTACK | This is when a TCP packet is sent which has a TCP datagram length of less than 20 bytes. This may cause some applications to crash. |
| UNDERSIZE-OFFSET ATTACK | This is when a TCP packet is sent which has a TCP header length of less than 20 bytes. This may cause some applications to crash. |
| UDP Decoder | |
| OVERSIZE-LEN ATTACK | This is when a UDP packet is sent which has a UDP length field greater than the actual packet length. This may cause some applications to crash. |
| TRUNCATED-HEADER ATTACK | This is when a UDP packet is sent which has a UDP datagram length of less than the UDP header length. This may cause some applications to crash. |
| UNDERSIZE-LEN ATTACK | This is when a UDP packet is sent which has a UDP length field of less than 8 bytes. This may cause some applications to crash. |
| ICMP Decoder | |
| TRUNCATED-ADDRESS-HEADER ATTACK | This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP address header length. This may cause some applications to crash. |
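
The TCP decoder checks in the table can be read as one pass over the header and its options. The following is an added example, not ZyWALL's implementation: `tcp_anomalies` and `build` are hypothetical names, the mapping from each label to a check is an assumption drawn from the descriptions above, and OVERSIZE-OFFSET is read here as a data offset that points beyond the bytes of the segment.

```python
import struct

# Fixed option lengths from the TCP RFCs: MSS, window scale, SACK-permitted, timestamps.
FIXED_LEN = {2: 4, 3: 3, 4: 2, 8: 10}
TTCP_KINDS = {11, 12, 13}  # CC, CC.NEW, CC.ECHO (RFC 1644)

def tcp_anomalies(segment: bytes) -> list[str]:
    """Return the table labels (assumed mapping) that a raw TCP segment triggers."""
    if len(segment) < 20:
        return ["UNDERSIZE-LEN"]
    header_len = (segment[12] >> 4) * 4  # data offset is counted in 32-bit words
    if header_len < 20:
        return ["UNDERSIZE-OFFSET"]
    if header_len > len(segment):
        return ["OVERSIZE-OFFSET"]
    found = []
    opts, i = segment[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):   # no room left for the length byte
            found.append("TRUNCATED-OPTIONS")
            break
        length = opts[i + 1]
        if length < 2 or FIXED_LEN.get(kind, length) != length:
            found.append("BAD-LENGTH-OPTIONS")
            break                # option boundaries can no longer be trusted
        if i + length > len(opts):
            found.append("TRUNCATED-OPTIONS")
            break
        if kind in TTCP_KINDS:
            found.append("TTCP-DETECTED")
        i += length
    return found

def build(options: bytes = b"", offset_words=None, payload: bytes = b"") -> bytes:
    """Constructed sample segment: ports 40000 -> 80, SYN flag, given options."""
    words = offset_words if offset_words is not None else 5 + len(options) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, words << 4, 0x02, 8192, 0, 0)
    return fixed + options + payload
```
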

 

 

 


ZyWALL USG 50 User’s Guide