Chapter 30 ADP

Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder, where each category reflects the type of packet inspected.

Protocol anomaly rules may be updated when you upload new firmware.

30.9.1 HTTP Inspection and TCP/UDP/ICMP Decoders

The following table gives some information on the HTTP inspection, TCP decoder, UDP decoder and ICMP decoder ZyWALL protocol anomaly rules.

Table 144 HTTP Inspection and TCP/UDP/ICMP Decoders

LABEL
    DESCRIPTION

HTTP Inspection

APACHE-WHITESPACE ATTACK
    This rule deals with the non-RFC standard use of a tab as a space delimiter. Apache accepts this, so if you have an Apache server, you need to enable this option.

ASCII-ENCODING ATTACK
    This rule can detect attacks where malicious attackers use ASCII encoding to encode attack strings. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server.

BARE-BYTE-UNICODING-ENCODING ATTACK
    Bare byte encoding uses non-ASCII characters as valid values in decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII values have to be encoded with a %. Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings correctly.

BASE36-ENCODING ATTACK
    This is a rule to decode base36-encoded characters. This rule can detect attacks where malicious attackers use base36 encoding to encode attack strings. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server.

DIRECTORY-TRAVERSAL ATTACK
    This rule normalizes directory traversals and self-referential directories, so “/abc/this_is_not_a_real_dir/../xyz” gets normalized to “/abc/xyz”. Also, “/abc/./xyz” gets normalized to “/abc/xyz”. If a user wants to configure an alert, then specify “yes”, otherwise “no”. This alert may give false positives since some web sites refer to files using directory traversals.

DOUBLE-ENCODING ATTACK
    This rule is IIS specific. IIS does two passes through the request URI, doing decodes in each one. In the first pass, IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is done. In the second pass ASCII, bare byte, and %u encodings are done.

IIS-BACKSLASH-EVASION ATTACK
    This is an IIS emulation rule that normalizes backslashes to slashes. Therefore, a request-URI of “/abc\xyz” gets normalized to “/abc/xyz”.

IIS-UNICODE-CODEPOINT-ENCODING ATTACK
    This rule can detect attacks which send attack strings containing non-ASCII characters encoded by IIS Unicode. IIS Unicode encoding references the unicode.map file. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server.

MULTI-SLASH-ENCODING ATTACK
    This rule normalizes multiple slashes in a row, so something like “abc/////////xyz” gets normalized to “abc/xyz”.

NON-RFC-DEFINED-CHAR ATTACK
    This rule lets you receive a log or alert if certain non-RFC characters are used in a request URI. For instance, you may want to know if there are NULL bytes in the request-URI.

NON-RFC-HTTP-DELIMITER ATTACK
    This rule detects when a newline “\n” character is used as a delimiter. This is non-standard but is accepted by both Apache and IIS web servers.
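The normalizations the table describes for IIS-BACKSLASH-EVASION, DOUBLE-ENCODING, NON-RFC-DEFINED-CHAR, MULTI-SLASH-ENCODING and DIRECTORY-TRAVERSAL, carried out in one pass so the same request-URI can be compared as a server would see it. This is an added Python example, not code from the ZyWALL guide; the double-decode check (a second percent-decode pass that still changes the string) and the sample URIs are assumptions constructed for illustration.

```python
# Added example, not code from the ZyWALL guide: a request-URI normalizer that
# applies the normalizations Table 144 describes and reports which rule label a
# URI triggers. The double-decode check and sample URIs are assumptions.
from urllib.parse import unquote

def normalize_uri(uri: str) -> tuple:
    """Return (normalized_uri, [triggered rule labels])."""
    hits = []
    # IIS-BACKSLASH-EVASION: "/abc\xyz" is compared as "/abc/xyz".
    if "\\" in uri:
        hits.append("IIS-BACKSLASH-EVASION")
        uri = uri.replace("\\", "/")
    # DOUBLE-ENCODING: a second percent-decode pass that still changes the
    # string means the request only resolves on a server that decodes twice.
    once = unquote(uri)
    twice = unquote(once)
    if twice != once:
        hits.append("DOUBLE-ENCODING")
    uri = twice
    # NON-RFC-DEFINED-CHAR: flag NULL bytes in the decoded request-URI.
    if "\x00" in uri:
        hits.append("NON-RFC-DEFINED-CHAR")
    # MULTI-SLASH-ENCODING: "abc/////////xyz" becomes "abc/xyz".
    if "//" in uri:
        hits.append("MULTI-SLASH-ENCODING")
        while "//" in uri:
            uri = uri.replace("//", "/")
    # DIRECTORY-TRAVERSAL: resolve "." and ".." segments; ".." never climbs
    # above the leading "/" of an absolute path.
    segments, traversal = [], False
    for seg in uri.split("/"):
        if seg in (".", ".."):
            traversal = True
            if seg == ".." and segments and segments[-1] != "":
                segments.pop()
        else:
            segments.append(seg)
    if traversal:
        hits.append("DIRECTORY-TRAVERSAL")
    return "/".join(segments), hits

if __name__ == "__main__":
    # Constructed sample URIs, one per rule from the table.
    for sample in ["/abc/this_is_not_a_real_dir/../xyz", "/abc/./xyz",
                   "abc/////////xyz", "/abc\\xyz", "/abc/%252e%252e/xyz", "/abc%00.txt"]:
        print(repr(sample), "->", normalize_uri(sample))
```

Running the same normalizer over logged request-URIs before matching them against a path allow-list removes most of the encoding variants the table lists, while the returned labels show which evasion a request relied on.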


ZyWALL USG 1000 User’s Guide