Chapter 30 ADP

Table 144 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)

LABEL

DESCRIPTION

OVERSIZE-CHUNK-

This rule is an anomaly detector for abnormally large chunk sizes.

ENCODING ATTACK

This picks up the apache chunk encoding exploits and may also be

 

triggered on HTTP tunneling that uses chunk encoding.

 

 

OVERSIZE-REQUEST-URI-

This rule takes a non-zero positive integer as an argument. The

DIRECTORY ATTACK

argument specifies the max character directory length for URL

 

directory. If a URL directory is larger than this argument size, an

 

alert is generated. A good argument value is 300 characters. This

 

should limit the alerts to IDS evasion type attacks, like whisker.

 

 

SELF-DIRECTORY-

This rule normalizes self-referential directories. So, “/abc/./xyz” gets

TRAVERSAL ATTACK

normalized to “/abc/xyz”.

 

 

U-ENCODING ATTACK

This rule emulates the IIS %u encoding scheme. The %u encoding

 

scheme starts with a %u followed by 4 characters, like %uXXXX.

 

The XXXX is a hex encoded value that correlates to an IIS unicode

 

codepoint. This is an ASCII value. An ASCII character is encoded

 

like, %u002f = /, %u002e = ., etc.

 

 

UTF-8-ENCODING

The UTF-8 decode rule decodes standard UTF-8 unicode

ATTACK

sequences that are in the URI. This abides by the unicode standard

 

and only uses % encoding. Apache uses this standard, so for any

 

Apache servers, make sure you have this option turned on. When

 

this rule is enabled, ASCII decoding is also enabled to enforce

 

correct functioning.

 

 

WEBROOT-DIRECTORY-

This is when a directory traversal traverses past the web server root

TRAVERSAL ATTACK

directory. This generates much fewer false positives than the

 

directory option, because it doesn’t alert on directory traversals that

 

stay within the web server directory structure. It only alerts when the

 

directory traversals go past the web server root directory, which is

 

associated with certain web attacks.

 

 

TCP Decoder

 

 

 

BAD-LENGTH-OPTIONS

This is when a TCP packet is sent where the TCP option length field

ATTACK

is not the same as what it actually is or is 0. This may cause some

 

applications to crash.

 

 

EXPERIMENTAL-OPTIONS

This is when a TCP packet is sent which contains non-RFC-

ATTACK

complaint options. This may cause some applications to crash.

 

 

OBSOLETE-OPTIONS

This is when a TCP packet is sent which contains obsolete RFC

ATTACK

options.

 

 

OVERSIZE-OFFSET

This is when a TCP packet is sent where the TCP data offset is

ATTACK

larger than the payload.

 

 

TRUNCATED-OPTIONS

This is when a TCP packet is sent which doesn’t have enough data

ATTACK

to read. This could mean the packet was truncated.

 

 

TTCP-DETECTED ATTACK

T/TCP provides a way of bypassing the standard three-way

 

handshake found in TCP, thus speeding up transactions. However,

 

this could lead to unauthorized access to the system by spoofing

 

connections.

 

 

UNDERSIZE-LEN ATTACK

This is when a TCP packet is sent which has a TCP datagram length

 

of less than 20 bytes. This may cause some applications to crash.

 

 

UNDERSIZE-OFFSET

This is when a TCP packet is sent which has a TCP header length of

ATTACK

less than 20 bytes.This may cause some applications to crash.

 

 

UDP Decoder

 

 

 

OVERSIZE-LEN ATTACK

This is when a UDP packet is sent which has a UDP length field of

 

greater than the actual packet length. This may cause some

 

applications to crash.

 

 

458

 

ZyWALL USG 1000 User’s Guide