Filter
Top Products
Chapter 31 ADP
ZyWALL USG 50 User’s Guide
530
DOUBLE-ENCODING
ATTACK
This rule is IIS specific. IIS does two passes through the
request URI, doing decodes in each one. In the first pass,
IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is
done. In the second pass ASCII, bare byte, and %u
encodings are done.
IIS-BACKSLASH-
EVASION ATTACK
This is an IIS emulation rule that normalizes backslashes to
slashes. Therefore, a request-URI of “/abc\xyz” gets
normalized to “/abc/xyz”.
IIS-UNICODE-
CODEPOINT-ENCODING
ATTACK
This rule can detect attacks which send attack strings
containing non-ASCII characters encoded by IIS Unicode.
IIS Unicode encoding references the unicode.map file.
Attackers may use this method to bypass system
parameter checks in order to get information or privileges
from a web server.
MULTI-SLASH-
ENCODING ATTACK
This rule normalizes multiple slashes in a row, so something
like: “abc/////////xyz” get normalized to “abc/xyz”.
NON-RFC-DEFINED-
CHAR ATTACK
This rule lets you receive a log or alert if certain non-RFC
characters are used in a request URI. For instance, you may
want to know if there are NULL bytes in the request-URI.
NON-RFC-HTTP-
DELIMITER ATTACK
This is when a newline “\n” character is detected as a
delimiter. This is non-standard but is accepted by both
Apache and IIS web servers.
OVERSIZE-CHUNK-
ENCODING ATTACK
This rule is an anomaly detector for abnormally large chunk
sizes. This picks up the apache chunk encoding exploits and
may also be triggered on HTTP tunneling that uses chunk
encoding.
OVERSIZE-REQUEST-
URI-DIRECTORY ATTACK
This rule takes a non-zero positive integer as an argument.
The argument specifies the max character directory length
for URL directory. If a URL directory is larger than this
argument size, an alert is generated. A good argument
value is 300 characters. This should limit the alerts to IDS
evasion type attacks, like whisker.
SELF-DIRECTORY-
TRAVERSAL ATTACK
This rule normalizes self-referential directories. So, “/abc/./
xyz” gets normalized to “/abc/xyz”.
U-ENCODING ATTACK This rule emulates the IIS %u encoding scheme. The %u
encoding scheme starts with a %u followed by 4
characters, like %uXXXX. The XXXX is a hex encoded value
that correlates to an IIS unicode codepoint. This is an ASCII
value. An ASCII character is encoded like, %u002f = /,
%u002e = ., etc.
UTF-8-ENCODING
ATTACK
The UTF-8 decode rule decodes standard UTF-8 unicode
sequences that are in the URI. This abides by the unicode
standard and only uses % encoding. Apache uses this
standard, so for any Apache servers, make sure you have
this option turned on. When this rule is enabled, ASCII
decoding is also enabled to enforce correct functioning.
Table 158 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)
LABEL DESCRIPTION