Table of Contents
Advertisement
About Anti-Evasive Measures
Anti-evasive measures are applied to input identified by the selected variables before the input is matched
against the specified value. For instance, the String Length measure is used to compute the length of the
matched input and use it for comparison. Some of the anti-evasive measures are used to thwart attempts by
hackers to encode inputs to bypass Web Application Firewall rules. You can click on an anti-evasive measure in
the list to read more information on it in the Tips/Help sidebar.
The anti-evasive measures can be used in conjunction with regular operators. There are ten measures to choose
from in the Anti-Evasive Measures field, including the None measure which leaves the input alone.
Multiple anti-evasive measures can be selected together and individually enforced. You can select multiple
measures by holding the Ctrl key while clicking an additional measure. When the None measure is selected
along with other measures in your rule, the input is compared as is and also compared after decoding it or
converting it with another measure.
Table 36. Anti-Evasive Measures for Rules
Measure
None
String Length
Convert to Lowercase
Normalize URI Path
Remove Spaces
Base64 Decode
Hexadecimal Decode
Table 36
describes the anti-evasive measures available for use with rules.
Description
Use the None measure when you want to compare the scanned input to the
configured variable(s) and value(s) without changing the input.
Use the String Length measure when the selected variable is a string and you want
to compute the length of the string before applying the selected operator.
Use the Convert to Lowercase measure when you want to make case-insensitive
comparisons by converting the input to all lowercase before the comparison. When
you use this measure, make sure that strings entered in the Value field are all in
lowercase.
This is an anti-evasive measure to prevent hackers from changing case to bypass the
rule.
Use the Normalize URI Path measure to remove invalid references, such as back-
references (except at the beginning of the URI), consecutive slashes, and self-
references in the URI. For example, the URI
converted to www.eshop.com/login.aspx.
This is an anti-evasive measure to prevent hackers from adding invalid references in
the URI to bypass the rule.
Use the Remove Spaces measure to remove spaces within strings in the input before
the comparison. Extra spaces can cause a rule to not match the input, but are
interpreted by the backend Web application.
This is an anti-evasive measure to prevent hackers from adding spaces within strings
to bypass the rule.
Use the Base64 Decode measure to decode base64 encoded data before the
comparison is made according to the rule.
Some applications encode binary data in a manner convenient for inclusion in URLs
and in form fields. Base64 encoding is done to this type of data to keep the data
compact. The backend application decodes the data.
This is an anti-evasive measure to prevent hackers from using base64 encoding of
their input to bypass the rule.
Use the Hexadecimal Decode measure to decode hexadecimal encoded data before
the comparison is made according to the rule.
This is an anti-evasive measure to prevent hackers from using hexadecimal encoding
of their input to bypass the rule.
www.eshop.com/././//login.aspx
Dell SonicWALL Secure Mobile Access 8.5
Administration Guide
is
304
Advertisement
Chapters
Table of Contents
Troubleshooting
