Deleting A Rule - Dell SMA 200 Administration Manual

2. The second rule identifies the form parameter, shell_cmd, and the bad input, traceroute.
Example – Using URL Decode and None
If a hacker perceives that a Request URI is being scanned for CR and LF characters (carriage return and line
feed), the hacker might attempt to sneak those characters into the request by URL-encoding them before
adding them to the request. The URI then contains %0D and %0A sequences that, once the server decodes them,
could be used to launch an HTTP response splitting attack. The URL Decode and/or URL Decode (Unicode)
measures thwart this evasion by decoding the scanned input before it is compared against the configured
value(s) to check for a match.
Specifically, if a request is made to the URI http://www.host.com/foo%20bar/ and the URL Decode measure
is selected, the scanned URI becomes http://www.host.com/foo bar/ after decoding and can now be safely
matched. To also thwart a hacker who sends the non-encoded request in addition to the encoded one, the
administrator can select both the None and the URL Decode options in the rule, so that the raw input and the
decoded input are each compared against the configured value.
Example – Using Convert to Lowercase and URL Decode with Parameter Values
An administrator wants to block requests in which the content of the Parameter Values variable matches the
value foo bar. Because the backend application accepts case-insensitive inputs (foo bar and FOO BAR are
equivalent), a hacker can pass foo BAR in the request and evade the rule. To prevent this evasion, the
administrator specifies Convert to Lowercase as an anti-evasive measure and configures the value as foo bar
in all lower case. All request parameter values are then converted to lower case before being compared
against the value, which gives a case-insensitive check.
Similarly, the hacker could pass foo%20BAR, the URL-encoded form that browsers typically send. To prevent
this evasion, the administrator also specifies URL Decode as an anti-evasive measure for the request entity.
The input foo%20BAR is URL decoded to foo BAR and then lowercased to foo bar, which matches. If the input is
already foo BAR, URL decoding leaves it unchanged and the lowercase conversion still produces a match.
Example – Using String Length and URL Decode with Parameter Values:ID
Comparing against the decoded input also lets the administrator use the String Length measure to check the
length of the input bound to the matching variable. For example, if a Web application's ID parameter should
never be longer than four characters, the administrator selects Parameter Values in the Variable field, enters
ID in the selection field, clicks + to add the variable and selected item to the rule, enters 4 in the Value
field, selects > in the Operator list, and selects both URL Decode and String Length in the Anti-Evasive
Measures list. Because the length is then measured on the decoded value, each percent-encoded character
counts once rather than as the three characters of its %XX escape.
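The four examples above all turn on the same mechanism: the selected measures normalize the scanned input before the comparison, and the rule value is written in the normalized form. The following Python is an added illustration of that mechanism, not code from the appliance or from Dell. The function names, the rule evaluation logic and the sample requests are assumptions constructed for this page; in particular, the assumption that selecting None alongside another measure compares both the raw and the transformed input is inferred from the example text, not from documented internals.

```python
# Added example (not Dell/SonicWALL code). Models how a WAF rule's anti-evasive
# measures normalize a scanned input before it is compared with the rule value,
# using the measures named in the manual: None, URL Decode, URL Decode (Unicode),
# Convert to Lowercase and String Length.
# Assumption: "None" compares the raw input, the transforming measures are
# applied in the order listed, and the rule fires if either comparison matches.
import re
from urllib.parse import unquote

_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")


def url_decode_unicode(value: str) -> str:
    """URL Decode (Unicode): expand %uXXXX escapes, then ordinary %XX escapes."""
    expanded = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)
    return unquote(expanded)


def apply_measures(value: str, measures: list) -> str:
    """Apply the transforming measures to `value`, in order. Names that do not
    transform ('None', 'String Length') are ignored here."""
    out = value
    for m in measures:
        if m == "URL Decode":
            out = unquote(out)             # one decode pass: foo%20BAR -> foo BAR
        elif m == "URL Decode (Unicode)":
            out = url_decode_unicode(out)  # %u0041 -> A, then %XX as above
        elif m == "Convert to Lowercase":
            out = out.lower()
    return out


def candidates(value: str, measures: list):
    """The strings a rule compares: the raw value when 'None' is selected (or
    when nothing transforms it), and the transformed value otherwise."""
    transforms = [m for m in measures if m not in ("None", "String Length")]
    if "None" in measures or not transforms:
        yield value
    if transforms:
        yield apply_measures(value, transforms)


def rule_matches(value: str, operator: str, target, measures: list) -> bool:
    """Evaluate one rule. With 'String Length' selected the operator is applied
    to the length of each candidate string instead of the string itself
    (so '>' is only meaningful together with 'String Length' here)."""
    for cand in candidates(value, measures):
        subject = len(cand) if "String Length" in measures else cand
        if operator == "Contains" and target in subject:
            return True
        if operator == "Equals" and subject == target:
            return True
        if operator == ">" and subject > target:
            return True
    return False


# Constructed sample inputs, one per example in the manual.
CRLF_URI = "/redirect?next=%0D%0ASet-Cookie:%20evil=1"   # encoded CR LF
RAW_CRLF_URI = "/redirect?next=\r\nSet-Cookie: evil=1"    # same, sent unencoded


def demo() -> dict:
    """Return each example's verdict (True = the rule matches and blocks)."""
    return {
        # Response-splitting evasion: a raw scan misses the encoded CR LF,
        # URL Decode catches it; None + URL Decode catches both forms.
        "crlf_raw_scan": rule_matches(CRLF_URI, "Contains", "\r\n", ["None"]),
        "crlf_decoded": rule_matches(CRLF_URI, "Contains", "\r\n", ["URL Decode"]),
        "crlf_both_forms": all(
            rule_matches(u, "Contains", "\r\n", ["None", "URL Decode"])
            for u in (CRLF_URI, RAW_CRLF_URI)),
        # Case and encoding evasion of an Equals 'foo bar' rule.
        "foobar_lower_only": rule_matches("foo%20BAR", "Equals", "foo bar",
                                          ["Convert to Lowercase"]),
        "foobar_lower_decode": rule_matches("foo%20BAR", "Equals", "foo bar",
                                            ["URL Decode", "Convert to Lowercase"]),
        # ID length > 4, measured on the decoded value.
        "id_five_chars": rule_matches("%41%41%41%41%41", ">", 4,
                                      ["URL Decode", "String Length"]),
        "id_four_chars": rule_matches("%41%41%41%41", ">", 4,
                                      ["URL Decode", "String Length"]),
        # Without URL Decode the four escapes count as twelve characters.
        "id_four_chars_no_decode": rule_matches("%41%41%41%41", ">", 4,
                                                ["String Length"]),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:26s} {'BLOCK' if hit else 'allow'}")
```

Run it and each constructed input prints BLOCK or allow. Two points to keep in mind when writing such rules: the decode in this example is a single pass, so a double-encoded payload such as %250D%250A comes out as %0D%0A and still slips past a rule that decodes only once; and String Length applied to the raw value counts every %XX escape as three characters, which is why the manual pairs it with URL Decode.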

Deleting a Rule

To delete a rule from a rule chain:
1. On the Web Application Firewall > Rules page, click the Edit Rule Chain icon under Configure for the rule chain from which you want to delete a rule. The page for that rule chain opens.
2. Click the Delete icon under Configure for the rule you want to delete.
3. Click OK in the confirmation dialog box.
4. Click Accept.

Dell SonicWALL Secure Mobile Access 8.5 Administration Guide