ZyXEL Communications Unified Security Gateway ZyWALL 300 User Manual page 458

Chapter 30 ADP
Table 144 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)
| LABEL | DESCRIPTION |
| --- | --- |
| NON-RFC-HTTP-DELIMITER ATTACK | This is when a newline "\n" character is detected as a delimiter. This is non-standard but is accepted by both Apache and IIS web servers. |
| OVERSIZE-CHUNK-ENCODING ATTACK | This rule is an anomaly detector for abnormally large chunk sizes. This picks up the Apache chunk encoding exploits and may also be triggered on HTTP tunneling that uses chunk encoding. |
| OVERSIZE-REQUEST-URI-DIRECTORY ATTACK | This rule takes a non-zero positive integer as an argument. The argument specifies the maximum length, in characters, of a URL directory. If a URL directory is larger than this argument size, an alert is generated. A good argument value is 300 characters. This should limit the alerts to IDS evasion type attacks, like whisker. |
| SELF-DIRECTORY-TRAVERSAL ATTACK | This rule normalizes self-referential directories. So, "/abc/./xyz" gets normalized to "/abc/xyz". |
| U-ENCODING ATTACK | This rule emulates the IIS %u encoding scheme. The %u encoding scheme starts with a %u followed by 4 characters, like %uXXXX. The XXXX is a hex encoded value that correlates to an IIS unicode codepoint. This is an ASCII value. An ASCII character is encoded like, %u002f = /, %u002e = ., etc. |
| UTF-8-ENCODING ATTACK | The UTF-8 decode rule decodes standard UTF-8 unicode sequences that are in the URI. This abides by the unicode standard and only uses % encoding. Apache uses this standard, so for any Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to enforce correct functioning. |
| WEBROOT-DIRECTORY-TRAVERSAL ATTACK | This is when a directory traversal traverses past the web server root directory. This generates far fewer false positives than the directory option, because it doesn't alert on directory traversals that stay within the web server directory structure. It only alerts when the directory traversals go past the web server root directory, which is associated with certain web attacks. |
| TCP Decoder | |
| BAD-LENGTH-OPTIONS ATTACK | This is when a TCP packet is sent where the TCP option length field does not match the actual option length or is 0. This may cause some applications to crash. |
| EXPERIMENTAL-OPTIONS ATTACK | This is when a TCP packet is sent which contains non-RFC-compliant options. This may cause some applications to crash. |
| OBSOLETE-OPTIONS ATTACK | This is when a TCP packet is sent which contains obsolete RFC options. |
| OVERSIZE-OFFSET ATTACK | This is when a TCP packet is sent where the TCP data offset is larger than the payload. |
| TRUNCATED-OPTIONS ATTACK | This is when a TCP packet is sent which doesn't have enough data to read. This could mean the packet was truncated. |
| TTCP-DETECTED ATTACK | T/TCP provides a way of bypassing the standard three-way handshake found in TCP, thus speeding up transactions. However, this could lead to unauthorized access to the system by spoofing connections. |
| UNDERSIZE-LEN ATTACK | This is when a TCP packet is sent which has a TCP datagram length of less than 20 bytes. This may cause some applications to crash. |
| UNDERSIZE-OFFSET ATTACK | This is when a TCP packet is sent which has a TCP header length of less than 20 bytes. This may cause some applications to crash. |
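
The URI checks described in the HTTP Inspection rows can be sketched as follows. This is an added example, not ZyXEL's code: the function name `inspect_uri`, the single-pass decoding order, and raising the UTF-8 alert only for multi-byte sequences are assumptions, and the input is taken to be the path component of the request URI only.

```python
import re

MAX_DIR_LEN = 300  # argument value the table suggests
# Either one IIS-style %uXXXX escape or a run of standard %XX escapes.
_ESC = re.compile(r"%u([0-9a-fA-F]{4})|((?:%[0-9a-fA-F]{2})+)")

def inspect_uri(path, max_dir_len=MAX_DIR_LEN):
    """Return (normalized_path, alerts) for the path component of a URI."""
    alerts = set()

    def decode(m):
        if m.group(1):  # %uXXXX code point, e.g. %u002f = /
            alerts.add("U-ENCODING ATTACK")
            return chr(int(m.group(1), 16))
        raw = bytes.fromhex(m.group(2).replace("%", ""))
        if any(b >= 0x80 for b in raw):  # assumption: flag multi-byte UTF-8 only
            alerts.add("UTF-8-ENCODING ATTACK")
        return raw.decode("utf-8", "replace")

    # One pass only, so a decoded "%" is never decoded a second time.
    segments = _ESC.sub(decode, path).split("/")
    kept = []
    for i, seg in enumerate(segments):
        if seg == "":  # leading slash or "//"
            continue
        if seg == ".":  # "/abc/./xyz" -> "/abc/xyz"
            alerts.add("SELF-DIRECTORY-TRAVERSAL ATTACK")
            continue
        if seg == "..":
            if kept:
                kept.pop()  # traversal stays inside the web root: no alert
            else:
                alerts.add("WEBROOT-DIRECTORY-TRAVERSAL ATTACK")
            continue
        is_dir = i < len(segments) - 1  # last segment is the file name
        if is_dir and len(seg) > max_dir_len:
            alerts.add("OVERSIZE-REQUEST-URI-DIRECTORY ATTACK")
        kept.append(seg)
    return "/" + "/".join(kept), alerts

if __name__ == "__main__":
    # Constructed sample paths, not taken from the manual (except the first).
    for uri in ["/abc/./xyz", "/docs/../index.html", "/a%u002f%u002e%u002e%u002f..%u002fb"]:
        print(uri, "->", inspect_uri(uri))
```

Decoding runs before normalization so that encoded "." and "/" characters are seen by the traversal checks, which is why the decode rules matter for evasion detection.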
ZyWALL USG 300 User's Guide