ZyXEL Communications ZyWALL USG 200 Series User Manual page 646

Chapter 35 ADP
Table 175 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)
LABEL
DOUBLE-ENCODING
ATTACK
IIS-BACKSLASH-
EVASION ATTACK
IIS-UNICODE-
CODEPOINT-ENCODING
ATTACK
MULTI-SLASH-
ENCODING ATTACK
NON-RFC-DEFINED-
CHAR ATTACK
NON-RFC-HTTP-
DELIMITER ATTACK
OVERSIZE-CHUNK-
ENCODING ATTACK
OVERSIZE-REQUEST-
URI-DIRECTORY ATTACK
SELF-DIRECTORY-
TRAVERSAL ATTACK
U-ENCODING ATTACK
UTF-8-ENCODING
ATTACK
646
DESCRIPTION
This rule is IIS specific. IIS does two passes through the
request URI, doing decodes in each one. In the first pass,
IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is
done. In the second pass ASCII, bare byte, and %u
encodings are done.
This is an IIS emulation rule that normalizes backslashes to
slashes. Therefore, a request-URI of "/abc\xyz" gets
normalized to "/abc/xyz".
This rule can detect attacks which send attack strings
containing non-ASCII characters encoded by IIS Unicode.
IIS Unicode encoding references the unicode.map file.
Attackers may use this method to bypass system
parameter checks in order to get information or privileges
from a web server.
This rule normalizes multiple slashes in a row, so something
like: "abc/////////xyz" get normalized to "abc/xyz".
This rule lets you receive a log or alert if certain non-RFC
characters are used in a request URI. For instance, you may
want to know if there are NULL bytes in the request-URI.
This is when a newline "\n" character is detected as a
delimiter. This is non-standard but is accepted by both
Apache and IIS web servers.
This rule is an anomaly detector for abnormally large chunk
sizes. This picks up the apache chunk encoding exploits and
may also be triggered on HTTP tunneling that uses chunk
encoding.
This rule takes a non-zero positive integer as an argument.
The argument specifies the max character directory length
for URL directory. If a URL directory is larger than this
argument size, an alert is generated. A good argument
value is 300 characters. This should limit the alerts to IDS
evasion type attacks, like whisker.
This rule normalizes self-referential directories. So, "/abc/./
xyz" gets normalized to "/abc/xyz".
This rule emulates the IIS %u encoding scheme. The %u
encoding scheme starts with a %u followed by 4
characters, like %uXXXX. The XXXX is a hex encoded value
that correlates to an IIS unicode codepoint. This is an ASCII
value. An ASCII character is encoded like, %u002f = /,
%u002e = ., etc.
The UTF-8 decode rule decodes standard UTF-8 unicode
sequences that are in the URI. This abides by the unicode
standard and only uses % encoding. Apache uses this
standard, so for any Apache servers, make sure you have
this option turned on. When this rule is enabled, ASCII
decoding is also enabled to enforce correct functioning.
ZyWALL USG 100/200 Series User's Guide