ZyXEL Communications ZyWall USG 2000 User Manual page 538

Unified security gateway

Chapter 32 ADP
Table 161 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)
| LABEL | DESCRIPTION |
|---|---|
| NON-RFC-HTTP-DELIMITER ATTACK | This is when a newline "\n" character is detected as a delimiter. This is non-standard but is accepted by both Apache and IIS web servers. |
| OVERSIZE-CHUNK-ENCODING ATTACK | This rule is an anomaly detector for abnormally large chunk sizes. This picks up the Apache chunk encoding exploits and may also be triggered on HTTP tunneling that uses chunk encoding. |
| OVERSIZE-REQUEST-URI-DIRECTORY ATTACK | This rule takes a non-zero positive integer as an argument. The argument specifies the maximum character length of a URL directory. If a URL directory is larger than this argument size, an alert is generated. A good argument value is 300 characters. This should limit the alerts to IDS evasion type attacks, like whisker. |
| SELF-DIRECTORY-TRAVERSAL ATTACK | This rule normalizes self-referential directories. So, "/abc/./xyz" gets normalized to "/abc/xyz". |
| U-ENCODING ATTACK | This rule emulates the IIS %u encoding scheme. The %u encoding scheme starts with a %u followed by 4 characters, like %uXXXX. The XXXX is a hex-encoded value that correlates to an IIS Unicode code point. This is an ASCII value. An ASCII character is encoded like %u002f = /, %u002e = ., etc. |
| UTF-8-ENCODING ATTACK | The UTF-8 decode rule decodes standard UTF-8 Unicode sequences that are in the URI. This abides by the Unicode standard and only uses % encoding. Apache uses this standard, so for any Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to enforce correct functioning. |
| WEBROOT-DIRECTORY-TRAVERSAL ATTACK | This is when a directory traversal traverses past the web server root directory. This generates far fewer false positives than the directory option, because it doesn't alert on directory traversals that stay within the web server directory structure. It only alerts when the directory traversals go past the web server root directory, which is associated with certain web attacks. |
| TCP Decoder | |
| BAD-LENGTH-OPTIONS ATTACK | This is when a TCP packet is sent where the TCP option length field does not match the actual option length or is 0. This may cause some applications to crash. |
| EXPERIMENTAL-OPTIONS ATTACK | This is when a TCP packet is sent which contains non-RFC-compliant options. This may cause some applications to crash. |
| OBSOLETE-OPTIONS ATTACK | This is when a TCP packet is sent which contains obsolete RFC options. |
| OVERSIZE-OFFSET ATTACK | This is when a TCP packet is sent where the TCP data offset is larger than the payload. |
| TRUNCATED-OPTIONS ATTACK | This is when a TCP packet is sent which doesn't have enough data to read. This could mean the packet was truncated. |
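The HTTP inspection rules above can be read as one URI normalization pass followed by checks on the result. The following is an added example, not code from the manual or from the ZyWALL firmware: `inspect_uri`, the sample URIs, and the choice to raise the table's label whenever a decoding or normalization step fires are assumptions made for illustration.

```python
import re

MAX_DIR_LEN = 300  # argument value the table suggests for the oversize rule
# One pass over both encodings, so decoded output is never decoded twice.
_ENC = re.compile(r"%u([0-9a-fA-F]{4})|((?:%[0-9a-fA-F]{2})+)")

def inspect_uri(uri, max_dir_len=MAX_DIR_LEN):
    """Normalize the path of a request URI; return (path, sorted alert labels)."""
    alerts = set()

    def decode(m):
        if m.group(1):  # %uXXXX: XXXX is a hex code point
            alerts.add("U-ENCODING ATTACK")
            return chr(int(m.group(1), 16))
        raw = bytes.fromhex(m.group(2).replace("%", ""))
        if any(b >= 0x80 for b in raw):  # bytes of a multi-byte UTF-8 sequence
            alerts.add("UTF-8-ENCODING ATTACK")
        return raw.decode("utf-8", errors="replace")

    path = _ENC.sub(decode, uri.split("?", 1)[0])  # drop the query string
    segs = path.split("/")
    out = []
    for i, seg in enumerate(segs):
        is_dir = i < len(segs) - 1  # the last segment is the file name
        if seg == "":
            continue
        if seg == ".":  # "/abc/./xyz" -> "/abc/xyz"
            alerts.add("SELF-DIRECTORY-TRAVERSAL ATTACK")
        elif seg == "..":
            if out:
                out.pop()  # traversal that stays inside the web root: no alert
            else:
                alerts.add("WEBROOT-DIRECTORY-TRAVERSAL ATTACK")
        else:
            if is_dir and len(seg) > max_dir_len:
                alerts.add("OVERSIZE-REQUEST-URI-DIRECTORY ATTACK")
            out.append(seg)
    return "/" + "/".join(out), sorted(alerts)

# Constructed sample request URIs (not taken from the manual).
SAMPLES = ["/abc/./xyz", "/img/../css/site.css",
           "/docs/%u002e%u002e/%u002e%u002e/conf", "/caf%C3%A9/menu"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", inspect_uri(s))
```

Decoding before the traversal check is what lets the third sample be flagged: the `..` segments only appear after the `%u002e` sequences are decoded.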
ZyWALL USG 2000 User's Guide


This manual is also suitable for:

Zywall usg 1000