ZyXEL Communications ZyWALL USG 300 User Manual page 561

Unified security gateway

HTTP Inspection and TCP/UDP/ICMP Decoders
The following table gives some information on the HTTP inspection, TCP decoder,
UDP decoder and ICMP decoder ZyWALL protocol anomaly rules.
Table 168 HTTP Inspection and TCP/UDP/ICMP Decoders
| LABEL | DESCRIPTION |
|---|---|
| HTTP Inspection | |
| APACHE-WHITESPACE ATTACK | This rule deals with the non-RFC-standard use of a tab as a space delimiter. Apache uses this, so if you have an Apache server, you need to enable this option. |
| ASCII-ENCODING ATTACK | This rule can detect attacks where malicious attackers use ASCII-encoding to encode attack strings. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server. |
| BARE-BYTE-UNICODING-ENCODING ATTACK | Bare byte encoding uses non-ASCII characters as valid values in decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII values have to be encoded with a %. Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings correctly. |
| BASE36-ENCODING ATTACK | This is a rule to decode base36-encoded characters. This rule can detect attacks where malicious attackers use base36-encoding to encode attack strings. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server. |
| DIRECTORY-TRAVERSAL ATTACK | This rule normalizes directory traversals and self-referential directories. So, "/abc/this_is_not_a_real_dir/../xyz" gets normalized to "/abc/xyz". Also, "/abc/./xyz" gets normalized to "/abc/xyz". If a user wants to configure an alert, then specify "yes", otherwise "no". This alert may give false positives since some web sites refer to files using directory traversals. |
| DOUBLE-ENCODING ATTACK | This rule is IIS specific. IIS does two passes through the request URI, doing decodes in each one. In the first pass, IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is done. In the second pass ASCII, bare byte, and %u encodings are done. |
| IIS-BACKSLASH-EVASION ATTACK | This is an IIS emulation rule that normalizes backslashes to slashes. Therefore, a request-URI of "/abc\xyz" gets normalized to "/abc/xyz". |
| IIS-UNICODE-CODEPOINT-ENCODING ATTACK | This rule can detect attacks which send attack strings containing non-ASCII characters encoded by IIS Unicode. IIS Unicode encoding references the unicode.map file. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server. |
| MULTI-SLASH-ENCODING ATTACK | This rule normalizes multiple slashes in a row, so something like "abc/////////xyz" gets normalized to "abc/xyz". |
| NON-RFC-DEFINED-CHAR ATTACK | This rule lets you receive a log or alert if certain non-RFC characters are used in a request URI. For instance, you may want to know if there are NULL bytes in the request-URI. |
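
The normalizations described in the table can be reproduced offline to see which rule a given request URI would trip. The following Python sketch is an added example, not ZyWALL code or its actual detection logic; the function name `inspect_uri` and the sample URIs are assumptions, and it covers only the double-encoding, NULL byte, backslash, multi-slash and directory-traversal rules.

```python
import re
from urllib.parse import unquote

PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

def inspect_uri(raw_path):
    """Hypothetical helper: return (normalized_path, [triggered rule labels])."""
    alerts = []
    # First decoding pass; latin-1 maps every decoded byte to one character.
    path = unquote(raw_path, encoding="latin-1")
    # DOUBLE-ENCODING: escapes that survive one pass would be decoded by a
    # server that makes two passes, so decode again and report it.
    if PCT_ESCAPE.search(path):
        alerts.append("DOUBLE-ENCODING ATTACK")
        path = unquote(path, encoding="latin-1")
    # NON-RFC-DEFINED-CHAR: a NULL byte in the request URI.
    if "\x00" in path:
        alerts.append("NON-RFC-DEFINED-CHAR ATTACK")
    # IIS-BACKSLASH-EVASION: treat "\" as "/".
    if "\\" in path:
        alerts.append("IIS-BACKSLASH-EVASION ATTACK")
        path = path.replace("\\", "/")
    # MULTI-SLASH-ENCODING: collapse runs of slashes.
    if "//" in path:
        alerts.append("MULTI-SLASH-ENCODING ATTACK")
        path = re.sub(r"/{2,}", "/", path)
    # DIRECTORY-TRAVERSAL: resolve "." and ".." without climbing above the root.
    stack, traversal = [], False
    for seg in path.split("/"):
        if seg in (".", ".."):
            traversal = True
            if seg == ".." and stack and stack[-1] != "":
                stack.pop()
        else:
            stack.append(seg)
    if traversal:
        alerts.append("DIRECTORY-TRAVERSAL ATTACK")
    return "/".join(stack) or "/", alerts

# Constructed sample request URIs; the first four are the table's own examples.
SAMPLES = ["/abc/this_is_not_a_real_dir/../xyz", "/abc/./xyz", "/abc\\xyz",
           "abc/////////xyz", "/abc/%252e%252e/xyz", "/abc%00.txt"]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(repr(uri), "->", inspect_uri(uri))
```

Decoding happens before the structural checks so that an encoded "../" is seen by the traversal check in its decoded form.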
Chapter 32 ADP