Network Instruments GigaStor User Manual page 48

48 | GigaStor™ (pub. 25.Apr.2014)

TCP Stream Reassembly (Continued)

Field / Description

Reconstruct Server to Client streams—Check this box to have analysis actually reconstruct streams received by clients.

Overlap method—Different operating systems handle overlapping packets using one of these methods. Choose the one that matches the method used by the systems being monitored.

Reassembly error action—Discard and flush writes the reassembled stream for analysis, excluding the packet that caused the error. Insert and flush writes the reassembled stream, but includes the packet that caused the error. Insert no flush includes the error-causing packet and continues stream reassembly.

Reassembled packet size threshold range—Some evasion strategies attempt to evade detection by fragmenting the TCP header across multiple packets. Reassembling the stream in packets of uniform size makes it easier for attackers to slip traffic past the rules, so forensic analysis reassembles the stream using random packet sizes. Here you can set the upper and lower limits on the size of these packets.

Reassembled packet size seed value—Changing the seed value causes forensic analysis to use a different pattern of packet sizes for stream reassembly. Running the analysis again with a different seed value can catch signature matches that would otherwise escape detection.

Port List—Enabling the Port List option limits analysis to (or excludes from analysis) the given port numbers.

HTTP URI Normalization

Many HTTP-based attacks attempt to evade detection by encoding URI strings in UTF-8 or in Microsoft %u notation for specifying Unicode characters. This preprocessor includes options to circumvent the most common evasion techniques. To match patterns against the normalized URIs rather than the unconverted strings captured from the wire, the VRT Rules use the uricontent option, which depends on this preprocessor. Without normalization, you would have to include signatures for the pattern in all possible formats (using the content option), rather than in one canonical version.

Log preprocessor events—Checking this box causes forensic analysis to save any alerts generated by the HTTP preprocessor to the log, but not to the Forensic Summary Window.

Maximum directory segment size—Specifies the maximum length of a directory segment (i.e., the number of characters allowed between slashes). If a URI directory segment is longer than this, an alert is generated. 200 characters is a reasonable cutoff point to start with. This should limit the alerts to IDS evasions.

Unicode Code Page—Specify the appropriate country code page for the traffic being monitored.

Normalize ASCII percent encodings—This option must be enabled for the rest of the options to work. The second check box allows you to enable logging when such encoding is encountered during preprocessing. Because such encoding is considered standard, logging occurrences of it is not recommended.

Normalize percent-U encodings—Convert Microsoft-style %u-encoded characters to standard format. The second check box allows you to enable logging when such encoding is encountered during preprocessing. Because such encoding is considered non-standard (and a common hacker trick), logging occurrences of it is recommended.

Normalize UTF-8 encodings—Convert UTF-8 encoded characters to standard format. The second check box allows you to enable logging when such encoding
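The normalization the preprocessor performs, as an added illustration that is not GigaStor's code: a small decoder for %XX, %uXXXX and UTF-8 sequences that records the events the check boxes above would log, applies the directory segment size check, and shows why a signature has to be matched against the canonical URI rather than the wire string. Function names, the 200-character default and the ASCII-only input are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed illustration, not GigaStor code: a URI normalizer with the
# options described above. Defaults follow the manual's advice (do not log
# plain percent encoding; do log %u and UTF-8). Threshold and names are assumed.
ENC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

@dataclass
class NormResult:
    uri: str                                    # canonical, decoded URI
    events: list = field(default_factory=list)  # preprocessor events to log

def normalize_uri(raw: str, max_dir_segment: int = 200, log_percent: bool = False,
                  log_percent_u: bool = True, log_utf8: bool = True) -> NormResult:
    """Decode %XX, %uXXXX and UTF-8 into one canonical string, recording events."""
    events, out, pos = [], bytearray(), 0
    for m in ENC.finditer(raw):                 # raw is the ASCII URI from the wire
        out += raw[pos:m.start()].encode("ascii")
        if m.group(1):                          # Microsoft %uXXXX: a UTF-16 code unit
            if log_percent_u:
                events.append("percent-u encoding")
            cp = int(m.group(1), 16)
            if 0xD800 <= cp <= 0xDFFF:          # lone surrogate is not a character
                cp = 0xFFFD
            out += chr(cp).encode("utf-8")
        else:                                   # standard %XX: one raw byte
            if log_percent:
                events.append("percent encoding")
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += raw[pos:].encode("ascii")
    if log_utf8 and any(b >= 0x80 for b in out):
        events.append("utf-8 encoding")
    text = out.decode("utf-8", errors="replace")  # invalid/overlong bytes -> U+FFFD
    # Directory segment check: alert when any part between slashes is too long.
    if any(len(seg) > max_dir_segment for seg in text.split("/")):
        events.append("oversized directory segment")
    return NormResult(text, events)

def matches_signature(raw: str, pattern: str) -> bool:
    """Match like uricontent: against the normalized URI, not the wire string."""
    return pattern in normalize_uri(raw).uri
```

The same request written three ways ("/scripts/cmd.exe", "/scripts/%63md.exe", "/scripts/%u0063md.exe") normalizes to one string, so a single pattern covers all of them while the raw-string match catches only the first.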
