ZyXEL Communications ZyWall USG 50-H Series User Manual page 437

Protocol Anomaly Background Information
The following sections may help you configure the protocol anomaly profile screen (see
Section 27.3.5 on page
HTTP Inspection and TCP/UDP/ICMP Decoders
The following table gives some information on the HTTP inspection, TCP decoder, UDP
decoder and ICMP decoder ZyWALL protocol anomaly rules.
Table 153 HTTP Inspection and TCP/UDP/ICMP Decoders
LABEL
HTTP Inspection
APACHE-WHITESPACE
ATTACK
ASCII-ENCODING ATTACK
BARE-BYTE-UNICODING-
ENCODING ATTACK
BASE36-ENCODING
ATTACK
DIRECTORY-TRAVERSAL
ATTACK
DOUBLE-ENCODING
ATTACK
IIS-BACKSLASH-EVASION
ATTACK
IIS-UNICODE-
CODEPOINT-ENCODING
ATTACK
MULTI-SLASH-ENCODING
ATTACK
NON-RFC-DEFINED-CHAR
ATTACK
NON-RFC-HTTP-
DELIMITER ATTACK
ZyWALL USG 50-H User's Guide
430)
DESCRIPTION
This rule deals with non-RFC standard of tab for a space delimiter.
Apache uses this, so if you have an Apache server, you need to
enable this option.
This rule can detect attacks where malicious attackers use ASCII-
encoding to encode attack strings. Attackers may use this method to
bypass system parameter checks in order to get information or
privileges from a web server.
Bare byte encoding uses non-ASCII characters as valid values in
decoding UTF-8 values. This is NOT in the HTTP standard, as all
non-ASCII values have to be encoded with a %. Bare byte encoding
allows the user to emulate an IIS server and interpret non-standard
encodings correctly.
This is a rule to decode base36-encoded characters. This rule can
detect attacks where malicious attackers use base36-encoding to
encode attack strings. Attackers may use this method to bypass
system parameter checks in order to get information or privileges
from a web server.
This rule normalizes directory traversals and self-referential
directories. So, "/abc/this_is_not_a_real_dir/../xyz" get normalized to
"/abc/xyz". Also, "/abc/./xyz" gets normalized to "/abc/xyz". If a user
wants to configure an alert, then specify "yes", otherwise "no". This
alert may give false positives since some web sites refer to files
using directory traversals.
This rule is IIS specific. IIS does two passes through the request
URI, doing decodes in each one. In the first pass, IIS encoding
(UTF-8 unicode, ASCII, bare byte, and %u) is done. In the second
pass ASCII, bare byte, and %u encodings are done.
This is an IIS emulation rule that normalizes backslashes to slashes.
Therefore, a request-URI of "/abc\xyz" gets normalized to "/abc/xyz".
This rule can detect attacks which send attack strings containing
non-ASCII characters encoded by IIS Unicode. IIS Unicode
encoding references the unicode.map file. Attackers may use this
method to bypass system parameter checks in order to get
information or privileges from a web server.
This rule normalizes multiple slashes in a row, so something like:
"abc/////////xyz" get normalized to "abc/xyz".
This rule lets you receive a log or alert if certain non-RFC characters
are used in a request URI. For instance, you may want to know if
there are NULL bytes in the request-URI.
This is when a newline "\n" character is detected as a delimiter. This
is non-standard but is accepted by both Apache and IIS web
servers.
Chapter 27 ADP
437