ZyXEL Communications ZyWALL 300 User Manual

 Chapter 30 ADP
ZyWALL USG 300 User’s Guide
457
Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder; each category is named for the packet type it inspects. Protocol anomaly rules may be updated when you upload new firmware.
30.9.1  HTTP Inspection and TCP/UDP/ICMP Decoders
The following table gives some information on the HTTP inspection, TCP decoder, UDP 
decoder and ICMP decoder ZyWALL protocol anomaly rules. 
Table 144   HTTP Inspection and TCP/UDP/ICMP Decoders

| LABEL | DESCRIPTION |
|---|---|
| HTTP Inspection | |
| APACHE-WHITESPACE ATTACK | This rule deals with the non-RFC-standard use of a tab as a space delimiter. Apache uses this, so if you have an Apache server, you need to enable this option. |
| ASCII-ENCODING ATTACK | This rule can detect attacks in which malicious attackers use ASCII encoding to encode attack strings. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server. |
| BARE-BYTE-UNICODING-ENCODING ATTACK | Bare byte encoding uses non-ASCII characters as valid values when decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII values have to be encoded with a %. Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings correctly. |
| BASE36-ENCODING ATTACK | This rule decodes base36-encoded characters. It can detect attacks in which malicious attackers use base36 encoding to encode attack strings. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server. |
| DIRECTORY-TRAVERSAL ATTACK | This rule normalizes directory traversals and self-referential directories. So “/abc/this_is_not_a_real_dir/../xyz” gets normalized to “/abc/xyz”, and “/abc/./xyz” gets normalized to “/abc/xyz”. If you want to configure an alert, specify “yes”, otherwise “no”. This alert may give false positives since some web sites refer to files using directory traversals. |
| DOUBLE-ENCODING ATTACK | This rule is IIS specific. IIS does two passes through the request URI, decoding in each one. In the first pass, IIS encoding (UTF-8 Unicode, ASCII, bare byte, and %u) is decoded. In the second pass, ASCII, bare byte, and %u encodings are decoded. |
| IIS-BACKSLASH-EVASION ATTACK | This IIS emulation rule normalizes backslashes to slashes. Therefore, a request-URI of “/abc\xyz” gets normalized to “/abc/xyz”. |
| IIS-UNICODE-CODEPOINT-ENCODING ATTACK | This rule can detect attacks that send attack strings containing non-ASCII characters encoded with IIS Unicode. IIS Unicode encoding references the unicode.map file. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server. |
| MULTI-SLASH-ENCODING ATTACK | This rule normalizes multiple slashes in a row, so something like “abc/////////xyz” gets normalized to “abc/xyz”. |
| NON-RFC-DEFINED-CHAR ATTACK | This rule lets you receive a log or alert if certain non-RFC characters are used in a request URI. For instance, you may want to know if there are NULL bytes in the request-URI. |
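The normalizations in Table 144 are easier to reason about when you can run them over a request-URI and see which rule fires. The following is an added example written for this guide, not ZyXEL's or the ZyWALL's own code: the function name `normalize_uri`, the `iis_emulation` switch and the exact decision logic for each rule are this example's assumptions, chosen to match the table's descriptions (traversal and "." segments, multiple slashes, backslashes under IIS emulation, a second decoding pass for double encoding, needlessly %-encoded ASCII, and NULL bytes).

```python
import posixpath
import re
from urllib.parse import unquote

# %-escapes for characters that never need encoding in a path (letters,
# digits, '.', '/', '\'); encoding them anyway is the ASCII-encoding trick.
_NEEDLESS = re.compile(r"%(2e|2f|5c|3[0-9]|[46][1-9a-f]|[57][0-9a])", re.I)


def normalize_uri(uri: str, iis_emulation: bool = False):
    """Return (normalized_path, fired_rules) for one request-URI path.

    The rule names returned are the Table 144 labels; the checks are this
    example's own approximation of what each rule looks for.
    """
    fired = []

    # DOUBLE-ENCODING: decode once, then again. If the second pass still
    # changes the string, one %-encoding was nested inside another.
    once, twice = unquote(uri), unquote(unquote(uri))
    if twice != once:
        fired.append("DOUBLE-ENCODING ATTACK")
    # ASCII-ENCODING: %xx used for characters that needed no encoding.
    if _NEEDLESS.search(uri):
        fired.append("ASCII-ENCODING ATTACK")
    # IIS decodes twice; an RFC-conformant server decodes only once.
    path = twice if iis_emulation else once

    # NON-RFC-DEFINED-CHAR: a NULL byte has no place in a request-URI.
    if "\x00" in path:
        fired.append("NON-RFC-DEFINED-CHAR ATTACK")
        path = path.replace("\x00", "")

    # IIS-BACKSLASH-EVASION: "/abc\xyz" means "/abc/xyz" to IIS.
    if iis_emulation and "\\" in path:
        fired.append("IIS-BACKSLASH-EVASION ATTACK")
        path = path.replace("\\", "/")

    # MULTI-SLASH-ENCODING: "abc/////xyz" becomes "abc/xyz".
    if "//" in path:
        fired.append("MULTI-SLASH-ENCODING ATTACK")
        path = re.sub(r"/{2,}", "/", path)

    # DIRECTORY-TRAVERSAL: "." and ".." segments are resolved, so
    # "/abc/this_is_not_a_real_dir/../xyz" becomes "/abc/xyz".
    if re.search(r"(^|/)\.\.?(/|$)", path):
        fired.append("DIRECTORY-TRAVERSAL ATTACK")
        path = posixpath.normpath(path)
    return path, fired
```

Run the same URI with `iis_emulation` on and off to see why the DOUBLE-ENCODING and IIS-BACKSLASH-EVASION rules are described as IIS specific: the second decoding pass and the backslash separator only change the resulting path when the back-end server behaves like IIS.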