User's Manual
Chapter 26 ADP
ISG50 User’s Guide
426
OVERSIZE-REQUEST-URI-DIRECTORY ATTACK
    This rule takes a non-zero positive integer as an argument. The argument specifies the maximum length, in characters, of a single directory component in the URL. If a URL directory is longer than this value, an alert is generated. A good argument value is 300 characters; this should limit the alerts to IDS evasion type attacks, like whisker.

SELF-DIRECTORY-TRAVERSAL ATTACK
    This rule normalizes self-referential directories, so "/abc/./xyz" is normalized to "/abc/xyz".

U-ENCODING ATTACK
    This rule emulates the IIS %u encoding scheme. A %u-encoded sequence starts with %u followed by 4 characters, as in %uXXXX. The XXXX is a hex-encoded value that corresponds to an IIS Unicode codepoint; the result is an ASCII value. For example, %u002f = /, %u002e = ., and so on.

UTF-8-ENCODING ATTACK
    The UTF-8 decode rule decodes standard UTF-8 Unicode sequences in the URI. This abides by the Unicode standard and only uses % encoding. Apache uses this standard, so for any Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to ensure correct functioning.

WEBROOT-DIRECTORY-TRAVERSAL ATTACK
    This is when a directory traversal goes past the web server root directory. This generates far fewer false positives than the directory option, because it does not alert on directory traversals that stay within the web server directory structure. It only alerts when the directory traversal goes past the web server root directory, which is associated with certain web attacks.
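The five HTTP inspection rules above (%u decoding, UTF-8 %-decoding, self-directory normalization, oversize directory components, and traversal past the web root) can be illustrated as one small URI normalizer and checker. This is an added example written for this guide, not ISG50 code: the function names (`decode_u_encoding`, `normalize_self_dirs`, `inspect_uri`), the decode order (%u first, then standard %XX as UTF-8) and the "directory depth below zero" test for web-root traversal are my own choices, and the sample URIs are constructed. It returns the normalized path together with the labels of the rules that fired, using the rule names from the table.

```python
import re
from urllib.parse import unquote

# Alert labels taken from the ADP rule table.
U_ENCODING = "U-ENCODING ATTACK"
UTF8_ENCODING = "UTF-8-ENCODING ATTACK"
SELF_DIR = "SELF-DIRECTORY-TRAVERSAL ATTACK"
OVERSIZE_DIR = "OVERSIZE-REQUEST-URI-DIRECTORY ATTACK"
WEBROOT = "WEBROOT-DIRECTORY-TRAVERSAL ATTACK"

_U_ENC = re.compile(r"%u([0-9a-fA-F]{4})")          # IIS-style %uXXXX
_HIGH_BYTE = re.compile(r"%[89a-fA-F][0-9a-fA-F]")   # %XX with byte >= 0x80, i.e. a UTF-8 multibyte sequence


def decode_u_encoding(uri):
    """Emulate IIS %uXXXX decoding. Returns (decoded_uri, seen_u_encoding)."""
    seen = False

    def repl(m):
        nonlocal seen
        seen = True
        return chr(int(m.group(1), 16))  # %u002f -> '/', %u002e -> '.'

    return _U_ENC.sub(repl, uri), seen


def normalize_self_dirs(path):
    """Drop '.' segments: '/abc/./xyz' -> '/abc/xyz'. Returns (path, had_self_dir)."""
    segs = path.split("/")
    kept = [s for s in segs if s != "."]
    return "/".join(kept), len(kept) != len(segs)


def inspect_uri(uri, max_dir_len=300):
    """Normalize a request URI and return (normalized_path, [alert labels]).

    max_dir_len is the OVERSIZE-REQUEST-URI-DIRECTORY argument (300 is the
    value the table recommends).
    """
    alerts = []
    if _HIGH_BYTE.search(uri):
        alerts.append(UTF8_ENCODING)
    decoded, had_u = decode_u_encoding(uri)
    if had_u:
        alerts.append(U_ENCODING)
    # Standard %XX decoding, interpreted as UTF-8 (undecodable bytes become U+FFFD).
    decoded = unquote(decoded, encoding="utf-8", errors="replace")
    path = decoded.split("?", 1)[0]   # query string is not part of the directory check
    path, had_self = normalize_self_dirs(path)
    if had_self:
        alerts.append(SELF_DIR)

    # Walk the directory components, tracking depth relative to the web root.
    # A '..' that takes depth below zero has left the web root; '..' that stays
    # inside the tree (depth >= 0) is deliberately not alerted on.
    depth = 0
    for seg in path.split("/"):
        if seg == "":
            continue
        if seg == "..":
            depth -= 1
            if depth < 0 and WEBROOT not in alerts:
                alerts.append(WEBROOT)
        else:
            depth += 1
            # Simplification: the final segment (usually a file name) is measured too.
            if len(seg) > max_dir_len and OVERSIZE_DIR not in alerts:
                alerts.append(OVERSIZE_DIR)
    return path, alerts


if __name__ == "__main__":
    # Constructed sample URIs, not captured traffic.
    for sample in ("/abc/./xyz", "/images/..%u002f..%u002fprivate.txt",
                   "/safe/../index.html", "/caf%C3%A9/index.html"):
        print(sample, "->", inspect_uri(sample))
```

Decoding %u before standard %XX mirrors the table's statement that %u emulation yields an ASCII value which the rest of the inspection then sees as a literal character; a production decoder would also have to decide how to treat a %u sequence that decodes to a non-ASCII codepoint.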
TCP Decoder

BAD-LENGTH-OPTIONS ATTACK
    This is when a TCP packet is sent where the TCP option length field does not match the option's actual length, or is 0. This may cause some applications to crash.

EXPERIMENTAL-OPTIONS ATTACK
    This is when a TCP packet is sent which contains non-RFC-compliant options. This may cause some applications to crash.

OBSOLETE-OPTIONS ATTACK
    This is when a TCP packet is sent which contains obsolete RFC options.

OVERSIZE-OFFSET ATTACK
    This is when a TCP packet is sent where the TCP data offset is larger than the payload.

TRUNCATED-OPTIONS ATTACK
    This is when a TCP packet is sent which does not have enough data to read its options. This could mean the packet was truncated.

TTCP-DETECTED ATTACK
    T/TCP provides a way of bypassing the standard three-way handshake found in TCP, thus speeding up transactions. However, this could lead to unauthorized access to the system by spoofing connections.

UNDERSIZE-LEN ATTACK
    This is when a TCP packet is sent which has a TCP datagram length of less than 20 bytes. This may cause some applications to crash.

UNDERSIZE-OFFSET ATTACK
    This is when a TCP packet is sent which has a TCP header length of less than 20 bytes. This may cause some applications to crash.

UDP Decoder

OVERSIZE-LEN ATTACK
    This is when a UDP packet is sent which has a UDP length field greater than the actual packet length. This may cause some applications to crash.

TRUNCATED-HEADER ATTACK
    This is when a UDP packet is sent which has a UDP datagram length less than the UDP header length. This may cause some applications to crash.

UNDERSIZE-LEN ATTACK
    This is when a UDP packet is sent which has a UDP length field of less than 8 bytes. This may cause some applications to crash.
Table 140 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)
LABEL DESCRIPTION
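The TCP and UDP decoder rows above are all header-sanity checks, so they can be demonstrated with a small decoder run over constructed byte strings. This is an added example for this guide, not ISG50 code: `check_tcp`, `check_udp`, `build_tcp` and `build_udp` are my own functions, the segments are constructed (ports and sequence numbers are arbitrary), and the option-kind sets are an assumption since the page does not list them. The T/TCP kinds (11, 12, 13) are the CC options of RFC 1644, the "obsolete" set follows the options RFC 6247 moved to historic, and the "experimental" kinds are 253 and 254 from RFC 4727; a real decoder would use the vendor's own lists. The fixed option lengths (MSS 4, window scale 3, SACK-permitted 2, timestamps 10) are the standard ones.

```python
import struct

TCP_MIN_HDR = 20   # UNDERSIZE-LEN / UNDERSIZE-OFFSET threshold from the table
UDP_HDR = 8        # UDP UNDERSIZE-LEN threshold from the table

# Assumed option-kind sets (see lead-in); the ISG50's own lists are not on the page.
TTCP_KINDS = {11, 12, 13}            # CC, CC.NEW, CC.ECHO (T/TCP, RFC 1644)
OBSOLETE_KINDS = {6, 7, 9, 10, 14, 15}
EXPERIMENTAL_KINDS = {253, 254}      # RFC 4727 experimental kinds
FIXED_LEN = {2: 4, 3: 3, 4: 2, 8: 10}  # kind -> required length byte


def _add(alerts, label):
    if label not in alerts:
        alerts.append(label)


def check_tcp(seg):
    """Return the decoder alerts for one TCP segment (header + payload bytes)."""
    alerts = []
    if len(seg) < TCP_MIN_HDR:
        return ["UNDERSIZE-LEN ATTACK"]
    doff = (seg[12] >> 4) * 4            # data offset, in bytes
    if doff < TCP_MIN_HDR:
        return ["UNDERSIZE-OFFSET ATTACK"]
    if doff > len(seg):
        return ["OVERSIZE-OFFSET ATTACK"]  # header claims more bytes than the segment has
    opts = seg[TCP_MIN_HDR:doff]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # End of Option List
            break
        if kind == 1:                    # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(opts):           # kind present, length byte missing
            _add(alerts, "TRUNCATED-OPTIONS ATTACK")
            break
        olen = opts[i + 1]
        if olen < 2 or (kind in FIXED_LEN and olen != FIXED_LEN[kind]):
            _add(alerts, "BAD-LENGTH-OPTIONS ATTACK")  # zero/impossible or wrong for the kind
            break
        if i + olen > len(opts):         # length runs past the end of the options area
            _add(alerts, "TRUNCATED-OPTIONS ATTACK")
            break
        if kind in TTCP_KINDS:
            _add(alerts, "TTCP-DETECTED ATTACK")
        elif kind in OBSOLETE_KINDS:
            _add(alerts, "OBSOLETE-OPTIONS ATTACK")
        elif kind in EXPERIMENTAL_KINDS:
            _add(alerts, "EXPERIMENTAL-OPTIONS ATTACK")
        i += olen
    return alerts


def check_udp(dgram):
    """Return the decoder alerts for one UDP datagram (header + payload bytes)."""
    if len(dgram) < UDP_HDR:
        return ["TRUNCATED-HEADER ATTACK"]   # not enough bytes for the 8-byte header
    length = struct.unpack("!H", dgram[4:6])[0]
    if length < UDP_HDR:
        return ["UNDERSIZE-LEN ATTACK"]      # length field smaller than the header itself
    if length > len(dgram):
        return ["OVERSIZE-LEN ATTACK"]       # length field larger than what was received
    return []


def build_tcp(options=b"", payload=b""):
    """Construct a TCP SYN segment with the given options (padded to 4 bytes)."""
    padded = options + b"\x00" * (-len(options) % 4)
    doff = (TCP_MIN_HDR + len(padded)) // 4
    hdr = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, doff << 4, 0x02, 65535, 0, 0)
    return hdr + padded + payload


def build_udp(payload=b"", length_field=None):
    """Construct a UDP datagram; length_field overrides the correct length if given."""
    length = UDP_HDR + len(payload) if length_field is None else length_field
    return struct.pack("!HHHH", 53, 1024, length, 0) + payload


if __name__ == "__main__":
    print(check_tcp(build_tcp(b"\x02\x04\x05\xb4")))   # normal MSS option
    print(check_tcp(build_tcp(b"\x02\x00")))           # MSS with length 0
    print(check_udp(build_udp(b"abcd", length_field=200)))
```

The TCP walk stops at the first malformed option because once a length byte is untrustworthy the remaining bytes cannot be parsed reliably; the sets for the kind-based rules are checked only on well-formed options for the same reason.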