ZyXEL ISG50-PSTN User Guide - Page 426
Utf-8-encoding Attack
View all ZyXEL ISG50-PSTN manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 426 highlights
Chapter 26 ADP Table 140 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION OVERSIZE-REQUEST-URIDIRECTORY ATTACK This rule takes a non-zero positive integer as an argument. The argument specifies the max character directory length for URL directory. If a URL directory is larger than this argument size, an alert is generated. A good argument value is 300 characters. This should limit the alerts to IDS evasion type attacks, like whisker. SELF-DIRECTORYTRAVERSAL ATTACK This rule normalizes self-referential directories. So, "/abc/./xyz" gets normalized to "/abc/xyz". U-ENCODING ATTACK This rule emulates the IIS %u encoding scheme. The %u encoding scheme starts with a %u followed by 4 characters, like %uXXXX. The XXXX is a hex encoded value that correlates to an IIS unicode codepoint. This is an ASCII value. An ASCII character is encoded like, %u002f = /, %u002e = ., etc. UTF-8-ENCODING ATTACK The UTF-8 decode rule decodes standard UTF-8 unicode sequences that are in the URI. This abides by the unicode standard and only uses % encoding. Apache uses this standard, so for any Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to enforce correct functioning. WEBROOT-DIRECTORYTRAVERSAL ATTACK This is when a directory traversal traverses past the web server root directory. This generates much fewer false positives than the directory option, because it doesn't alert on directory traversals that stay within the web server directory structure. It only alerts when the directory traversals go past the web server root directory, which is associated with certain web attacks. TCP Decoder BAD-LENGTH-OPTIONS ATTACK This is when a TCP packet is sent where the TCP option length field is not the same as what it actually is or is 0. This may cause some applications to crash. EXPERIMENTAL-OPTIONS ATTACK This is when a TCP packet is sent which contains non-RFCcomplaint options. This may cause some applications to crash. OBSOLETE-OPTIONS ATTACK This is when a TCP packet is sent which contains obsolete RFC options. OVERSIZE-OFFSET ATTACK This is when a TCP packet is sent where the TCP data offset is larger than the payload. TRUNCATED-OPTIONS ATTACK This is when a TCP packet is sent which doesn't have enough data to read. This could mean the packet was truncated. TTCP-DETECTED ATTACK T/TCP provides a way of bypassing the standard three-way handshake found in TCP, thus speeding up transactions. However, this could lead to unauthorized access to the system by spoofing connections. UNDERSIZE-LEN ATTACK This is when a TCP packet is sent which has a TCP datagram length of less than 20 bytes. This may cause some applications to crash. UNDERSIZE-OFFSET ATTACK This is when a TCP packet is sent which has a TCP header length of less than 20 bytes.This may cause some applications to crash. UDP Decoder OVERSIZE-LEN ATTACK This is when a UDP packet is sent which has a UDP length field of greater than the actual packet length. This may cause some applications to crash. TRUNCATED-HEADER ATTACK This is when a UDP packet is sent which has a UDP datagram length of less the UDP header length. This may cause some applications to crash. UNDERSIZE-LEN ATTACK This is when a UDP packet is sent which has a UDP length field of less than 8 bytes. This may cause some applications to crash. 426 ISG50 User's Guide