Home » ZyXEL Manuals » Networking » ZyXEL ZyWALL USG 2000 » Manual Viewer

ZyXEL ZyWALL USG 2000 User Guide - Page 614

Table 166

Get ZyXEL ZyWALL USG 2000 PDF manuals and user guides

View all ZyXEL ZyWALL USG 2000 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 614 highlights

Chapter 35 ADP Table 166 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION DOUBLE-ENCODING ATTACK This rule is IIS specific. IIS does two passes through the request URI, doing decodes in each one. In the first pass, IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is done. In the second pass ASCII, bare byte, and %u encodings are done. IIS-BACKSLASHEVASION ATTACK This is an IIS emulation rule that normalizes backslashes to slashes. Therefore, a request-URI of "/abc\xyz" gets normalized to "/abc/xyz". IIS-UNICODECODEPOINT-ENCODING ATTACK This rule can detect attacks which send attack strings containing non-ASCII characters encoded by IIS Unicode. IIS Unicode encoding references the unicode.map file. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server. MULTI-SLASHENCODING ATTACK This rule normalizes multiple slashes in a row, so something like: "abc/////////xyz" get normalized to "abc/xyz". NON-RFC-DEFINEDCHAR ATTACK This rule lets you receive a log or alert if certain non-RFC characters are used in a request URI. For instance, you may want to know if there are NULL bytes in the request-URI. NON-RFC-HTTPDELIMITER ATTACK This is when a newline "\n" character is detected as a delimiter. This is non-standard but is accepted by both Apache and IIS web servers. OVERSIZE-CHUNKENCODING ATTACK This rule is an anomaly detector for abnormally large chunk sizes. This picks up the apache chunk encoding exploits and may also be triggered on HTTP tunneling that uses chunk encoding. OVERSIZE-REQUESTURI-DIRECTORY ATTACK This rule takes a non-zero positive integer as an argument. The argument specifies the max character directory length for URL directory. If a URL directory is larger than this argument size, an alert is generated. A good argument value is 300 characters. This should limit the alerts to IDS evasion type attacks, like whisker. SELF-DIRECTORYTRAVERSAL ATTACK This rule normalizes self-referential directories. So, "/abc/./ xyz" gets normalized to "/abc/xyz". U-ENCODING ATTACK This rule emulates the IIS %u encoding scheme. The %u encoding scheme starts with a %u followed by 4 characters, like %uXXXX. The XXXX is a hex encoded value that correlates to an IIS unicode codepoint. This is an ASCII value. An ASCII character is encoded like, %u002f = /, %u002e = ., etc. UTF-8-ENCODING ATTACK The UTF-8 decode rule decodes standard UTF-8 unicode sequences that are in the URI. This abides by the unicode standard and only uses % encoding. Apache uses this standard, so for any Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to enforce correct functioning. 614 ZyWALL USG 2000 User's Guide

Section	Page
ZyWALL USG 2000	1
About This User's Guide	3
Document Conventions	6
Safety Warnings	8
Contents Overview	9
Table of Contents	11
User’s Guide	31
Introducing the ZyWALL	33
1.1 Overview and Key Default Settings	33
1.2 Rack-mounted Installation	33
1.2.1 Rack-Mounted Installation Procedure	34
1.3 Front Panel	35
1.3.1 Dual Personality Interfaces	35
1.3.2 Maximizing Throughput	39
1.3.3 Front Panel LEDs	39
1.4 Management Overview	40
1.5 Starting and Stopping the ZyWALL	41
Features and Applications	43
2.1 Features	43
2.2 Applications	45
2.2.1 VPN Connectivity	46
2.2.2 SSL VPN Network Access	46
2.2.3 User-Aware Access Control	48
2.2.4 Multiple WAN Interfaces	48
2.2.5 Device HA	49
Web Configurator	51
3.1 Web Configurator Requirements	51
3.2 Web Configurator Access	51
3.3 Web Configurator Screens Overview	53
3.3.1 Title Bar	54
3.3.2 Navigation Panel	54
3.3.3 Main Window	60
3.3.4 Tables and Lists	63
Installation Setup Wizard	67
4.1 Installation Setup Wizard Screens	67
4.1.1 Internet Access Setup - WAN Interface	68
4.1.2 Internet Access: Ethernet	68
4.1.3 Internet Access: PPPoE	70
4.1.4 Internet Access: PPTP	71
4.1.5 ISP Parameters	71
4.1.6 Internet Access Setup - Second WAN Interface	73
4.1.7 Internet Access - Finish	73
4.2 Device Registration	74
Quick Setup	77
5.1 Quick Setup Overview	77
5.2 WAN Interface Quick Setup	78
5.2.1 Choose an Ethernet Interface	78
5.2.2 Select WAN Type	78
5.2.3 Configure WAN Settings	79
5.2.4 WAN and ISP Connection Settings	80
5.2.5 Quick Setup Interface Wizard: Summary	82
5.3 VPN Quick Setup	83
5.4 VPN Setup Wizard: Wizard Type	84
5.5 VPN Express Wizard - Scenario	85
5.5.1 VPN Express Wizard - Configuration	86
5.5.2 VPN Express Wizard - Summary	87
5.5.3 VPN Express Wizard - Finish	88
5.5.4 VPN Advanced Wizard - Scenario	89
5.5.5 VPN Advanced Wizard - Phase 1 Settings	90
5.5.6 VPN Advanced Wizard - Phase 2	92
5.5.7 VPN Advanced Wizard - Summary	93
5.5.8 VPN Advanced Wizard - Finish	94
Configuration Basics	95
6.1 Object-based Configuration	95
6.2 Zones, Interfaces, and Physical Ports	96
6.2.1 Interface Types	97
6.2.2 Default Interface and Zone Configuration	98
6.3 Terminology in the ZyWALL	99
6.4 Packet Flow	100
6.4.1 ZLD 2.20 Packet Flow Enhancements	100
6.4.2 Routing Table Checking Flow Enhancements	101
6.4.3 NAT Table Checking Flow	102
6.5 Feature Configuration Overview	103
6.5.1 Feature	104
6.5.2 Licensing Registration	104
6.5.3 Licensing Update	104
6.5.4 Interface	105
6.5.5 Trunks	105
6.5.6 Policy Routes	105
6.5.7 Static Routes	107
6.5.8 Zones	107
6.5.9 DDNS	107
6.5.10 NAT	107
6.5.11 HTTP Redirect	108
6.5.12 ALG	109
6.5.13 Auth. Policy	109
6.5.14 Firewall	109
6.5.15 IPSec VPN	110
6.5.16 SSL VPN	110
6.5.17 L2TP VPN	111
6.5.18 Application Patrol	111
6.5.19 Anti-Virus	112
6.5.20 IDP	112
6.5.21 ADP	112
6.5.22 Content Filter	112
6.5.23 Anti-Spam	113
6.5.24 Device HA	113
6.6 Objects	114
6.6.1 User/Group	114
6.7 System	115
6.7.1 DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in Mgmt, Vantage CNM	115
6.7.2 Logs and Reports	116
6.7.3 File Manager	116
6.7.4 Diagnostics	116
6.7.5 Shutdown	116
Tutorials	119
7.1 How to Configure Interfaces, Port Grouping, and Zones	119
7.1.1 Configure a WAN Ethernet Interface	120
7.1.2 Configure Zones	120
7.1.3 Configure Port Grouping	121
7.2 How to Configure a Cellular Interface	122
7.3 How to Configure Load Balancing	124
7.3.1 Set Up Available Bandwidth on Ethernet Interfaces	125
7.3.2 Configure the WAN Trunk	126
7.4 How to Set Up an IPSec VPN Tunnel	127
7.4.1 Set Up the VPN Gateway	128
7.4.2 Set Up the VPN Connection	129
7.4.3 Configure Security Policies for the VPN Tunnel	130
7.5 How to Configure a Hub-and-spoke IPSec VPN Without a VPN Concentrator	131
7.6 How to Configure User-aware Access Control	133
7.6.1 Set Up User Accounts	134
7.6.2 Set Up User Groups	134
7.6.3 Set Up User Authentication Using the RADIUS Server	135
7.6.4 Web Surfing Policies With Bandwidth Restrictions	137
7.6.5 Set Up MSN Policies	140
7.6.6 Set Up Firewall Rules	141
7.7 How to Use a RADIUS Server to Authenticate User Accounts based on Groups	142
7.8 How to Use Endpoint Security and Authentication Policies	144
7.8.1 Configure the Endpoint Security Objects	144
7.8.2 Configure the Authentication Policy	146
7.9 How to Configure Service Control	147
7.9.1 Allow HTTPS Administrator Access Only From the LAN	148
7.10 How to Allow Incoming H.323 Peer-to-peer Calls	150
7.10.1 Turn On the ALG	151
7.10.2 Set Up a NAT Policy For H.323	151
7.10.3 Set Up a Firewall Rule For H.323	153
7.11 How to Allow Public Access to a Web Server	154
7.11.1 Create the Address Objects	155
7.11.2 Configure NAT	155
7.11.3 Set Up a Firewall Rule	156
7.12 How to Use an IPPBX on the DMZ	157
7.12.1 Turn On the ALG	159
7.12.2 Create the Address Objects	159
7.12.3 Setup a NAT Policy for the IPPBX	160
7.12.4 Set Up a WAN to DMZ Firewall Rule for SIP	161
7.12.5 Set Up a DMZ to LAN Firewall Rule for SIP	162
7.13 How to Use Multiple Static Public WAN IP Addresses for LAN to WAN Traffic	163
7.13.1 Create the Public IP Address Range Object	163
7.13.2 Configure the Policy Route	164
7.14 How to Use Active-Passive Device HA	164
7.14.1 Before You Start	165
7.14.2 Configure Device HA on the Master ZyWALL	166
7.14.3 Configure the Backup ZyWALL	168
7.14.4 Deploy the Backup ZyWALL	170
7.14.5 Check Your Device HA Setup	170
L2TP VPN Example	171
8.1 L2TP VPN Example	171
8.2 Configuring the Default L2TP VPN Gateway Example	171
8.3 Configuring the Default L2TP VPN Connection Example	173
8.4 Configuring the L2TP VPN Settings Example	174
8.5 Configuring L2TP VPN in Windows Vista, XP, or 2000	175
8.5.1 Configuring L2TP in Windows Vista	175
8.5.2 Configuring L2TP in Windows XP	185
8.5.3 Configuring L2TP in Windows 2000	191
Technical Reference	207
Dashboard	209
9.1 Overview	209
9.1.1 What You Can Do in this Chapter	209
9.2 The Dashboard Screen	209
9.2.1 The CPU Usage Screen	216
9.2.2 The Memory Usage Screen	217
9.2.3 The Session Usage Screen	218
9.2.4 The VPN Status Screen	219
9.2.5 The DHCP Table Screen	219
9.2.6 The Number of Login Users Screen	220
Monitor	223
10.1 Overview	223
10.1.1 What You Can Do in this Chapter	223
10.2 The Port Statistics Screen	224
10.2.1 The Port Statistics Graph Screen	226
10.3 Interface Status Screen	227
10.4 The Traffic Statistics Screen	230
10.5 The Session Monitor Screen	233
10.6 The DDNS Status Screen	236
10.7 IP/MAC Binding Monitor	236
10.8 The Login Users Screen	238
10.9 Cellular Status Screen	239
10.10 Application Patrol Statistics	241
10.10.1 Application Patrol Statistics: General Setup	241
10.10.2 Application Patrol Statistics: Bandwidth Statistics	242
10.10.3 Application Patrol Statistics: Protocol Statistics	243
10.10.4 Application Patrol Statistics: Individual Protocol Statistics by Rule	244
10.11 The IPSec Monitor Screen	245
10.11.1 Regular Expressions in Searching IPSec SAs	247
10.12 The SSL Connection Monitor Screen	248
10.13 L2TP over IPSec Session Monitor Screen	249
10.14 The Anti-Virus Statistics Screen	250
10.15 The IDP Statistics Screen	252
10.16 The Content Filter Statistics Screen	254
10.17 Content Filter Cache Screen	255
10.18 The Anti-Spam Statistics Screen	258
10.19 The Anti-Spam Status Screen	260
10.20 Log Screen	261
Registration	265
11.1 Overview	265
11.1.1 What You Can Do in this Chapter	265
11.1.2 What you Need to Know	265
11.2 The Registration Screen	267
11.3 The Service Screen	269
Signature Update	271
12.1 Overview	271
12.1.1 What You Can Do in this Chapter	271
12.1.2 What you Need to Know	271
12.2 The Antivirus Update Screen	272
12.3 The IDP/AppPatrol Update Screen	273
12.4 The System Protect Update Screen	275
Interfaces	277
13.1 Interface Overview	277
13.1.1 What You Can Do in this Chapter	277
13.1.2 What You Need to Know	278
13.2 Port Grouping	280
13.2.1 Port Grouping Overview	281
13.2.2 Port Grouping Screen	281
13.3 Ethernet Summary Screen	282
13.3.1 Ethernet Edit	284
13.3.2 Object References	291
13.4 PPP Interfaces	292
13.4.1 PPP Interface Summary	293
13.4.2 PPP Interface Add or Edit	295
13.5 Cellular Configuration Screen (3G)	299
13.5.1 Cellular Add/Edit Screen	301
13.6 VLAN Interfaces	308
13.6.1 VLAN Summary Screen	310
13.6.2 VLAN Add/Edit	311
13.7 Bridge Interfaces	318
13.7.1 Bridge Summary	320
13.7.2 Bridge Add/Edit	321
13.8 Auxiliary Interface	327
13.8.1 Auxiliary Interface Overview	327
13.8.2 Auxiliary	327
13.9 Virtual Interfaces	329
13.9.1 Virtual Interfaces Add/Edit	330
13.10 Interface Technical Reference	331
Trunks	337
14.1 Overview	337
14.1.1 What You Can Do in this Chapter	337
14.1.2 What You Need to Know	338
14.2 The Trunk Summary Screen	342
14.3 Configuring a Trunk	343
14.4 Trunk Technical Reference	345
Policy and Static Routes	347
15.1 Policy and Static Routes Overview	347
15.1.1 What You Can Do in this Chapter	347
15.1.2 What You Need to Know	348
15.2 Policy Route Screen	350
15.2.1 Policy Route Edit Screen	353
15.3 IP Static Route Screen	357
15.3.1 Static Route Add/Edit Screen	358
15.4 Policy Routing Technical Reference	359
Routing Protocols	363
16.1 Routing Protocols Overview	363
16.1.1 What You Can Do in this Chapter	363
16.1.2 What You Need to Know	363
16.2 The RIP Screen	364
16.3 The OSPF Screen	365
16.3.1 Configuring the OSPF Screen	369
16.3.2 OSPF Area Add/Edit Screen	372
16.3.3 Virtual Link Add/Edit Screen	373
16.4 Routing Protocol Technical Reference	374
Zones	377
17.1 Zones Overview	377
17.1.1 What You Can Do in this Chapter	377
17.1.2 What You Need to Know	378
17.2 The Zone Screen	379
17.3 Zone Edit	380
DDNS	381
18.1 DDNS Overview	381
18.1.1 What You Can Do in this Chapter	381
18.1.2 What You Need to Know	381
18.2 The DDNS Screen	382
18.2.1 The Dynamic DNS Add/Edit Screen	384
NAT	387
19.1 NAT Overview	387
19.1.1 What You Can Do in this Chapter	387
19.1.2 What You Need to Know	388
19.2 The NAT Screen	388
19.2.1 The NAT Add/Edit Screen	390
19.3 NAT Technical Reference	393
HTTP Redirect	397
20.1 Overview	397
20.1.1 What You Can Do in this Chapter	397
20.1.2 What You Need to Know	398
20.2 The HTTP Redirect Screen	399
20.2.1 The HTTP Redirect Edit Screen	400
ALG	401
21.1 ALG Overview	401
21.1.1 What You Can Do in this Chapter	401
21.1.2 What You Need to Know	402
21.1.3 Before You Begin	405
21.2 The ALG Screen	405
21.3 ALG Technical Reference	407
IP/MAC Binding	409
22.1 IP/MAC Binding Overview	409
22.1.1 What You Can Do in this Chapter	409
22.1.2 What You Need to Know	410
22.2 IP/MAC Binding Summary	410
22.2.1 IP/MAC Binding Edit	411
22.2.2 Static DHCP Edit	412
22.3 IP/MAC Binding Exempt List	413
Authentication Policy	415
23.1 Overview	415
23.1.1 What You Can Do in this Chapter	415
23.1.2 What You Need to Know	416
23.2 Authentication Policy Screen	416
23.2.1 Creating/Editing an Authentication Policy	419
Firewall	423
24.1 Overview	423
24.1.1 What You Can Do in this Chapter	423
24.1.2 What You Need to Know	424
24.1.3 Firewall Rule Example Applications	426
24.1.4 Firewall Rule Configuration Example	429
24.2 The Firewall Screen	431
24.2.1 Configuring the Firewall Screen	432
24.2.2 The Firewall Add/Edit Screen	435
24.3 The Session Limit Screen	436
24.3.1 The Session Limit Add/Edit Screen	438
IPSec VPN	441
25.1 IPSec VPN Overview	441
25.1.1 What You Can Do in this Chapter	441
25.1.2 What You Need to Know	442
25.1.3 Before You Begin	444
25.2 The VPN Connection Screen	444
25.2.1 The VPN Connection Add/Edit (IKE) Screen	446
25.2.2 The VPN Connection Add/Edit Manual Key Screen	453
25.3 The VPN Gateway Screen	456
25.3.1 The VPN Gateway Add/Edit Screen	457
25.4 VPN Concentrator	465
25.4.1 IPSec VPN Concentrator Example	465
25.4.2 VPN Concentrator Screen	468
25.4.3 The VPN Concentrator Add/Edit Screen	468
25.5 IPSec VPN Background Information	469
SSL VPN	481
26.1 Overview	481
26.1.1 What You Can Do in this Chapter	481
26.1.2 What You Need to Know	481
26.2 The SSL Access Privilege Screen	484
26.2.1 The SSL Access Policy Add/Edit Screen	486
26.3 The SSL Global Setting Screen	488
26.3.1 How to Upload a Custom Logo	490
26.4 Establishing an SSL VPN Connection	491
SSL User Screens	493
27.1 Overview	493
27.1.1 What You Need to Know	493
27.2 Remote User Login	494
27.3 The SSL VPN User Screens	499
27.4 Bookmarking the ZyWALL	500
27.5 Logging Out of the SSL VPN User Screens	500
SSL User Application Screens	503
28.1 SSL User Application Screens Overview	503
28.2 The Application Screen	503
SSL User File Sharing	505
29.1 Overview	505
29.1.1 What You Need to Know	505
29.2 The Main File Sharing Screen	506
29.3 Opening a File or Folder	506
29.3.1 Downloading a File	508
29.3.2 Saving a File	509
29.4 Creating a New Folder	509
29.5 Renaming a File or Folder	510
29.6 Deleting a File or Folder	510
29.7 Uploading a File	511
ZyWALL SecuExtender	513
30.1 The ZyWALL SecuExtender Icon	513
30.2 Statistics	514
30.3 View Log	515
30.4 Suspend and Resume the Connection	515
30.5 Stop the Connection	516
30.6 Uninstalling the ZyWALL SecuExtender	516
L2TP VPN	517
31.1 Overview	517
31.1.1 What You Can Do in this Chapter	517
31.1.2 What You Need to Know	517
31.2 L2TP VPN Screen	519
Application Patrol	521
32.1 Overview	521
32.1.1 What You Can Do in this Chapter	521
32.1.2 What You Need to Know	522
32.1.3 Application Patrol Bandwidth Management Examples	527
32.2 Application Patrol General Screen	531
32.3 Application Patrol Applications	532
32.3.1 The Application Patrol Edit Screen	533
32.3.2 The Application Patrol Policy Edit Screen	537
32.4 The Other Applications Screen	540
32.4.1 The Other Applications Add/Edit Screen	543
Anti-Virus	547
33.1 Overview	547
33.1.1 What You Can Do in this Chapter	547
33.1.2 What You Need to Know	548
33.1.3 Before You Begin	550
33.2 Anti-Virus Summary Screen	550
33.2.1 Anti-Virus Policy Add or Edit Screen	553
33.3 Anti-Virus Black List	555
33.4 Anti-Virus Black List or White List Add/Edit	556
33.5 Anti-Virus White List	557
33.6 Signature Searching	558
33.7 Anti-Virus Technical Reference	561
IDP	563
34.1 Overview	563
34.1.1 What You Can Do in this Chapter	563
34.1.2 What You Need To Know	563
34.1.3 Before You Begin	564
34.2 The IDP General Screen	565
34.3 Introducing IDP Profiles	567
34.3.1 Base Profiles	568
34.4 The Profile Summary Screen	569
34.5 Creating New Profiles	570
34.5.1 Procedure To Create a New Profile	570
34.6 Profiles: Packet Inspection	571
34.6.1 Profile > Group View Screen	571
34.6.2 Policy Types	574
34.6.3 IDP Service Groups	575
34.6.4 Profile > Query View Screen	576
34.6.5 Query Example	579
34.7 Introducing IDP Custom Signatures	581
34.7.1 IP Packet Header	581
34.8 Configuring Custom Signatures	582
34.8.1 Creating or Editing a Custom Signature	584
34.8.2 Custom Signature Example	590
34.8.3 Applying Custom Signatures	592
34.8.4 Verifying Custom Signatures	593
34.9 IDP Technical Reference	594
ADP	597
35.1 Overview	597
35.1.1 ADP and IDP Comparison	597
35.1.2 What You Can Do in this Chapter	597
35.1.3 What You Need To Know	597
35.1.4 Before You Begin	598
35.2 The ADP General Screen	599
35.3 The Profile Summary Screen	600
35.3.1 Base Profiles	601
35.3.2 Configuring The ADP Profile Summary Screen	601
35.3.3 Creating New ADP Profiles	602
35.3.4 Traffic Anomaly Profiles	602
35.3.5 Protocol Anomaly Profiles	605
35.3.6 Protocol Anomaly Configuration	605
35.4 ADP Technical Reference	609
Content Filtering	617
36.1 Overview	617
36.1.1 What You Can Do in this Chapter	617
36.1.2 What You Need to Know	617
36.1.3 Before You Begin	619
36.2 Content Filter General Screen	619
36.3 Content Filter Policy Add or Edit Screen	622
36.4 Content Filter Profile Screen	624
36.5 Content Filter Categories Screen	624
36.5.1 Content Filter Blocked and Warning Messages	636
36.6 Content Filter Customization Screen	637
36.7 Content Filter Technical Reference	639
Content Filter Reports	641
37.1 Overview	641
37.2 Viewing Content Filter Reports	641
Anti-Spam	649
38.1 Overview	649
38.1.1 What You Can Do in this Chapter	649
38.1.2 What You Need to Know	649
38.2 Before You Begin	651
38.3 The Anti-Spam General Screen	651
38.3.1 The Anti-Spam Policy Add or Edit Screen	653
38.4 The Anti-Spam Black List Screen	655
38.4.1 The Anti-Spam Black or White List Add/Edit Screen	657
38.4.2 Regular Expressions in Black or White List Entries	658
38.5 The Anti-Spam White List Screen	659
38.6 The DNSBL Screen	660
38.7 Anti-Spam Technical Reference	662
Device HA	667
39.1 Overview	667
39.1.1 What You Can Do in this Chapter	667
39.1.2 What You Need to Know	667
39.1.3 Before You Begin	668
39.2 Device HA General	669
39.3 The Active-Passive Mode Screen	670
39.3.1 Configuring Active-Passive Mode Device HA	672
39.4 Configuring an Active-Passive Mode Monitored Interface	675
39.5 The Legacy Mode Screen	677
39.6 Configuring the Legacy Mode Screen	678
39.7 Device HA Technical Reference	682
User/Group	689
40.1 Overview	689
40.1.1 What You Can Do in this Chapter	689
40.1.2 What You Need To Know	689
40.2 User Summary Screen	692
40.2.1 User Add/Edit Screen	692
40.3 User Group Summary Screen	695
40.3.1 Group Add/Edit Screen	696
40.4 Setting Screen	697
40.4.1 Default User Authentication Timeout Settings Edit Screens	700
40.4.2 User Aware Login Example	702
40.5 User /Group Technical Reference	703
Addresses	705
41.1 Overview	705

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1,000
1,001
1,002
1,003
1,004
1,005
1,006
1,007
1,008
1,009
1,010
1,011
1,012
1,013
1,014
1,015
1,016
1,017
1,018
1,019
1,020
1,021
1,022
1,023
1,024
1,025
1,026
1,027
1,028
1,029
1,030
1,031
1,032
1,033
1,034
1,035
1,036
1,037
1,038
1,039
1,040
1,041
1,042
1,043
1,044
1,045
1,046
1,047
1,048
1,049
1,050
1,051
1,052
1,053
1,054
1,055
1,056
1,057
1,058
1,059
1,060
1,061
1,062
1,063
1,064
1,065
1,066
1,067
1,068
1,069
1,070
1,071
1,072
1,073
1,074
1,075
1,076
1,077
1,078
1,079
1,080
1,081

Match case Limit results 1 per page

Chapter 35 ADP

ZyWALL USG 2000 User’s Guide

614

DOUBLE-ENCODING

ATTACK

This rule is IIS specific. IIS does two passes through the

request URI, doing decodes in each one. In the first pass,

IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is

done. In the second pass ASCII, bare byte, and %u

encodings are done.

IIS-BACKSLASH-

EVASION ATTACK

This is an IIS emulation rule that normalizes backslashes to

slashes. Therefore, a request-URI of “/abc\xyz” gets

normalized to “/abc/xyz”.

IIS-UNICODE-

CODEPOINT-ENCODING

ATTACK

This rule can detect attacks which send attack strings

containing non-ASCII characters encoded by IIS Unicode.

IIS Unicode encoding references the unicode.map file.

Attackers may use this method to bypass system

parameter checks in order to get information or privileges

from a web server.

MULTI-SLASH-

ENCODING ATTACK

This rule normalizes multiple slashes in a row, so something

like: “abc/////////xyz” get normalized to “abc/xyz”.

NON-RFC-DEFINED-

CHAR ATTACK

This rule lets you receive a log or alert if certain non-RFC

characters are used in a request URI. For instance, you may

want to know if there are NULL bytes in the request-URI.

NON-RFC-HTTP-

DELIMITER ATTACK

This is when a newline “\n” character is detected as a

delimiter. This is non-standard but is accepted by both

Apache and IIS web servers.

OVERSIZE-CHUNK-

ENCODING ATTACK

This rule is an anomaly detector for abnormally large chunk

sizes. This picks up the apache chunk encoding exploits and

may also be triggered on HTTP tunneling that uses chunk

encoding.

OVERSIZE-REQUEST-

URI-DIRECTORY ATTACK

This rule takes a non-zero positive integer as an argument.

The argument specifies the max character directory length

for URL directory. If a URL directory is larger than this

argument size, an alert is generated. A good argument

value is 300 characters. This should limit the alerts to IDS

evasion type attacks, like whisker.

SELF-DIRECTORY-

TRAVERSAL ATTACK

This rule normalizes self-referential directories. So, “/abc/./

xyz” gets normalized to “/abc/xyz”.

U-ENCODING ATTACK

This rule emulates the IIS %u encoding scheme. The %u

encoding scheme starts with a %u followed by 4

characters, like %uXXXX. The XXXX is a hex encoded value

that correlates to an IIS unicode codepoint. This is an ASCII

value. An ASCII character is encoded like, %u002f = /,

%u002e = ., etc.

UTF-8-ENCODING

ATTACK

The UTF-8 decode rule decodes standard UTF-8 unicode

sequences that are in the URI. This abides by the unicode

standard and only uses % encoding. Apache uses this

standard, so for any Apache servers, make sure you have

this option turned on. When this rule is enabled, ASCII

decoding is also enabled to enforce correct functioning.

Table 166

HTTP Inspection and TCP/UDP/ICMP Decoders (continued)

LABEL

DESCRIPTION