ZyXEL Communications 200 Series User Manual

Chapter 30 ADP

ZyWALL USG 100/200 Series User’s Guide

528

OVERSIZE-CHUNK-
ENCODING ATTACK

This rule is an anomaly detector for abnormally large chunk sizes.
This picks up the apache chunk encoding exploits and may also be
triggered on HTTP tunneling that uses chunk encoding.

OVERSIZE-REQUEST-URI-
DIRECTORY ATTACK

This rule takes a non-zero positive integer as an argument. The
argument specifies the max character directory length for URL
directory. If a URL directory is larger than this argument size, an
alert is generated. A good argument value is 300 characters. This
should limit the alerts to IDS evasion type attacks, like whisker.

SELF-DIRECTORY-
TRAVERSAL ATTACK

This rule normalizes self-referential directories. So, “/abc/./xyz” gets
normalized to “/abc/xyz”.

U-ENCODING ATTACK

This rule emulates the IIS %u encoding scheme. The %u encoding
scheme starts with a %u followed by 4 characters, like %uXXXX.
The XXXX is a hex encoded value that correlates to an IIS unicode
codepoint. This is an ASCII value. An ASCII character is encoded
like, %u002f = /, %u002e = ., etc.

UTF-8-ENCODING
ATTACK

The UTF-8 decode rule decodes standard UTF-8 unicode
sequences that are in the URI. This abides by the unicode standard
and only uses % encoding. Apache uses this standard, so for any
Apache servers, make sure you have this option turned on. When
this rule is enabled, ASCII decoding is also enabled to enforce
correct functioning.

WEBROOT-DIRECTORY-
TRAVERSAL ATTACK

This is when a directory traversal traverses past the web server root
directory. This generates much fewer false positives than the
directory option, because it doesn’t alert on directory traversals that
stay within the web server directory structure. It only alerts when the
directory traversals go past the web server root directory, which is
associated with certain web attacks.

TCP Decoder

BAD-LENGTH-OPTIONS
ATTACK

This is when a TCP packet is sent where the TCP option length field
is not the same as what it actually is or is 0. This may cause some
applications to crash.

EXPERIMENTAL-OPTIONS
ATTACK

This is when a TCP packet is sent which contains non-RFC-
complaint options. This may cause some applications to crash.

OBSOLETE-OPTIONS
ATTACK

This is when a TCP packet is sent which contains obsolete RFC
options.

OVERSIZE-OFFSET
ATTACK

This is when a TCP packet is sent where the TCP data offset is
larger than the payload.

TRUNCATED-OPTIONS
ATTACK

This is when a TCP packet is sent which doesn’t have enough data
to read. This could mean the packet was truncated.

TTCP-DETECTED ATTACK

T/TCP provides a way of bypassing the standard three-way
handshake found in TCP, thus speeding up transactions. However,
this could lead to unauthorized access to the system by spoofing
connections.

UNDERSIZE-LEN ATTACK

This is when a TCP packet is sent which has a TCP datagram length
of less than 20 bytes. This may cause some applications to crash.

UNDERSIZE-OFFSET
ATTACK

This is when a TCP packet is sent which has a TCP header length of
less than 20 bytes.This may cause some applications to crash.

UDP Decoder

OVERSIZE-LEN ATTACK

This is when a UDP packet is sent which has a UDP length field of
greater than the actual packet length. This may cause some
applications to crash.

Table 170 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)

LABEL

DESCRIPTION