
Server Configuration Options

Important: Some configuration options take an argument of 'yes' or 'no'. This argument specifies only whether the option generates an HTTP Inspect alert; it does not turn the option itself on or off. In other words, whether set to 'yes' or 'no', HTTP normalization will still occur, and rules based on HTTP traffic will still trigger.

36. profile <all|apache|iis|iis5_0|iis4_0>

Users can configure HTTP Inspect by using pre-defined HTTP server profiles. Profiles allow the user to easily configure the preprocessor for a certain type of server, but are not required for proper operation.

There are five profiles available: all, apache, iis, iis5_0, and iis4_0.

35-A. all

The all profile is meant to normalize the URI using most of the common tricks available, and alerts only on the more serious forms of evasion. This is a good profile for detecting all types of attacks, regardless of the HTTP server. profile all sets the configuration options described in Table 2.3.


Table 2.3: Options for the "all" Profile

Option                      Setting
server_flow_depth           300
client_flow_depth           300
post_depth                  0
chunk encoding              alert on chunks larger than 500000 bytes
iis_unicode_map             codepoint map in the global configuration
ASCII decoding              on, alert off
multiple slash              on, alert off
directory normalization     on, alert off
apache whitespace           on, alert off
double decoding             on, alert on
%u decoding                 on, alert on
bare byte decoding          on, alert on
iis unicode codepoints      on, alert on
iis backslash               on, alert off
iis delimiter               on, alert off
webroot                     on, alert on
non_strict URL parsing      on
tab_uri_delimiter           is set
max_header_length           0, header length not checked
max_spaces                  200
max_headers                 0, number of headers not checked

35-B. apache

The apache profile is used for Apache web servers. It differs from the iis profile in that it accepts only standard UTF-8 Unicode encoding and does not treat backslashes as legitimate slashes, as IIS does. Apache also accepts tabs as whitespace. profile apache sets the configuration options described in Table 2.4.


Table 2.4: Options for the apache Profile

Option                      Setting
server_flow_depth           300
client_flow_depth           300
post_depth                  0
chunk encoding              alert on chunks larger than 500000 bytes
ASCII decoding              on, alert off
multiple slash              on, alert off
directory normalization     on, alert off
webroot                     on, alert on
apache whitespace           on, alert on
utf_8 encoding              on, alert off
non_strict URL parsing      on
tab_uri_delimiter           is set
max_header_length           0, header length not checked
max_spaces                  200
max_headers                 0, number of headers not checked

35-C. iis

The iis profile mimics IIS servers, which means it uses the IIS Unicode codemaps for each server, %u encoding, bare-byte encoding, double decoding, backslashes as path separators, and so on. profile iis sets the configuration options described in Table 2.5.


Table 2.5: Options for the iis Profile

Option                      Setting
server_flow_depth           300
client_flow_depth           300
post_depth                  -1
chunk encoding              alert on chunks larger than 500000 bytes
iis_unicode_map             codepoint map in the global configuration
ASCII decoding              on, alert off
multiple slash              on, alert off
directory normalization     on, alert off
webroot                     on, alert on
double decoding             on, alert on
%u decoding                 on, alert on
bare byte decoding          on, alert on
iis unicode codepoints      on, alert on
iis backslash               on, alert off
iis delimiter               on, alert on
apache whitespace           on, alert on
non_strict URL parsing      on
max_header_length           0, header length not checked
max_spaces                  200
max_headers                 0, number of headers not checked

35-D. iis4_0, iis5_0

In IIS 4.0 and IIS 5.0, there was a double decoding vulnerability. These two profiles are identical to iis, except they will alert by default if a URL has a double encoding. Double decode is not supported in IIS 5.1 and beyond, so it's disabled by default.

35-E. default, no profile

The default options used by HTTP Inspect do not use a profile and are described in Table 2.6.


Table 2.6: Default HTTP Inspect Options

Option                      Setting
port                        80
server_flow_depth           300
client_flow_depth           300
post_depth                  -1
chunk encoding              alert on chunks larger than 500000 bytes
ASCII decoding              on, alert off
utf_8 encoding              on, alert off
multiple slash              on, alert off
directory normalization     on, alert off
webroot                     on, alert on
iis backslash               on, alert off
apache whitespace           on, alert off
iis delimiter               on, alert off
non_strict URL parsing      on
max_header_length           0, header length not checked
max_spaces                  200
max_headers                 0, number of headers not checked
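As an added illustration of what the profile tables above mean in practice (this is example code written for this section, not Snort's own implementation), the following simplified model decodes a request URI under the all, apache and iis settings for %u decoding, double decoding and IIS backslash handling, normalizes the path, and reports which of the alert-enabled features fired. The feature subset and the codepage-free %u handling are simplifications assumed by the example.

```python
import re
# Per-profile settings taken from Tables 2.3 to 2.5: feature -> (enabled, alert).
# Simplified illustration written for this section, not Snort's own code.
PROFILES = {
    "all":    {"u_encode": (True, True), "double_decode": (True, True), "iis_backslash": (True, False)},
    "apache": {"u_encode": (False, False), "double_decode": (False, False), "iis_backslash": (False, False)},
    "iis":    {"u_encode": (True, True), "double_decode": (True, True), "iis_backslash": (True, False)},
}

def _decode_once(uri, cfg, alerts):
    """One pass of %XX (ASCII) and %uXXXX decoding, honouring the profile."""
    def repl(m):
        if m.group(1) is not None:                # %uXXXX form (IIS only)
            if not cfg["u_encode"][0]:
                return m.group(0)                 # apache: left encoded
            if cfg["u_encode"][1]:
                alerts.add("%u encoding")
            return chr(int(m.group(1), 16))       # real IIS maps via a codepage
        return chr(int(m.group(2), 16))
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", repl, uri)

def _normalize_path(path, alerts):
    """Collapse repeated slashes and ./.. segments; flag traversal past webroot."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            else:
                alerts.add("webroot traversal")   # tried to climb above /
            continue
        out.append(seg)
    return "/" + "/".join(out)

def normalize_uri(uri, profile):
    """Return (normalized_path, sorted alert names) for a raw request URI."""
    cfg = PROFILES[profile]
    alerts = set()
    decoded = _decode_once(uri, cfg, alerts)
    if cfg["double_decode"][0]:
        again = _decode_once(decoded, cfg, alerts)
        if again != decoded and cfg["double_decode"][1]:
            alerts.add("double decoding")         # a second encoding layer was present
        decoded = again
    if cfg["iis_backslash"][0]:                   # IIS treats \ as a path separator
        decoded = decoded.replace("\\", "/")
    return _normalize_path(decoded, alerts), sorted(alerts)
```

The same constructed URI yields a fully resolved path plus alerts under iis, but stays opaque and alert-free under apache, which is why the right profile per server matters.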

Profiles must be specified as the first server option and cannot be combined with any other options except:

  • ports
  • iis_unicode_map
  • allow_proxy_use
  • server_flow_depth
  • client_flow_depth
  • post_depth
  • no_alerts
  • inspect_uri_only
  • oversize_dir_length
  • normalize_headers
  • normalize_cookies
  • normalize_utf
  • max_header_length
  • max_spaces
  • max_headers
  • extended_response_inspection
  • enable_cookie
  • inspect_gzip
  • unlimited_decompress
  • normalize_javascript
  • max_javascript_whitespaces
  • enable_xff
  • http_methods
  • log_uri
  • log_hostname
  • small_chunk_length

These options must be specified after the profile option.


Eugene Misnik 2013-05-08