

http_encode

The http_encode keyword enables alerting based on the encoding type present in an HTTP client request or an HTTP server response (per the configuration of HttpInspect, see 2.2.6).

There are several keywords associated with http_encode. The keywords 'uri', 'header' and 'cookie' determine the HTTP fields used to search for a particular encoding type. The keywords 'utf8', 'double_encode', 'non_ascii', 'uencode', 'iis_encode', 'ascii' and 'bare_byte' determine the encoding type which would trigger the alert. These keywords can be combined using an OR operation. Negation is allowed on these keywords.

The config option 'normalize_headers' needs to be turned on for rules to work with the keyword 'header'. The keyword 'cookie' is dependent on config options 'enable_cookie' and 'normalize_cookies' (see 2.2.6). This rule option will not be able to detect encodings if the specified HTTP fields are not NORMALIZED.

Option          Description
uri             Check for the specified encoding type in HTTP client request URI field.
header          Check for the specified encoding type in HTTP request or HTTP response header fields (depending on the packet flow)
cookie          Check for the specified encoding type in HTTP request or HTTP response cookie header fields (depending on the packet flow)
utf8            Check for utf8 encoding in the specified buffer
double_encode   Check for double encoding in the specified buffer
non_ascii       Check for non-ASCII encoding in the specified buffer
uencode         Check for u-encoding in the specified buffer
bare_byte       Check for bare byte encoding in the specified buffer
ascii           Check for ascii encoding in the specified buffer
iis_encode      Check for IIS Unicode encoding in the specified buffer
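
The following is an added example, not part of the original manual page: it pairs the HttpInspect settings that http_encode depends on with rules that use each buffer keyword, an OR combination and a negation. The rule syntax follows the Snort 2.x format `http_encode:<buffer>,[!]<encoding type>`; the port list, messages and sids are constructed, and `profile all` is assumed to enable the decoders whose results http_encode reads.

```snort
# snort.conf (Snort 2.x)
# http_encode only sees encodings in fields that HttpInspect has normalized.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    normalize_headers \
    enable_cookie normalize_cookies
# normalize_headers               -> required for the 'header' keyword
# enable_cookie normalize_cookies -> required for the 'cookie' keyword

# local.rules (constructed sids from the local range)

# URI buffer, two encoding types combined with OR: fires if either is present.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL UTF-8 or u-encoding in request URI"; flow:to_server,established; http_encode:uri,utf8|uencode; sid:1000001; rev:1;)

# URI buffer, single type: double encoding is a common filter-evasion sign.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL double encoding in request URI"; flow:to_server,established; http_encode:uri,double_encode; sid:1000002; rev:1;)

# Header buffer: silently never matches if normalize_headers is off.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL non-ASCII encoding in request header"; flow:to_server,established; http_encode:header,non_ascii; sid:1000003; rev:1;)

# Cookie buffer: silently never matches without enable_cookie and normalize_cookies.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL double encoding in request cookie"; flow:to_server,established; http_encode:cookie,double_encode; sid:1000004; rev:1;)

# Negation: fires when the URI carries no UTF-8 encoding.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL request URI without UTF-8 encoding"; flow:to_server,established; http_encode:uri,!utf8; sid:1000005; rev:1;)
```

A 'header' or 'cookie' rule that never fires in testing is more often a missing preprocessor option than a bad rule, so check the http_inspect_server line first.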



Eugene Misnik 2013-05-08