The http_encode keyword will enable alerting based on encoding type present in a HTTP client request or a HTTP server response (per the configuration of HttpInspect 2.2.6).
There are several keywords associated with http_encode. The keywords 'uri', 'header' and 'cookie' determine the HTTP fields used to search for a particular encoding type. The keywords 'utf8', 'double_encode', 'non_ascii', 'uencode', 'iis_encode', 'ascii' and 'bare_byte' determine the encoding type which would trigger the alert. These keywords can be combined using a OR operation. Negation is allowed on these keywords.
The config option 'normalize_headers' needs to be turned on for rules to work with the keyword 'header'. The keyword 'cookie' is dependent on config options 'enable_cookie' and 'normalize_cookies' (see 2.2.6). This rule option will not be able to detect encodings if the specified HTTP fields are not NORMALIZED.
| Option | Description |
| uri | Check for the specified encoding type in HTTP client request URI field. |
| header | Check for the specified encoding type in HTTP request or HTTP response header fields (depending on the packet flow) |
| cookie | Check for the specified encoding type in HTTP request or HTTP response cookie header fields (depending on the packet flow) |
| utf8 | Check for utf8 encoding in the specified buffer |
| double_encode | Check for double encoding in the specified buffer |
| non_ascii | Check for non-ASCII encoding in the specified buffer |
| uencode | Check for u-encoding in the specified buffer |
| bare_byte | Check for bare byte encoding in the specified buffer |
| ascii | Check for ascii encoding in the specified buffer |
| iis_encode | Check for IIS Unicode encoding in the specified buffer |