The http_encode keyword enables alerting based on the encoding type present in an HTTP client request or an HTTP server response (per the configuration of HttpInspect, see 2.2.6).
There are several keywords associated with http_encode. The keywords 'uri', 'header' and 'cookie' determine the HTTP fields used to search for a particular encoding type. The keywords 'utf8', 'double_encode', 'non_ascii', 'uencode', 'iis_encode', 'ascii' and 'bare_byte' determine the encoding type that triggers the alert. The encoding type keywords can be combined using an OR operation, and negation is allowed on them.
The config option 'normalize_headers' needs to be turned on for rules to work with the keyword 'header'. The keyword 'cookie' depends on the config options 'enable_cookie' and 'normalize_cookies' (see 2.2.6). This rule option cannot detect encodings if the specified HTTP fields are not normalized.
| Option | Description |
|---|---|
| uri | Check for the specified encoding type in HTTP client request URI field. |
| header | Check for the specified encoding type in HTTP request or HTTP response header fields (depending on the packet flow) |
| cookie | Check for the specified encoding type in HTTP request or HTTP response cookie header fields (depending on the packet flow) |
| utf8 | Check for UTF-8 encoding in the specified buffer |
| double_encode | Check for double encoding in the specified buffer |
| non_ascii | Check for non-ASCII encoding in the specified buffer |
| uencode | Check for u-encoding in the specified buffer |
| bare_byte | Check for bare byte encoding in the specified buffer |
| ascii | Check for ASCII encoding in the specified buffer |
| iis_encode | Check for IIS Unicode encoding in the specified buffer |
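
The following snort.conf fragment is an added example, not text from this manual page. It pairs the HttpInspect options named above with one rule per HTTP buffer, showing an OR combination and a negation. The sids, messages, port 80 and the use of 'profile all' are constructed assumptions for illustration.

```conf
# snort.conf fragment (Snort 2.x). Added example: sids, msg strings,
# the port and the choice of 'profile all' are constructed assumptions.

# HttpInspect global configuration, as found in a stock snort.conf.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# normalize_headers is required for http_encode:header.
# enable_cookie and normalize_cookies are required for http_encode:cookie.
# Without them the header and cookie rules below never detect an encoding.
preprocessor http_inspect_server: server default \
    profile all ports { 80 } \
    enable_cookie \
    normalize_headers \
    normalize_cookies

# URI buffer, two encoding types combined with OR:
# alerts when the request URI contains UTF-8 encoding or u-encoding.
alert tcp any any -> any 80 (msg:"UTF-8 or u-encoding in request URI"; http_encode:uri,utf8|uencode; sid:1000001; rev:1;)

# Header buffer: depends on normalize_headers above.
alert tcp any any -> any 80 (msg:"Double encoding in HTTP header"; http_encode:header,double_encode; sid:1000002; rev:1;)

# Cookie buffer with negation: matches when the cookie does NOT contain
# UTF-8 encoding. Depends on enable_cookie and normalize_cookies above.
# Shown for syntax; on its own it matches most cookies.
alert tcp any any -> any 80 (msg:"Cookie without UTF-8 encoding"; http_encode:cookie,!utf8; sid:1000003; rev:1;)
```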