Views:

This issue is typically caused by the following:

  • The DPI rule 1008646 - Detect Illegal Characters In URI is enabled.

    1008646 - Detect Illegal Characters In URI

    The protected server is a web server which receives URLs that are violating the rules. With default configuration, this DPI rule will not trigger "Illegal Character in URI".

  • Raw character list is empty in default configuration. User can add the raw characters which are not expected in the protected web server URLS.

    Raw character list is empty

If user has configured raw characters in Specify raw characters that are not allowed in the URI text box, and many DPI events "Illegal Character In URI" appear, follow the procedure below to exclude the raw characters. In most instances, the rules can be modified to prevent the event from appearing.

 

If you are using Deep Security version 8.0 or lower, refer to this KB article for the procedure: Troubleshooting the "Illegal Character in URI" error in Deep Security.

To resolve the issue:

  1. Open the Deep Security Manager console.
  2. Open the IP logs showing the error.
  3. Locate the Payload data.

    The character before the red character is the one that triggered the rule. In the example below, the trigger is the 0xF6 hexadecimal character.

    locate payload data

  1. Open the Deep Security Manager console.
  2. Determine if you will apply the rule to one computer or to a specific security profile, and then do one of the following:
    • To apply the rule to a specific computer:
      1. Open the computer details.
      2. Go to the Intrusion Prevention section in the left-hand panel and then click the Assign/Unassign button.
      3. Double-click the 1008646 - Detect Illegal Characters In URI rule.
    • To apply the rule to a security profile:
      1. Go to Policies tab > Policies.
      2. Right-click the security profile, and then click Details.
      3. Go to the Intrusion Prevention section in the left-hand panel and then click the Assign/Unassign button.
      4. Double-click the 1008646 - Detect Illegal Characters In URI rule.
  3. Go to the Configuration tab and then untick Inherit. This will allow you to configure the rule from the security profile.
  4. Apply the correct changes. In this case, we will allow "0xf6" by removing it from the Specify raw characters that are not allowed in the URI text box.

    Specify raw characters that are not allowed in the URI

  5. Click Save

There are two levels in verifying if the Agent has the configuration.

  1. Verify on the computer level.
    1. Open the Deep Security console.
    2. Go to the Computers tab.
    3. Right-click the computer that has the issue and then click Details.
    4. Go to the Intrusion Prevention section in the left-hand panel and click the Assign/Unassign button.
    5. Double-click the 1008646 - Detect Illegal Characters In URI rule.
    6. Go to the Configuration tab.
    7. Verify if the changes in settings were applied on the computer level. If the new settings were not deployed, you may need to apply the settings directly on the computer level.
  2. Verify on the security profile.
    1. Open the Deep Security console.
    2. Go to Policies tab > Policies.
    3. Open the security profile applied to the computer.
    4. Go to the Intrusion Prevention section in the left-hand panel and click the Assign/Unassign button.
    5. Double-click the 1008646 - Detect Illegal Characters In URI rule.
    6. Go to the Configuration tab to see the configured changes in the security profile.
Keywords: Illegal Character in URI,HTTP Protocol Decoding,HTTP Decoding,DPI,URI Normalization,deep packet inspection rules,disallowed raw characters,1000128 HTTP Decoding rule,troubleshoot URI issue