By default, Deep Security considers the following characters illegal according to RFC 2396 and RFC 3986:

| Decimal | Hex | Character |
|---|---|---|
| 000 | 00 | NUL (Null character) |
| 001 | 01 | SOH (Start of Header) |
| 002 | 02 | STX (Start of Text) |
| 003 | 03 | ETX (End of Text) |
| 004 | 04 | EOT (End of Transmission) |
| 009 | 09 | HT (Horizontal Tab) |
| 010 | 0A | LF (Line Feed) |
| 011 | 0B | VT (Vertical Tab) |
| 012 | 0C | FF (Form Feed) |
| 013 | 0D | CR (Carriage Return) |
| 014 | 0E | SO (Shift Out) |
| 015 | 0F | SI (Shift In) |
| 016 | 10 | DLE (Data Link Escape) |
| 017 | 11 | DC1 (XON) (Device Control 1) |
| 018 | 12 | DC2 (Device Control 2) |
| 019 | 13 | DC3 (XOFF) (Device Control 3) |
| 020 | 14 | DC4 (Device Control 4) |
| 021 | 15 | NAK (Negative Acknowledgement) |
| 022 | 16 | SYN (Synchronous Idle) |
| 023 | 17 | ETB (End of Trans. Block) |
| 025 | 19 | EM (End of Medium) |
| 028 | 1C | FS (File Separator) |
| 029 | 1D | GS (Group Separator) |
| 030 | 1E | RS (Request to Send) (Record Separator) |
| 031 | 1F | US (Unit Separator) |
| >127 | >7F | Extended ASCII Characters |

Today, many web applications may use some of the illegal characters listed above in URL requests. If you see an illegal character in the URI events in your DPI event logs, you may need to modify the Deep Security Agent (DSA) configuration to allow certain characters.
To allow characters from Hex 00 to Hex 7F, you need to configure the HTTP Protocol Decoding IPS filter by doing the following:
- Open the properties of the filter and then click the Configuration tab.
- Tick the Use a custom list of characters disallowed in a URI check box.
  You will see the characters listed in the Raw section (not URI encoded); these are the characters not allowed in all parts of the URI.
- Remove the characters that you would like to exempt from the illegal character list.
- Click OK to close the filter properties window.
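
Before removing characters from the list, it helps to know which of the default-disallowed bytes your application's URIs actually contain, so that only those are exempted. The following is an added example, not Deep Security code: it checks raw request URIs against the table above and tallies the offending byte values. The function names and sample URIs are constructed for illustration, and the script assumes bytes are inspected as sent, without percent-decoding.

```python
from collections import Counter

# Default disallowed bytes exactly as listed in the table above
# (decimal 0-4, 9-23, 25, 28-31, and everything above 127).
DEFAULT_DISALLOWED = frozenset(
    [*range(0, 5), *range(9, 24), 25, *range(28, 32), *range(128, 256)]
)


def find_disallowed(raw_uri: bytes, allowed_exceptions=frozenset()):
    """Return (offset, byte value) for each disallowed byte in a raw URI.

    Bytes are checked as they appear in the request; percent-encoded
    sequences such as %0A are not decoded (assumption of this example).
    """
    blocked = DEFAULT_DISALLOWED - frozenset(allowed_exceptions)
    return [(i, b) for i, b in enumerate(raw_uri) if b in blocked]


def tally(raw_uris, allowed_exceptions=frozenset()):
    """Count how many URIs contain each disallowed byte value."""
    counts = Counter()
    for uri in raw_uris:
        # A set, so a byte repeated within one URI is counted once.
        counts.update({b for _, b in find_disallowed(uri, allowed_exceptions)})
    return counts


# Constructed sample request URIs (not taken from real logs).
SAMPLE_URIS = [
    b"/search?q=caf\xc3\xa9",         # UTF-8 bytes 0xC3 0xA9 (> 0x7F)
    b"/report?cols=a\tb",             # raw horizontal tab (0x09)
    b"/index.html",                   # nothing disallowed
    b"/api/items?name=na\xc3\xafve",  # UTF-8 bytes 0xC3 0xAF (> 0x7F)
]

if __name__ == "__main__":
    for value, hits in sorted(tally(SAMPLE_URIS).items()):
        print(f"0x{value:02X} (dec {value:03d}): seen in {hits} URI(s)")
```

Passing a set such as `{0x09}` as `allowed_exceptions` shows what would still be flagged after that character is removed from the custom list.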