Troubleshooting the “Illegal Character in URI” error in Deep Security

    • Updated:
    • 17 Feb 2015
    • Product/Version:
    • Deep Security 8.0
    • Platform:
    • Linux - Red Hat RHEL 4 32-bit
    • Linux - Red Hat RHEL 4 64-bit
    • Linux - Red Hat RHEL 5 32-bit
    • Linux - Red Hat RHEL 5 64-bit
    • Linux - Red Hat RHEL 6 32-bit
    • Linux - Red Hat RHEL 6 64-bit
    • Linux - SuSE 10
    • Linux - SuSE 11
    • Ubuntu 10.04 32-bit
    • Ubuntu 10.04 64-bit
    • Ubuntu 10.1 32-bit
    • Ubuntu 10.1 64-bit
    • Ubuntu 11.04 32-bit
    • Ubuntu 11.04 64-bit
    • Ubuntu 9.1 32-bit
    • Ubuntu 9.1 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Standard
    • Windows 2003 Standard 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Server R2
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Professional
    • Windows XP Professional 64-bit
Summary

Use this guide if you encounter an "Illegal Character in URI" error in the Deep Security logs.

Details

This issue is typically caused by the following:

  • The DPI rule 1000128 - HTTP Protocol Decoding is enabled.


  • The protected server is a web server which receives URLs that violate the rules.

In most instances, the rules can be modified so that “Illegal Character in URI” will stop appearing. 

 
If you are using Deep Security 9.0, refer to this KB article for the procedure: "Illegal character in URI" appears in Deep Security 9.0.

To resolve the issue:

  1. Open the Deep Security Manager (DSM) console.
  2. Open the DPI logs showing the error.
  3. Locate the Payload data.

    The character before the red character is the one that triggered the rule. In the example below, the trigger is the 0xF6 hexadecimal character.


  1. Open the DSM console.
  2. Determine if you will apply the rule to one computer, to a specific security profile, or globally, and then do one of the following:
    • To apply the rule to a specific computer:
      1. Open the computer and then right-click the 1000128 – HTTP Decoding rule.
      2. Select Properties (For This Computer).
    • To apply the rule to a security profile:
      1. Open the security profile, and then right-click the 1000128 – HTTP Decoding rule.
      2. Select Properties (For This Security Profile).
    • To apply the rule globally:
      1. From the main console, go to Deep Packet Inspection > DPI Rules > Web Application Protection on the left panel.
      2. Double-click the 1000128 – HTTP Decoding rule.
  3. Go to the Configuration tab and then untick Inherit. This will allow you to configure the rule from the security profile.
  4. Apply the correct changes. In this case, we will allow “0xf6” by doing either of the following:
    • Select the Allow raw character range 0x0-0x20 and 0x7f-0xFF in a URI check box. This permits every raw character in those ranges, not only “0xf6”.
    • Select the Use a custom list of characters disallowed in a URI option, and then remove “0xf6” from the Specify all raw characters that are not allowed in a URI text box. This permits only the character you remove.


  5. Click Save.
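
To choose between the two options in step 4 on evidence, the added example below (not Trend Micro code) scans request lines for raw bytes in the 0x0-0x20 and 0x7f-0xFF ranges and tallies them, so that only characters the web application actually receives need to be removed from the custom list. The sample request lines are constructed, and the function names are this example's own.

```python
from collections import Counter

# Raw byte ranges named in the rule option
# "Allow raw character range 0x0-0x20 and 0x7f-0xFF in a URI".
RAW_RANGES = ((0x00, 0x20), (0x7F, 0xFF))

# Constructed sample request lines (not taken from a real log).
SAMPLE_LINES = [
    b"GET /index.html HTTP/1.1",
    b"GET /k\xf6ln/hotels HTTP/1.1",                 # raw 0xF6 (Latin-1 o-umlaut)
    b"GET /search?q=m\xfcnchen&c=k\xf6ln HTTP/1.1",  # raw 0xFC and 0xF6
    b"GET /k%F6ln HTTP/1.1",                         # percent-encoded: ASCII only
    b"GET /my file.txt HTTP/1.1",                    # raw space (0x20) in the URI
]

def in_raw_ranges(byte: int) -> bool:
    """True if the byte falls in one of the two raw ranges above."""
    return any(lo <= byte <= hi for lo, hi in RAW_RANGES)

def request_uri(line: bytes) -> bytes:
    """Return the URI from 'METHOD URI HTTP/x.y', keeping raw spaces in the URI."""
    _method, rest = line.split(b" ", 1)
    uri, _version = rest.rsplit(b" ", 1)
    return uri

def first_illegal(uri: bytes):
    """Return (offset, byte) of the first raw byte in the ranges, else None."""
    for offset, byte in enumerate(uri):
        if in_raw_ranges(byte):
            return offset, byte
    return None

def tally(lines) -> dict:
    """Count every raw in-range byte seen across the URIs of all lines."""
    counts = Counter()
    for line in lines:
        counts.update(b for b in request_uri(line) if in_raw_ranges(b))
    return dict(counts)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        hit = first_illegal(request_uri(line))
        if hit:
            print(f"{line!r}: first raw byte 0x{hit[1]:02x} at URI offset {hit[0]}")
    for byte, n in sorted(tally(SAMPLE_LINES).items()):
        print(f"0x{byte:02x} seen {n} time(s)")
```

The scan looks at raw bytes only, so a percent-encoded sequence such as %F6 is three ASCII characters and is not counted.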

You can verify at three levels whether the Agent has the configuration.

  1. Verify on the computer level.
    1. Open the Deep Security console.
    2. Go to Computers on the left panel.
    3. Right-click the computer that has the issue and then click Properties.
    4. Go to Deep Packet Inspection > DPI Rules > Web Application Protection on the left panel.
    5. Double-click the 1000128 – HTTP Decoding rule.
    6. Go to the Configuration tab.
    7. Verify that the changed settings were applied on the computer level. If the new settings were not deployed, you may need to apply the settings directly on the computer level.
  2. Verify on the security profile.
    1. Open the Deep Security console.
    2. Go to Security Profiles on the left panel.
    3. Open the security profile applied to the computer.
    4. Go to Deep Packet Inspection > DPI Rules > Web Application Protection on the left panel.
    5. Double-click the 1000128 – HTTP Decoding rule.
    6. Go to the Configuration tab to see the configured changes in the security profile.
  3. Verify on the global level (if the DPI rule was modified on the global level).
    1. Open the Deep Security console.
    2. Go to Deep Packet Inspection > DPI Rules > Web Application Protection on the left panel.
    3. Double-click the 1000128 – HTTP Decoding rule to see the new settings.
Category:
Configure; Troubleshoot
Solution Id:
1096566