Use this guide if you encounter an "Illegal Character in URI" error in the Deep Security logs.
This issue is typically caused by the following:
- The DPI rule 1000128 - HTTP Protocol Decoding is enabled.
- The protected server is a web server which receives URLs that violate the rules.
In most instances, the rules can be modified so that “Illegal Character in URI” will stop appearing.
To resolve the issue:
- Open the Deep Security Manager (DSM) console.
- Open the DPI logs showing the error.
- Locate the Payload data.
The character before the red character is the one that triggered the rule. In the example below, the trigger is the 0xF6 hexadecimal character.
- Open the DSM console.
- Determine if you will apply the rule to one computer, to a specific security profile, or globally, and then do one of the following:
- To apply the rule to a specific computer:
- Open the computer and then right-click the 1000128 – HTTP Decoding rule.
- Select Properties (For This Computer).
- To apply the rule to a security profile:
- Open the security profile, and then right-click the 1000128 – HTTP Decoding rule.
- Select Properties (For This Security Profile).
- To apply the rule globally:
- From the main console, go to Deep Packet Inspection > DPI Rules > Web Application Protection on the left panel.
- Double-click the 1000128 – HTTP Decoding rule.
- To apply the rule to a specific computer:
- Go to the Configuration tab and then untick Inherit. This will allow you to configure the rule from the security profile.
- Apply the correct changes. In this case, we will allow “0xf6” by doing either of the following:
- Select the Allow raw character range 0x0-0x20 and 0x7f-0xFF in a URI check box.
- Select the Use a custom list of characters disallowed in a URI, and then remove “0xf6” from the Specify all raw characters that are not allowed in a URI text box.
- Click Save.
There are three levels in verifying if the Agent has the configuration.
- Verify on the computer level.
- Open the Deep Security console.
- Go to Computers on the left panel.
- Right-click the computer that has the issue and then click Properties.
- Go to Deep Packet Inspection > DPI Rules > Web Application Protection on the left panel.
- Double-click the 1000128 – HTTP Decoding rule.
- Go to the Configuration tab.
- Verify if the change in settings were applied on the computer level. If the new settings were not deployed, you may need to apply the settings directly on the computer level.
- Verify on the security profile.
- Open the Deep Security console.
- Go to Security Profiles on the left panel.
- Open the security profile applied to the computer.
- Go to Deep Packet Inspection > DPI Rules > Web Application Protection on the left panel.
- Double-click the 1000128 – HTTP Decoding rule.
- Go to the Configuration tab to see the configured changes in the security profile.
- Verify on the global level (if the DPI rule was modified on the global level).
- Open the Deep Security console.
- Go to Deep Packet Inspection > DPI Rules > Web Application Protection on the left panel.
- Double-click the 1000128 – HTTP Decoding rule to see the new settings.