Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

HTTP protocol decoding in Deep Security

    • Updated:
    • 11 Sep 2015
    • Product/Version:
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • Platform:
    • N/A N/A
Summary

The HTTP Protocol Decoder DPI rule services two main functions:

  • It contains the logic to decode incoming HTTP requests into the proper pieces required to perform DPI.
  • It contains the configuration options to use when the DPI engine is performing URI normalization (i.e. ensuring proper URI encoding is used, detecting evasion attempts, etc.).

Learn all about the HTTP Protocol Decoder and its different configuration options.

Details
Public

While the protocol decoding itself requires no configuration by the Administrator, understanding that the decoding done by this rule is essential for other DPI rules to function. You may notice that when you assign other DPI rules to protect your web server itself (i.e. Web Server IIS or Web Server Apache rules) that Deep Security will inform you that this rule is a required dependency. This is basically informing you that proper decoding of the HTTP protocol is required for that rule to be able to protect your system. Also, if you are using the Recommendation Engine to assign your DPI rules, you will notice that this rule is recommended on all systems where a web server is detected.

The URI normalization control portion of the HTTP Protocol Decoder is the tricky part that requires the most tuning. The easiest way to understand the URI normalization performed by the DPI engine is to describe the configuration options available in this rule.

This setting instructs the DPI engine to apply the same URI Normalization function that it would on the URI parameters of a GET request, to an HTTP POST body. The default setting for this option is enabled and does not typically cause false positives for most web applications.

This setting instructs the DPI engine to assume that the HTTP POST body is URI form encoded (application/form-urlencoded) in the instance where a Content-Type HTTP header has not been included in the HTTP request. The default setting for this option is enabled and does not typically cause false positives for most web applications.

This setting allows an Administrator to disable URI Normalization on the HTTP POST body for specific URLs.

Percent encoding is used to encode certain reserved characters in a URI. An example of percent encoding is when the reserved character ‘[’ is encoded as %5B. As some IDS/IPS devices had signatures to detect these percent-encoded characters, attackers discovered they could evade detection by double encoding the character. This was done by percent encoding the ‘%’ character, resulting in %25, in addition to the character itself. If you take a look at our previous example of encoding the ‘[’ character, when double-encoded the encoded value becomes %255B. In order to prevent this evasion attempt, Deep Security will block double-encoded data when this option is enable. The default setting for this option is enabled. Some web client browsers and applications will occasionally double-encode legitimate data, causing false positives with your web application. If you see numerous “Double Decoding Exploit” DPI Events in your logs, it could indicate false positives with this setting. You should examine the data portion of the DPI Events to determine if the data looks like an attempt to evade detection or if it is simply a web client that is sending double-encoded data. If the latter is true, you may need to disable this configuration setting for the computer hosting this application.

When percent encoding is used, it is in the form of a percent sign followed by two hex bytes that represent the character. When enabled, this setting will block any data this doesn’t appear to be correctly encoded. For example, if the string %2x is identified in the stream being inspected it would be blocked and an “Invalid Hex Encoding” event would be generated as 2x are not two valid hex bytes. If the web client browser or application intended to send the string %2x it would have been sent properly encoded as %252x. The default setting for this option is enabled and doesn’t typically cause false positives with most web applications.

This setting simply tells Deep Security to log the full packet data information when generating an event due to URI Normalization. For example, with this setting enabled, when double encoding was detected in an HTTP request, Deep Security would log the packet in which this was detected and attach it to the DPI Event for analysis. The default setting for this option is enabled due to the fact that it can be very challenging to investigate potential false positives in URI Normalization with this option disabled. Only when you are confident that you have properly tuned your URI Normalization options for you web application should you disable this setting. The only downside to leaving this option enabled is that there will be a slight increase (1500 bytes maximum) in the amount of space required in the database to log a URI Normalization event.

This setting allows you to choose which encoding type is in use on your web server. The choices are Latin-1 (i.e. %E8) or UTF-8 (i.e. %C3%AD). The default option for this is UTF-8. There is a possibility that your web server will use Latin-1 encoding. If you see many events with the reason “Incomplete UTF8 Sequence” and the encoding type appears to be a valid percent encoding (i.e. %E6) then you should switch your encoding type to be Latin-1 for this Computer or Security Profile.

This is one of the most confusing configuration settings. By default, URI normalization will block all characters that are not percent encoded in the range 0×00-0×20 and 0×7F-0xFF. By enabling this option, you can instruct the DPI engine to allow characters in these ranges. However, in order to actually allow the characters, you need to also check off the next option “Use a custom list of characters disallowed in a URI”.

This setting goes hand in hand with the setting above. In fact, both of these settings must be enabled for this functionality to work as expected. It allows you to specify a custom list of raw characters that will be blocked. The default list of disallowed characters was chosen based on RFC 3986. However, based on experience, there are many web client browsers and applications that do not percent encode some of these characters. If you see many “Illegal Character in URI” events in your DPI events, this could indicate that users of your application may not be percent encoding all of these characters and you will need to enable these options to remove the necessary characters. For example, if you are seeing “Illegal Character in URI” events for 0×20, you will need to enable this configuration setting and modify the list of illegal characters to something like “0×00-0×1F,[,],,|,\,^,`,0×7f-0xff”.

HTTP Protocol Decoding has, by far, the most challenging set of configurable options for any rule within Deep Security. So if you do not plan on using Deep Security to protect your web applications, but require it as a dependency for rules that protect your web server, we recommend that you modify your HTTP Protocol Decoding configuration in this way:

  1. Disable the Use URI Normalization in body of HTTP POST option.
  2. Disable the Block double URI encoded data option.
  3. Enable the Allow raw character range option.
  4. Enable the Use a custom list of characters disallowed in a URI option.
  5. Clear out the list of raw characters not allowed in a URI.

It is important to note that making these changes will reduce the protection provided by the product but only in the area of web application protection. The HTTP protocol will still be decoded properly and other vulnerability and exploit rules specific to your web server will function normally.

Premium
Internal
Rating:
Category:
Configure
Solution Id:
1098016
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.