"Illegal character in URI" appears in Deep Security

    • Updated: 25 May 2018
    • Product/Version: Deep Security 10.0, Deep Security 11.0, Deep Security 9.6
    • Platform:
    • Linux - Red Hat RHEL 4 32-bit
    • Linux - Red Hat RHEL 4 64-bit
    • Linux - Red Hat RHEL 5 32-bit
    • Linux - Red Hat RHEL 5 64-bit
    • Linux - Red Hat RHEL 6 32-bit
    • Linux - Red Hat RHEL 6 64-bit
    • Linux - SuSE 10
    • Linux - SuSE 11
    • Ubuntu 10.04 32-bit
    • Ubuntu 10.04 64-bit
    • Ubuntu 10.1 32-bit
    • Ubuntu 10.1 64-bit
    • Ubuntu 11.04 32-bit
    • Ubuntu 11.04 64-bit
    • Ubuntu 12.04 64-bit
    • Ubuntu 9.1 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Standard
    • Windows 2003 Standard 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Server R2
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows XP Professional
    • Windows XP Professional 64-bit
Summary

The event "Illegal Character in URI" appears in the Deep Security logs.

Details

This issue is typically caused by the following:

  • The DPI rule 1008646 - Detect Illegal Characters In URI is enabled.

    [Screenshot: 1008646 - Detect Illegal Characters In URI]

    The protected server is a web server that receives URLs that violate the rule. With the default configuration, this DPI rule does not trigger "Illegal Character in URI".

  • The raw character list is empty in the default configuration. The user can add raw characters that are not expected in the protected web server's URLs.

    [Screenshot: Raw character list is empty]

If the user has configured raw characters in the "Specify raw characters that are not allowed in the URI" text box and many "Illegal Character In URI" DPI events appear, follow the procedure below to exclude the raw characters. In most instances, the rules can be modified to prevent the event from appearing.

If you are using Deep Security version 8.0 or lower, refer to this KB article for the procedure: Troubleshooting the "Illegal Character in URI" error in Deep Security.

To resolve the issue:

  1. Open the Deep Security Manager console.
  2. Open the IP logs showing the error.
  3. Locate the Payload data.

    The character before the red character is the one that triggered the rule. In the example below, the trigger is the 0xF6 hexadecimal character.

    [Screenshot: locating the payload data]

  1. Open the Deep Security Manager console.
  2. Determine if you will apply the rule to one computer or to a specific security profile, and then do one of the following:
    • To apply the rule to a specific computer:
      1. Open the computer details.
      2. Go to the Intrusion Prevention section in the left-hand panel and then click the Assign/Unassign button.
      3. Double-click the 1008646 - Detect Illegal Characters In URI rule.
    • To apply the rule to a security profile:
      1. Go to Policies tab > Policies.
      2. Right-click the security profile, and then click Details.
      3. Go to the Intrusion Prevention section in the left-hand panel and then click the Assign/Unassign button.
      4. Double-click the 1008646 - Detect Illegal Characters In URI rule.
  3. Go to the Configuration tab and then untick Inherit. This will allow you to configure the rule from the security profile.
  4. Apply the correct changes. In this case, we will allow "0xf6" by removing it from the Specify raw characters that are not allowed in the URI text box.

    [Screenshot: Specify raw characters that are not allowed in the URI]

  5. Click Save.
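
To decide which raw characters to take out of the list, it helps to know which of them actually occur in requests to the protected server. The following Python script is an added example, not Trend Micro code and not part of the original article: it scans request lines for the raw bytes you have listed and reports the byte value and its offset in the URI, as in the 0xF6 case above. The byte set, the sample request lines and the function names are assumptions, and the script does not reproduce the rule's own matching logic.

```python
from collections import Counter

# Assumption: byte values entered in the rule's raw-character list.
DISALLOWED = {0xF6, 0x7C}

# Constructed sample request lines as raw bytes (not real traffic).
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1",
    b"GET /suche?q=sch\xf6n HTTP/1.1",   # raw 0xF6 byte in the query
    b"GET /suche?q=sch%F6n HTTP/1.1",    # percent-encoded, no raw 0xF6 byte
    b"GET /files/a|b.txt HTTP/1.1",      # raw 0x7C byte in the path
    b"GET /produkte/k\xf6ln HTTP/1.1",   # raw 0xF6 byte in the path
]


def extract_uri(request_line: bytes) -> bytes:
    """Return the request target: the bytes between the method and the version."""
    _method, _, rest = request_line.partition(b" ")
    target, sep, version = rest.rpartition(b" ")
    # Without a trailing "HTTP/x.y" token, treat the whole remainder as the target.
    if not sep or not version.startswith(b"HTTP/"):
        return rest
    return target


def find_hits(request_line: bytes, disallowed=DISALLOWED):
    """List (offset, byte value) for every listed raw byte found in the URI."""
    uri = extract_uri(request_line)
    return [(i, b) for i, b in enumerate(uri) if b in disallowed]


def tally(requests, disallowed=DISALLOWED) -> Counter:
    """Count how many requests contain each listed byte, to guide tuning."""
    counts = Counter()
    for line in requests:
        # Count each byte value once per request, however often it repeats.
        for value in {b for _, b in find_hits(line, disallowed)}:
            counts[value] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        for offset, value in find_hits(line):
            print(f"{line!r}: 0x{value:02X} at URI offset {offset}")
    for value, n in tally(SAMPLE_REQUESTS).most_common():
        print(f"0x{value:02X} present in {n} request(s)")
```

A byte that shows up in many legitimate requests is a candidate for removal from the list; one that never appears in normal traffic can usually stay.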

You can verify that the Agent has the configuration at two levels.

  1. Verify on the computer level.
    1. Open the Deep Security console.
    2. Go to the Computers tab.
    3. Right-click the computer that has the issue and then click Details.
    4. Go to the Intrusion Prevention section in the left-hand panel and click the Assign/Unassign button.
    5. Double-click the 1008646 - Detect Illegal Characters In URI rule.
    6. Go to the Configuration tab.
    7. Verify if the changes in settings were applied on the computer level. If the new settings were not deployed, you may need to apply the settings directly on the computer level.
  2. Verify on the security profile.
    1. Open the Deep Security console.
    2. Go to Policies tab > Policies.
    3. Open the security profile applied to the computer.
    4. Go to the Intrusion Prevention section in the left-hand panel and click the Assign/Unassign button.
    5. Double-click the 1008646 - Detect Illegal Characters In URI rule.
    6. Go to the Configuration tab to see the configured changes in the security profile.
Category: Troubleshoot
Solution Id: 1098570