Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

"Illegal character in URI" appears in Deep Security

    • Updated:
    • 4 Nov 2015
    • Product/Version:
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • Platform:
    • Linux - Red Hat RHEL 4 32-bit
    • Linux - Red Hat RHEL 4 64-bit
    • Linux - Red Hat RHEL 5 32-bit
    • Linux - Red Hat RHEL 5 64-bit
    • Linux - Red Hat RHEL 6 32-bit
    • Linux - Red Hat RHEL 6 64-bit
    • Linux - SuSE 10
    • Linux - SuSE 11
    • Ubuntu 10.04 32-bit
    • Ubuntu 10.04 64-bit
    • Ubuntu 10.1 32-bit
    • Ubuntu 10.1 64-bit
    • Ubuntu 11.04 32-bit
    • Ubuntu 11.04 64-bit
    • Ubuntu 12.04 64-bit
    • Ubuntu 9.1 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Standard
    • Windows 2003 Standard 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Server R2
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows XP Professional
    • Windows XP Professional 64-bit
Summary

The error "Illegal Character in URI" appears in the Deep Security logs.

Details
Public

This issue is typically caused by the following:

  • The DPI rule 1000128 - HTTP Protocol Decoding is enabled.

    Enable DPI rule 1000128 - HTTP Decoding

  • The protected server is a web server which receives URLs that are violating the rules.

In most instances, the rules can be modified so that "Illegal Character in URI" will stop appearing.

 

If you are using Deep Security version 8.0 or lower, refer to this KB article for the procedure: Troubleshooting the "Illegal Character in URI" error in Deep Security.

To resolve the issue:

  1. Open the Deep Security Manager (DSM) console.
  2. Open the IP logs showing the error.
  3. Locate the Payload data.

    The character before the red character is the one that triggered the rule. In the example below, the trigger is the 0xF6 hexadecimal character.

    locate payload data

  1. Open the DSM console.
  2. Determine if you will apply the rule to one computer or to a specific security profile, and then do one of the following:
    • To apply the rule to a specific computer:
      1. Open the computer details. 
      2. Go to the Intrusion Prevention section in the left-hand panel and then click the Assign/Unassign button.

      3. Double-click the 1000128 – HTTP Decoding rule.
    • To apply the rule to a security profile:
      1. Go to Policies tab > Policies.
      2. Right-click the security profile, and then click Details.
      3. Go to the Intrusion Prevention section in the left-hand panel and then click the Assign/Unassign button.
      4. Double-click the 1000128 – HTTP Decoding rule.
  3. Go to the Configuration tab and then untick Inherit. This will allow you to configure the rule from the security profile.
  4. Apply the correct changes.  In this case, we will allow “0xf6” by doing either of the following:
    • Select the Allow raw character range 0x0-0x20 and 0x7f-0xFF in a URI checkbox.
    • Select the Use a custom list of characters disallowed in a URI, and then remove “0xf6” from the Specify all raw characters that are not allowed in a URI text box. 

      specify all raw characters that are not allowed in a URI

  5. Click Save

There are two levels in verifying if the Agent has the configuration.

  1. Verify on the computer level.
    1. Open the Deep Security console.
    2. Go to the Computers tab.
    3. Right-click the computer that has the issue and then click Details.
    4. Go to the Intrusion Prevention section in the left-hand panel and click the Assign/Unassign button.

    5. Double-click the 1000128 – HTTP Decoding rule.
    6. Go to the Configuration tab.
    7. Verify if the changes in settings were applied on the computer level.  If the new settings were not deployed, you may need to apply the settings directly on the computer level.
  2. Verify on the security profile.
    1. Open the Deep Security console.
    2. Go to Policies Tab > Policies.
    3. Open the security profile applied to the computer.
    4. Go to the Intrusion Prevention section in the left-hand panel and click the Assign/Unassign button.
    5. Double-click the 1000128 – HTTP Decoding rule.
    6. Go to the Configuration tab to see the configured changes in the security profile.
Premium
Internal
Rating:
Category:
Configure; Troubleshoot
Solution Id:
1098570
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.