Examining your network traffic with forensic analysis
238 GigaStor (23 Feb 2018) — Archive/Non-authoritative version
Field        Description
packet sizes for stream reassembly. Running the analysis with
a different seed value can catch signature matches that would
otherwise escape detection.
Port List—Enabling the Port List option limits analysis to (or
excludes from analysis) the given port numbers.
HTTP URI Normalization—Many HTTP-based attacks attempt to evade
detection by encoding URI strings in UTF-8 or in the Microsoft %u
notation for specifying Unicode characters. This preprocessor
includes options to counter the most common evasion techniques.
To match patterns against the normalized URIs rather than the
unconverted strings captured from the wire, the VRT Rules use
the uricontent option, which depends on this preprocessor.
Without normalization, you would have to include a signature
for the pattern in every possible encoding (using the content
option) rather than one signature for the canonical form.
Log preprocessor events—Checking this box causes forensic
analysis to save any alerts generated by the HTTP preprocessor
to the log, but not the Forensic Summary Window.
Maximum directory segment size—Specifies the maximum
length of a directory segment (i.e., the number of characters
allowed between slashes). If a URI directory segment is longer
than this, an alert is generated. 200 characters is a reasonable
cutoff point to start with, and should limit the alerts to IDS
evasions.
Unicode Code Page—Specify the appropriate country code page
for the traffic being monitored.
Normalize ASCII percent encodings—This option must be
enabled for the rest of the options to work. The second check
box allows you to enable logging when such encoding is
encountered during preprocessing. Because such encoding
is considered standard, logging occurrences of this is not
recommended.
Normalize percent-U encodings—Convert Microsoft-style %u-
encoded characters to standard format. The second check
box allows you to enable logging when such encoding is
encountered during preprocessing. Because such encoding is
considered non-standard (and a common hacker trick), logging
occurrences of this is recommended.
Normalize UTF-8 encodings—Convert UTF-8 encoded characters
to standard format. The second check box allows you to
enable logging when such encoding is encountered during
preprocessing. Because Apache uses this standard, enable this
option when monitoring Apache servers. Although you might be
interested in logging UTF-8 encoded URIs, doing so can result in
a lot of noise because this type of encoding is common.
Lookup Unicode in code page—Enables Unicode codepoint
mapping during pre-processing to handle non-ASCII codepoints
that the IIS server accepts.
Normalize double encodings—This option mimics the IIS behavior
of decoding an already-decoded URI a second time, which intruders
can use to launch insertion attacks.
Normalize bare binary non-ASCII encodings—This is an IIS feature
that accepts unencoded non-ASCII bytes as valid values when
decoding UTF-8 sequences. As this is non-standard, logging this
type of encoding is recommended.
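The decoding stages these options control, shown as an added Python example. It is not code from the GigaStor guide or from the Snort project whose http_inspect options the table mirrors, and everything in it is the example's own: the option and event names, the two-entry CODEPAGE_MAP standing in for a real code-page table, and the constructed sample requests, each hiding the traversal string ../../ behind one of the encodings described above (including the overlong form %c0%af, which older IIS versions accepted as a slash). It also applies the directory segment length check from the table.

```python
"""IIS-style URI decoding stages of an HTTP preprocessor, as an added example.
Not GigaStor/Observer or Snort code; option and event names are the example's own."""
from dataclasses import dataclass, field

HEX = b"0123456789abcdefABCDEF"

# Constructed stand-in for the "Unicode code page" table: non-ASCII code points
# that an IIS best-fit code page folds onto ASCII.  Two entries, for illustration.
CODEPAGE_MAP = {0xFF0F: 0x2F,   # FULLWIDTH SOLIDUS   -> '/'
                0xFF0E: 0x2E}   # FULLWIDTH FULL STOP -> '.'


@dataclass
class Normalized:
    uri: str                                    # text a uricontent-style rule matches against
    events: list = field(default_factory=list)  # what "log preprocessor events" would record


def _hex(units, i, n):
    """Integer value of units[i:i+n] if they are exactly n hex digits, else None."""
    chunk = bytes(b for b, _ in units[i:i + n])
    return int(chunk, 16) if len(chunk) == n and all(c in HEX for c in chunk) else None


def _percent_pass(units, ev, percent_u, codepage):
    """One decoding pass over [(byte, is_bare), ...]: standard %XX and Microsoft %uXXXX."""
    out, i = [], 0
    while i < len(units):
        b, bare = units[i]
        if (b == 0x25 and percent_u and i + 1 < len(units) and units[i + 1][0] in (0x75, 0x55)
                and _hex(units, i + 2, 4) is not None):
            cp = _hex(units, i + 2, 4)
            ev.append("u_encoding")
            if cp >= 0x80 and codepage and cp in CODEPAGE_MAP:   # "lookup Unicode in code page"
                ev.append("iis_unicode_codepoint")
                cp = CODEPAGE_MAP[cp]
            out += [(c, False) for c in chr(cp).encode("utf-8", "replace")]
            i += 6
        elif b == 0x25 and _hex(units, i + 1, 2) is not None:
            ev.append("ascii_encoding")                           # standard %XX, always decoded
            out.append((_hex(units, i + 1, 2), False))
            i += 3
        else:
            out.append((b, bare))
            i += 1
    return out


def _utf8_pass(units, ev, bare_ok):
    """Decode multi-byte UTF-8 leniently (overlong forms accepted, as old IIS did).
    Bytes that arrived unencoded ("bare") only take part when bare_ok is set."""
    out, i = [], 0
    while i < len(units):
        b, bare = units[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        need = 1 if 0xC0 <= b <= 0xDF else 2 if 0xE0 <= b <= 0xEF else 3 if 0xF0 <= b <= 0xF7 else 0
        seq = units[i + 1:i + 1 + need]
        ok = (need and len(seq) == need and all(0x80 <= c <= 0xBF for c, _ in seq)
              and (bare_ok or not (bare or any(f for _, f in seq))))
        if not ok:
            out.append("\ufffd"); i += 1; continue
        cp = b & (0x3F >> need)                  # payload bits of the lead byte
        for c, _ in seq:
            cp = (cp << 6) | (c & 0x3F)
        ev.append("utf8_encoding")
        if cp < (0x80, 0x800, 0x10000)[need - 1]:
            ev.append("utf8_overlong")           # non-shortest form, e.g. %C0%AF decoding to '/'
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + need
    return "".join(out)


def normalize_uri(raw: bytes, *, percent_u=True, utf8=True, codepage=True,
                  double=True, bare_binary=True, max_dir_segment=200) -> Normalized:
    """Apply the decoding stages the table's options describe and collect log events."""
    ev = []
    units = [(b, b >= 0x80) for b in raw]        # remember which high bytes were never %-encoded
    if any(bare for _, bare in units):
        ev.append("bare_byte")
    units = _percent_pass(units, ev, percent_u, codepage)
    if double:                                   # IIS decodes a second time: %252e -> %2e -> .
        second = []
        units = _percent_pass(units, second, percent_u, codepage)
        if second:
            ev.append("double_decoding")
    uri = _utf8_pass(units, ev, bare_binary) if utf8 else "".join(chr(b) for b, _ in units)
    if any(len(seg) > max_dir_segment for seg in uri.split("/")):
        ev.append("oversize_dir")                # "maximum directory segment size" alert
    return Normalized(uri, ev)


def content_vs_uricontent(raw: bytes, pattern: str, **opts):
    """(raw-bytes match, normalized match): what a content rule sees vs. a uricontent rule."""
    return pattern.encode() in raw, pattern in normalize_uri(raw, **opts).uri


# Constructed traversal requests, each hiding "../../" behind one encoding trick.
SAMPLES = {
    "plain":     b"/cgi-bin/../../secret.txt",
    "percent":   b"/cgi-bin/%2e%2e%2f%2e%2e%2fsecret.txt",
    "double":    b"/cgi-bin/%252e%252e%252f%252e%252e%252fsecret.txt",
    "u":         b"/cgi-bin/%u002e%u002e%u002f%u002e%u002e%u002fsecret.txt",
    "overlong":  b"/cgi-bin/..%c0%af..%c0%afsecret.txt",
    "fullwidth": b"/cgi-bin/..%uff0f..%uff0fsecret.txt",
    "bare":      b"/cgi-bin/..\xc0\xaf..\xc0\xafsecret.txt",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        hit_raw, hit_norm = content_vs_uricontent(raw, "../")
        print(f"{name:10} content={hit_raw!s:5} uricontent={hit_norm!s:5} "
              f"events={sorted(set(normalize_uri(raw).events))}")
```

Running it shows that a content match on the wire bytes fires only for the plain request, while a uricontent match on the normalized text fires for all seven. Switching one option off (double=False, percent_u=False, utf8=False, codepage=False or bare_binary=False) reopens exactly the evasion that option closes, which is the check to run before trusting a normalizer configuration. The example records every ascii_encoding event; as the table advises, a deployment would leave that logging off and keep the u_encoding and bare_byte events, which are the non-standard ones.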
Source: Observer GigaStor 17.2.0.0 User Guide (23 Feb 2018)