Dell SonicWALL Secure Mobile Access 8.5
Administration Guide
304
About Anti-Evasive Measures
Anti-evasive measures are applied to input identified by the selected variables before the input is matched
against the specified value. For instance, the
String Length
measure is used to compute the length of the
matched input and use it for comparison. Some of the anti-evasive measures are used to thwart attempts by
hackers to encode inputs to bypass Web Application Firewall rules. You can click on an anti-evasive measure in
the list to read more information on it in the
Tips/Help
sidebar.
The anti-evasive measures can be used in conjunction with regular operators. There are ten measures to choose
from in the
Anti-Evasive Measures
field, including the
None
measure which leaves the input alone.
Multiple anti-evasive measures can be selected together and individually enforced. You can select multiple
measures by holding the
Ctrl
key while clicking an additional measure. When the
None
measure is selected
along with other measures in your rule, the input is compared as is and also compared after decoding it or
converting it with another measure.
describes the anti-evasive measures available for use with rules.
Table 36. Anti-Evasive Measures for Rules
Measure
Description
None
Use the
None
measure when you want to compare the scanned input to the
configured variable(s) and value(s) without changing the input.
String Length
Use the
String Length
measure when the selected variable is a string and you want
to compute the length of the string before applying the selected operator.
Convert to Lowercase
Use the
Convert to Lowercase
measure when you want to make case-insensitive
comparisons by converting the input to all lowercase before the comparison. When
you use this measure, make sure that strings entered in the
Value
field are all in
lowercase.
This is an anti-evasive measure to prevent hackers from changing case to bypass the
rule.
Normalize URI Path
Use the
Normalize URI Path
measure to remove invalid references, such as back-
references (except at the beginning of the URI), consecutive slashes, and self-
references in the URI. For example, the URI
www.eshop.com/././//login.aspx
is
converted to
www.eshop.com/login.aspx
.
This is an anti-evasive measure to prevent hackers from adding invalid references in
the URI to bypass the rule.
Remove Spaces
Use the
Remove Spaces
measure to remove spaces within strings in the input before
the comparison. Extra spaces can cause a rule to not match the input, but are
interpreted by the backend Web application.
This is an anti-evasive measure to prevent hackers from adding spaces within strings
to bypass the rule.
Base64 Decode
Use the
Base64 Decode
measure to decode base64 encoded data before the
comparison is made according to the rule.
Some applications encode binary data in a manner convenient for inclusion in URLs
and in form fields. Base64 encoding is done to this type of data to keep the data
compact. The backend application decodes the data.
This is an anti-evasive measure to prevent hackers from using base64 encoding of
their input to bypass the rule.
Hexadecimal Decode
Use the
Hexadecimal Decode
measure to decode hexadecimal encoded data before
the comparison is made according to the rule.
This is an anti-evasive measure to prevent hackers from using hexadecimal encoding
of their input to bypass the rule.