Network Instruments GigaStor 114ff User Manual
Page 104

Forensic Analysis Profile field descriptions
Chapter 6 Forensic Analysis using Snort
rev. 1
HTTP URI Normalization (Continued)
• Normalize percent-U encodings—Convert Microsoft-style %u-encoded 
characters to standard format. The second check box allows you to enable 
logging when such encoding is encountered during preprocessing. Because 
such encoding is considered non-standard (and a common hacker trick), logging 
occurrences of this is recommended.
• Normalize UTF-8 encodings—Convert UTF-8 encoded characters to standard 
format. The second check box allows you to enable logging when such 
encoding is encountered during preprocessing. Because Apache uses this 
standard, enable this option when monitoring Apache servers. Although you 
might be interested in logging UTF-8 encoded URIs, doing so can result in a lot 
of noise because this type of encoding is common.
• Lookup Unicode in code page—Enables Unicode codepoint mapping during 
preprocessing to handle non-ASCII codepoints that the IIS server accepts.
• Normalize double encodings—This option mimics IIS behavior that intruders 
can use to launch insertion attacks.
• Normalize bare binary non-ASCII encodings—This is an IIS feature that uses 
non-ASCII characters as valid values when decoding UTF-8 values. As this is 
non-standard, logging this type of encoding is recommended.
• Normalize directory traversal—Directory traversal attacks attempt to access 
unauthorized directories and commands on a web server or application by using 
the /./ and /../ syntax. This preprocessor removes directory traversals and 
self-referential directories. You may want to disable logging for occurrences 
of this, as many web pages and applications use directory traversals to 
reference content.
• Normalize multiple slashes to one—Another directory traversal strategy is to 
attempt to confuse the web server with excessive multiple slashes.
• Normalize Backslash—This option emulates IIS treatment of backslashes (i.e., 
converts them to forward slashes).
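The following Python example is added here for illustration; it is not from the manual and is not Snort's or GigaStor's own code. It models the percent-U, double-encoding, backslash, multiple-slash and directory-traversal options on constructed request paths, showing that a rule matching on the path only fires after normalization and which occurrences would be logged. The function name, event names, SIGNATURE value and sample paths are assumptions; code-page lookup and bare-byte handling are omitted.

```python
import re
from urllib.parse import unquote

HEX = re.compile(r"%[0-9a-fA-F]{2}")
U_ENC = re.compile(r"%u([0-9a-fA-F]{4})")

def normalize_uri(path):
    """Return (normalized path, list of events worth logging)."""
    events = []
    if U_ENC.search(path):                      # Microsoft-style %uXXXX
        events.append("u_encoding")
        path = U_ENC.sub(lambda m: chr(int(m.group(1), 16)), path)
    path = unquote(path)                        # standard %XX, UTF-8 aware
    if HEX.search(path):                        # %XX survived one decode pass
        events.append("double_encoding")
        path = unquote(path)
    if "\\" in path:                            # IIS treats \ as /
        events.append("backslash")
        path = path.replace("\\", "/")
    if "//" in path:                            # collapse runs of slashes
        events.append("multi_slash")
        path = re.sub(r"/{2,}", "/", path)
    kept, dotted = [], False
    for seg in path.split("/"):                 # resolve /./ and /../
        if seg == ".":
            dotted = True
        elif seg == "..":
            dotted = True
            if len(kept) > 1:                   # never climb above the root
                kept.pop()
        else:
            kept.append(seg)
    if dotted:
        events.append("directory_traversal")
    return "/".join(kept) or "/", events

SIGNATURE = "/admin/config"                     # hypothetical rule content
SAMPLES = [                                     # constructed request paths
    "/admin/x/../config",
    "/admin%u002Fconfig",
    "/admin%255Cconfig",
    "/admin////config",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        norm, events = normalize_uri(raw)
        print(raw, "| raw match:", SIGNATURE in raw,
              "| normalized match:", SIGNATURE in norm, "| events:", events)
```

None of the four raw paths contains the rule content, yet all four normalize to it, which is why these options are applied before rule matching.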
Table 8 Forensic Analysis Profile Settings tab (Continued)
Field
Description
