The http_encode Keyword
You can use the http_encode keyword to generate events on the type of encoding in an HTTP request or response before normalization, either in the HTTP URI, in non-cookie data in an HTTP header, in cookies in HTTP request headers, or in set-cookie data in HTTP responses.
You must configure the HTTP Inspect preprocessor to inspect HTTP responses and HTTP cookies to return matches for rules using the http_encode keyword.
Also, you must enable both the decoding and alerting options for each specific encoding type in your HTTP Inspect preprocessor configuration so the http_encode keyword in an intrusion rule can trigger events on that encoding type.
The following table describes the encoding types this option can generate events for in HTTP URIs, headers, cookies, and set-cookies:
| Encoding Type | Description |
|---|---|
| utf8 | Detects UTF-8 encoding in the specified location when this encoding type is enabled for decoding by the HTTP Inspect preprocessor. |
| double_encode | Detects double encoding in the specified location when this encoding type is enabled for decoding by the HTTP Inspect preprocessor. |
| non_ascii | Detects non-ASCII characters in the specified location when non-ASCII characters are detected but the detected encoding type is not enabled. |
| uencode | Detects Microsoft %u encoding in the specified location when this encoding type is enabled for decoding by the HTTP Inspect preprocessor. |
| bare_byte | Detects bare byte encoding in the specified location when this encoding type is enabled for decoding by the HTTP Inspect preprocessor. |
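The following is an added example, not part of the original documentation and not the HTTP Inspect preprocessor's own decoder: a simplified Python model of the table above that an analyst can use to see which encoding type a raw (pre-normalization) URI would be reported under, and how the result changes with the decoding options that are enabled. The function name, the byte patterns and the `enabled` parameter are assumptions made for illustration, and the sample URIs are constructed.

```python
import re

# Simplified byte patterns for the encoding types in the table
# (assumed for illustration; the preprocessor's real decoder is more thorough).
U_ENCODE = re.compile(rb"%u[0-9a-f]{4}", re.I)                    # Microsoft %uXXXX
DOUBLE = re.compile(rb"%25(?:[0-9a-f]{2}|u[0-9a-f]{4})", re.I)    # an escaped '%' hiding an escape
PCT_RUN = re.compile(rb"(?:%[0-9a-f]{2})+", re.I)                 # run of plain %XX escapes
UTF8_SEQ = re.compile(rb"[\xc0-\xf7][\x80-\xbf]")                 # lead byte + continuation byte


def _pct_decode(run: bytes) -> bytes:
    """Decode one layer of %XX escapes from a run made only of such escapes."""
    return bytes(int(run[i + 1:i + 3], 16) for i in range(0, len(run), 3))


def http_encode_types(raw: bytes, enabled: set) -> set:
    """Return the encoding types reported for `raw`, given the enabled decoders.

    `enabled` models the per-type decoding options of the preprocessor
    (hypothetical parameter). A type is reported only when it is enabled;
    non-ASCII data whose encoding type is not enabled is reported as non_ascii.
    """
    seen = set()
    if U_ENCODE.search(raw):
        seen.add("uencode")
    if DOUBLE.search(raw):
        seen.add("double_encode")
    if UTF8_SEQ.search(raw):                       # unescaped high-bit bytes
        seen.add("bare_byte")
    if any(UTF8_SEQ.search(_pct_decode(m.group())) for m in PCT_RUN.finditer(raw)):
        seen.add("utf8")                           # %XX escapes forming a UTF-8 sequence

    reported = seen & enabled
    if (seen & {"utf8", "bare_byte"}) - enabled:   # non-ASCII, but its decoder is off
        reported.add("non_ascii")
    return reported


if __name__ == "__main__":
    # Constructed sample URIs, each checked against one enabled decoder.
    samples = [(b"/a%C3%A9.html", {"utf8"}), (b"/a%C3%A9.html", set()),
               (b"/%2541dmin", {"double_encode"}), (b"/%u0041dmin", {"uencode"}),
               (b"/caf\xc3\xa9", {"bare_byte"})]
    for uri, opts in samples:
        print(uri, sorted(opts), "->", sorted(http_encode_types(uri, opts)))
```

The second sample shows the non_ascii row of the table: the same URI that reports utf8 when UTF-8 decoding is enabled reports non_ascii when it is not.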