Forum Discussion

dburnett_103851
Nimbostratus
Apr 02, 2009

Evasion Techniques Blocking

We are getting genuine customer transactions blocked with the reason of possible Evasion Technique - Multiple Decoding

Looking at the ASM policy the default setting for Multiple Decoding is 2 decoding passes.

I've got 3 questions:

1) What is the reasoning for the default to be set at 2 decoding passes?

2) What decoding level do other ASM users have set (or do they even utilise this blocking function)? and

3) What risk would we be running if we were to increase this level in order to allow the genuine connections through?

1 Reply

    Benjamin_9036
    Historic F5 Account
    Heya,

    I will attempt to answer what I can of your questions below. =]

    1) What is the reasoning for the default to be set at 2 decoding passes?

    a) I suspect the default decoding passes were set low because true multiple encoding passes are rarely found in normal User-Agent traffic.

    2) What decoding level do other ASM users have set (or do they even utilize this blocking function)?

    b) I can only speculate as to this. Most commonly I have encountered this set at the default value and only occasionally 3.

    3) What risk would we be running if we were to increase this level in order to allow the genuine connections through?

    c) The Multiple Encoding technique describes encoding your encoding characters. A single URL encoding of the quote character is %22. A "Double encoding" of this would appear as %25%32%32, and would generally be used to bypass or "evade" patterns that match ASCII values. Just disabling this violation or increasing its value would not necessarily put you at risk - it would simply mean the ASM would not generate violations when characters required multiple passes to decode. Since the ASM should decode the traffic as many times as necessary to get ASCII values, you should still have all the protection of the rest of your policy (Signatures, Illegal Meta-Characters, et cetera) in place to catch truly malicious traffic.

    Hope this helps! =]

    Cheers,

    // Ben
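The behaviour Ben describes in point c) can be modelled in a few lines: decode the value until it stops changing, count how many passes that took, raise the "Multiple Decoding" violation only when the count exceeds the configured limit, and run the remaining checks (illegal meta characters, a signature) against the fully decoded value. The example below is an added illustration of that logic, not F5's ASM code, and it only models percent-decoding; the two-pass limit, the meta-character set, the single `<script` signature, and the `encode_n` helper are constructed for the demonstration. The sample inputs are constructed as well.

```python
import re
from urllib.parse import quote, unquote

# Constructed model of the policy settings discussed in the thread.
# MAX_DECODING_PASSES mirrors the "2 decoding passes" default the poster
# mentions; None models disabling the Multiple Decoding violation.
MAX_DECODING_PASSES = 2
ILLEGAL_META_CHARS = set('<>"\'')                 # constructed, illustrative set
SIGNATURE_RE = re.compile(r"(?i)<\s*script")      # constructed, illustrative signature

VIOLATION_MULTIPLE_DECODING = "Evasion technique detected: Multiple Decoding"
VIOLATION_ILLEGAL_META = "Illegal meta character in value"
VIOLATION_SIGNATURE = "Attack signature detected"


def decode_fully(value, max_passes=10):
    """Percent-decode `value` until it stops changing (a fixed point).

    Returns (decoded_value, passes), where `passes` counts only the decodes
    that actually changed something.  `max_passes` is a safety stop for
    pathological input; unquote() leaves malformed sequences such as '%zz'
    untouched, so the loop terminates on its own for normal data.
    Note that unquote() does not turn '+' into a space; that is a
    form-encoding rule, not percent-encoding.
    """
    current = value
    passes = 0
    while passes < max_passes:
        nxt = unquote(current)
        if nxt == current:
            break
        current = nxt
        passes += 1
    return current, passes


def encode_n(value, n):
    """Percent-encode `value` n times (helper to build test inputs)."""
    for _ in range(n):
        value = quote(value, safe="")
    return value


def check_parameter(value, max_passes=MAX_DECODING_PASSES):
    """Run the modelled policy against one parameter value.

    Every check except Multiple Decoding operates on the fully decoded
    value, which is the point of Ben's answer: raising or disabling the
    pass limit does not stop the other checks from seeing the real payload.
    """
    decoded, passes = decode_fully(value)
    violations = []
    if max_passes is not None and passes > max_passes:
        violations.append(VIOLATION_MULTIPLE_DECODING)
    if any(ch in ILLEGAL_META_CHARS for ch in decoded):
        violations.append(VIOLATION_ILLEGAL_META)
    if SIGNATURE_RE.search(decoded):
        violations.append(VIOLATION_SIGNATURE)
    return {"decoded": decoded, "passes": passes, "violations": violations}


if __name__ == "__main__":
    # The two spellings of a double-encoded quote from Ben's answer.
    for sample in ("%22", "%2522", "%25%32%32"):
        print(sample, "->", decode_fully(sample))

    # A legitimate client that double-encodes a space: passes the default.
    print(check_parameter(encode_n("hello world", 2)))

    # A triple-encoded script tag: flagged at the default limit, and still
    # caught by the signature and meta-character checks with the limit off.
    payload = encode_n("<script>", 3)
    print(check_parameter(payload))
    print(check_parameter(payload, max_passes=None))
```

Running it shows `%22`, `%2522` and `%25%32%32` all reaching `"` in one, two and two passes respectively. The double-encoded space produces no violation at the default limit, which is the kind of traffic the poster wants through, while the triple-encoded `<script>` is flagged for Multiple Decoding at the default and, with the limit set to None, is still flagged by the signature and meta-character checks because they look at the decoded `<script>`.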