Understanding HTTP Evasion Detection Signatures

by rcole on ‎06-08-2016 02:50 PM - edited on ‎04-05-2018 11:42 PM by spiromruen (19,196 Views)

One tactic leveraged on a network to evade detection by security appliances is to obfuscate or obscure HTTP communications in a way that the receiving user agent is capable of interpreting the data, but formatting this traffic in a way that appliances inspecting the traffic may not be able to interpret correctly. This is commonly referred to as an "evasion" tactic.


Different HTTP client implementations behave differently, and many times do not conform to standards (RFC) which can be leveraged to bypass decoders and scanning engines which use their own respective implementations. PAN-OS deals with this in two ways: If the decoder cannot decode the traffic as http, the application will be set to “unknown-tcp” or any other application that might be detected instead. Additionally, protection against HTTP evasion is implemented using vulnerability signatures such as:

• Suspicious Abnormal HTTP Response Found (38304, 38358, 38307, 38476, 38305, 38310, 38841, 38742, 38302, 38870, 38767, 38840, 39041, 38824, 38920, 38303, 38839, 38741)

• HTTP Non RFC-Compliant Response Found (32880)

• Suspicious HTTP Evasion Found (39004, 39022, 38306, 38919, 38635)

• HTTP Request Pipeline Evasion Found (36767)

• HTTP Request Line Separator Evasion (36398, 36422)


• HTTP various charset encoding html response evasion (33125)

• HTTP utf-7 charset encoding html response evasion (33126)

Non-compliant servers and web applications can serve malformed but non-malicious responses, and to accommodate this, vulnerability profiles can be fine-tuned using exceptions. This would not have been possible if the decoder was enforcing standards compliance system wide. As with security as a whole, this comes down to network administrators balancing the risk of malicious content being allowed against legitimate content being denied, and security vendors providing signatures to protect against evasion techniques developed in the wild.
PAN threat research teams are constantly watching for these and other threats, and we value any information with context coming from our valued customers to help address missed evasions.

Ignite 2018, Amsterdam, Netherlands
Ask Questions Get Answers Join the Live Community