Imperva Cyber Community

Dear Team,

Hope all doing good!

In Securesphere WAF logs has been analyzed has "illegal byte code" for below request. Either this request due to WAF non-readable format or any other reason.

Sample Logs:
[[#22]][[#3]][[#3]][[#0]]Ñ[[#1]][[#0]][[#0]]Í[[#3]][[#3]]b—Sí¡[[#18]][[#26]]äV®{1·b%>!¨[[#21]]í#îmÿxî[[#1]]hý?[[#0]][[#0]]d[[#0]]ÿÀ$À([[#0]]=À&À*[[#0]]k[[#0]]jÀ   

• À[[#20]][[#0]]5À[[#5]]À[[#15]][[#0]]9[[#0]]8À#À'[[#0]]<À%À)[[#0]]g[[#0]]@À À[[#19]][[#0]]/À[[#4]]À[[#14]][[#0]]3[[#0]]2À,À+À0[[#0]]À.À2[[#0]]£[[#0]]ŸÀ/[[#0]]œÀ-À1[[#0]]ž[[#0]]¢À[[#8]]À[[#18]][[#0]]: 
• À[[#3]]À [[#0]][[#22]][[#0]][[#19]][[#1]][[#0]][[#0]]@[[#0]]: 
• [[#0]][[#24]][[#0]][[#22]][[#0]][[#23]][[#0]][[#19]][[#0]][[#21]][[#0]][[#24]][[#0]][[#25]][[#0]][[#15]][[#0]][[#16]][[#0]][[#17]][[#0]][[#18]][[#0]][[#20]][[#0]][[#22]][[#0]][[#11]][[#0]][[#2]][[#1]][[#0]][[#0]] [[#0]][[#26]][[#0]][[#24]][[#6]][[#3]][[#6]][[#1]][[#5]][[#3]][[#5]][[#1]][[#4]][[#3]][[#4]][[#1]][[#3]][[#3]][[#3]][[#1]][[#2]][[#3]][[#2]][[#1]][[#4]][[#2]][[#2]][[#2]][[#21]][[#3]][[#3]][[#0]][[#2]][[#2]]: 

#On-PremisesWAF(formerlySecuresphere)

------------------------------
Jagadesh Kumar R
Inormation Security Group, Assistant Manager
Karur
------------------------------

Hi Jagadesh,

In my experience, although it could be part of attack or malicious attempt - I usually see this alert triggered often when the WAF is monitoring an SSL VPN, or some type of remote session streaming. (like RDP).

Hi Jaired,

I have analyzed one more point, in this traffic "decoded: false" what will be the reason we have getting this,

Alert Name:
Illegal Byte Code Character in Header Name

------------------------------
Jagadesh Kumar R
Inormation Security Group, Assistant Manager
Karur
------------------------------

Original Message:
Sent: 06-02-2022 09:15
From: Jaired Anderson
Subject: Illegal Byte Code Alerts

Hi Jagadesh,

In my experience, although it could be part of attack or malicious attempt - I usually see this alert triggered often when the WAF is monitoring an SSL VPN, or some type of remote session streaming. (like RDP).