[Snort-users] Recent IIS exploit rule

Joe Stewart jstewart at ...262...
Fri Oct 27 20:56:26 EDT 2000

On Tue, 24 Oct 2000, you wrote:
> Those rules won't work if you have http_decode running, snort can't see the
> percentage signs ("%")... using the hex escapes don't help one bit, I just
> added them in hopes that a future restructuring of http decoding (perhaps
> even that digs into unicode parsing) 

I suggest adding some code to the http_decode preprocessor that will trigger 
an alert when it detects Unicode overlong byte prefixes, instead of actually 
parsing the Unicode.

Every overlong sequence will begin with one of these six prefixes:
%c0 %c1 %e0 %f0 %f8 %fc

So all it would need to do is check for those values when the url decoding
occurs and trigger an alert. None of the above values have any ASCII 
equivalent, so you should really never see them in a legitimate URL.


Joe Stewart
Information Security Analyst 
LURHQ Corporation
843-347-1075 ext. 303
jstewart at ...262...

More information about the Snort-users mailing list