[Snort-users] IDS Evasion with Unicode

Joe Stewart jstewart at ...262...
Wed Jan 3 13:35:58 EST 2001


On Wed, 03 Jan 2001, you wrote:
> oh oh. This article at www.securityfocus.com wasn't any too complimentary
> to snort :-( Now I'm wondering if I'm running anything that's translating
> unicode that I don't know about. hmmmm. A little knowledge is a scary
> thing...

The CVS version of snort has unicode evasion alerting built in to the HTTP
preprocessor. You will get a few false positives due to the use of non-ascii
urlencodings in the occasional cookie string, but it will definitely catch all
unicode overlong sequences, without the overhead of true unicode processing.

-Joe
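
Added example, not part of the original message and not Snort's own code: one way to flag overlong UTF-8 sequences in a percent-encoded URI by inspecting only lead bytes, without decoding to code points. The function and constant names are hypothetical; other non-ASCII encodings get a separate, lower-severity class, since the message notes they also occur in legitimate traffic.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

enum { URI_CLEAN, URI_NON_ASCII, URI_OVERLONG };

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Return the byte at s[*i], decoding a %XX escape if one starts there. */
static int next_byte(const char *s, size_t *i) {
    if (s[*i] == '%') {
        int hi = hexval((unsigned char)s[*i + 1]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)s[*i + 2]);
        if (lo >= 0) { *i += 3; return hi * 16 + lo; }
    }
    return (unsigned char)s[(*i)++];
}

/* Classify a URI from each lead byte and the byte after it only. */
int classify_uri(const char *uri) {
    int result = URI_CLEAN;
    size_t i = 0;
    while (uri[i] != '\0') {
        int b = next_byte(uri, &i), min = 0;
        if (b < 0x80) continue;
        result = URI_NON_ASCII;              /* may be legitimate UTF-8 */
        if (b == 0xC0 || b == 0xC1) return URI_OVERLONG; /* 2-byte form of ASCII */
        if (b == 0xE0) min = 0xA0;           /* 3-byte form below U+0800 */
        if (b == 0xF0) min = 0x90;           /* 4-byte form below U+10000 */
        if (min && uri[i] != '\0') {
            size_t j = i;                    /* peek without consuming */
            int c = next_byte(uri, &j);
            if (c >= 0x80 && c < min) return URI_OVERLONG;
        }
    }
    return result;
}

int main(void) {  /* constructed sample URIs, not from the original post */
    const char *s[] = { "/index.html", "/search?q=caf%c3%a9", "/docs%c0%afindex.html" };
    for (size_t k = 0; k < 3; k++) printf("%d %s\n", classify_uri(s[k]), s[k]);
    return 0;
}
```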
