[Snort-users] IDS Evasion with Unicode

Martin Roesch roesch at ...421...
Wed Jan 3 14:38:33 EST 2001

Snort can even miss some of the things that can be done that aren't in the
http preprocessor currently.  It'd be nice if Eric could forward his list of
applicable bytecodes so we can try to get full coverage under the current

Additionally, it might be nice to start thinking about doing proper
translation of UTF8 encoding and possibly full blown HTTP application protocol
decoding.  If we did something like this, it'd be the first application
decoder/detection system in Snort, but a good demo of our capability to adapt
Snort's detection system to changing network attack profiles.

One thing Eric didn't really mention in the article (although it'll be well
known to the people who are conversant in IDS technology) is that since Snort
is open source, you can incorporate a detection system of your own design into
the system, which you can't really do with any of the other non-programmable
IDSs.  Additionally, due to the plugin architecture of Snort you can
potentially develop a much more high performance implementation than you can
with the programmable systems since it doesn't try to protect you from
yourself. :)  (Yes, you're free to break it in any way you see fit...)

Anyway, it's a pretty good article and does a good job of highlighting the
problem us poor IDS programmers face when trying to be all things to all
people.  :)


Joe Stewart wrote:
> On Wed, 03 Jan 2001, you wrote:
> > oh oh. This article at www.securityfocus.com wasn't any too complimentary
> > to snort :-( Now I'm wondering if I'm running anything that's translating
> > unicode that I don't know about. hmmmm. A little knowledge is a scary
> > thing...
> The CVS version of snort has unicode evasion alerting built in to the HTTP
> preprocessor. You will get a few false positives due to the use of non-ascii
> urlencodings in the occasional cookie string, but it will definitely catch all
> unicode overlong sequences, without the overhead of true unicode processing.
> -Joe

Martin Roesch
roesch at ...421...
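
An added example, not Snort's preprocessor code and not written by anyone in this thread: a sketch of the kind of check described in the quoted reply, flagging %-escaped overlong UTF-8 sequences in a URI without full Unicode decoding. The function names, return codes and sample URIs are constructed for illustration; the overlong byte ranges are those of standard UTF-8.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

enum { UNI_NONE = 0, UNI_NONASCII = 1, UNI_OVERLONG = 2 };

/* Value of the %XX escape at s, or -1 if s does not start with one. */
static int pct_byte(const char *s)
{
    char hex[3];
    if (s[0] != '%' || !isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
        return -1;
    hex[0] = s[1]; hex[1] = s[2]; hex[2] = '\0';
    return (int)strtol(hex, NULL, 16);
}

/* True if lead byte b0 (with following byte b1) starts a sequence that
 * spends more bytes than the code point needs. */
static int is_overlong(int b0, int b1)
{
    if (b0 == 0xC0 || b0 == 0xC1) return 1;          /* 2-byte form of U+0000..U+007F */
    if (b0 == 0xE0) return b1 >= 0x80 && b1 <= 0x9F; /* 3-byte form below U+0800 */
    if (b0 == 0xF0) return b1 >= 0x80 && b1 <= 0x8F; /* 4-byte form below U+10000 */
    return 0;
}

/* UNI_OVERLONG for an overlong escape, UNI_NONASCII for any other escaped
 * byte >= 0x80 (the false-positive class, e.g. cookie data), else UNI_NONE. */
int uri_unicode_check(const char *uri)
{
    int result = UNI_NONE;
    for (; *uri; uri++) {
        int b0 = pct_byte(uri);
        if (b0 < 0x80)
            continue;                    /* literal char or ASCII escape */
        if (is_overlong(b0, pct_byte(uri + 3)))
            return UNI_OVERLONG;
        result = UNI_NONASCII;
    }
    return result;
}

int main(void)
{
    /* Constructed samples: plain, valid UTF-8, overlong encoding of 'A'. */
    const char *samples[] = { "/index.html", "/caf%c3%a9", "/index%c1%81.html" };
    for (int i = 0; i < 3; i++)
        printf("%d %s\n", uri_unicode_check(samples[i]), samples[i]);
    return 0;
}
```

Only the lead byte and the byte after it are inspected, so the check stays cheap; raw (unescaped) high bytes are out of scope for this sketch.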
