[Snort-users] IDS Evasion with Unicode

Joe Stewart jstewart at ...262...
Wed Jan 3 16:08:45 EST 2001

On Wed, 03 Jan 2001, Martin Roesch wrote:
> Snort can even miss some of the things that can be done that aren't in the
> http preprocessor currently.  It'd be nice if Eric could forward his list
> of applicable bytecodes so we can try to get full coverage under the
> current implementation.

Yes, I see now the bit about IIS interpreting raw Unicode bytes. That's bad.

> Additionally, it might be nice to start thinking about doing proper
> translation of UTF8 encoding and possibly full blown HTTP application
> protocol decoding.  If we did something like this, it'd be the first
> application decoder/detection system in Snort, but a good demo of our
> capability to adapt Snort's detection system to changing network attack
> profiles.

Actually I think moving to even partial HTTP application protocol decoding
could go a long way towards fixing the problem without needing to do UTF8
decoding. We can then focus the search for the telltale Unicode bytes to just
the sections that are applicable.
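
The partial-decoding idea in the reply above, as an added example that is not part of the original post and is not Snort code: parse only the request line, then search just the URI path for UTF-8 sequences that are overlong (a lead byte that valid UTF-8 never uses for that value). Treating the path as the "applicable section", the function names and the sample requests are assumptions made for this sketch.

```python
import re

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")

def request_path(packet: bytes) -> bytes:
    """Partial HTTP decode: return only the path from the request line."""
    line = packet.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) < 2:
        return b""
    return parts[1].split(b"?", 1)[0]   # assumption: query string is out of scope

def unescape_once(path: bytes) -> bytes:
    """Undo one layer of %XX escaping so raw and escaped bytes compare equal."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), path)

def overlong_sequences(path: bytes) -> list:
    """Return (offset, hex) for each lead/continuation pair that is overlong."""
    hits = []
    for i in range(len(path) - 1):
        lead, nxt = path[i], path[i + 1]
        if not 0x80 <= nxt <= 0xBF:          # not a continuation byte
            continue
        if (lead in (0xC0, 0xC1)             # 2-byte form of an ASCII value
                or (lead == 0xE0 and nxt < 0xA0)   # 3-byte form of < U+0800
                or (lead == 0xF0 and nxt < 0x90)): # 4-byte form of < U+10000
            hits.append((i, path[i:i + 2].hex()))
    return hits

def inspect(packet: bytes) -> list:
    """Findings for one request; headers and body are never searched."""
    return overlong_sequences(unescape_once(request_path(packet)))

# Constructed sample requests (not captured traffic).
ESCAPED = b"GET /docs/%c1%81.html HTTP/1.0\r\n\r\n"      # overlong 'A', escaped
RAW     = b"GET /docs/\xc1\x81.html HTTP/1.0\r\n\r\n"    # same bytes sent raw
VALID   = b"GET /caf%c3%a9 HTTP/1.0\r\n\r\n"             # well-formed UTF-8
BODY    = b"POST /upload HTTP/1.0\r\nContent-Length: 2\r\n\r\n\xc0\x80"

if __name__ == "__main__":
    for name, pkt in [("escaped", ESCAPED), ("raw", RAW),
                      ("valid", VALID), ("body", BODY)]:
        print(name, inspect(pkt))
```

The `BODY` sample carries the same kind of byte pair in its payload and produces no finding, which is the narrowing the reply is after: a match counts only where the server would interpret it as part of the requested path.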

