[Snort-users] IDS Evasion with Unicode
jstewart at ...262...
Wed Jan 3 16:08:45 EST 2001
On Wed, 03 Jan 2001, Martin Roesch wrote:
> Snort can even miss some of the things that can be done that aren't in the
> http preprocessor currently. It'd be nice if Eric could forward his list
> of applicable bytecodes so we can try to get full coverage under the
> current implementation.

Yes, I see now the bit about IIS interpreting raw Unicode bytes. That's bad.

> Additionally, it might be nice to start thinking about doing proper
> translation of UTF8 encoding and possibly full blown HTTP application
> protocol decoding. If we did something like this, it'd be the first
> application decoder/detection system in Snort, but a good demo of our
> capability to adapt Snort's detection system to changing network attack

Actually I think moving to even partial HTTP application protocol decoding
could go a long way towards fixing the problem without needing to do UTF8
decoding. We can then focus the search for the telltale Unicode bytes to just
the sections that are applicable.
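
The idea in the reply above, sketched as an added example that is not part of the original post and is not Snort code: decode just enough of the HTTP request line to isolate the request-URI, then look for non-ASCII bytes only there. The function names, result codes and sample requests are hypothetical and constructed for illustration; the check for bytes 0xC0 and 0xC1 relies on the fact that those values never appear in valid UTF-8.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum { URI_NOT_FOUND = -1, URI_CLEAN = 0, URI_HIGH_BYTE = 1, URI_OVERLONG_LEAD = 2 };

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                   /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Scan only the request-URI of "METHOD SP URI SP VERSION"; headers and body are ignored. */
int scan_request_uri(const unsigned char *pkt, size_t n)
{
    const unsigned char *eol = memchr(pkt, '\n', n);
    const unsigned char *end = eol ? eol : pkt + n;
    const unsigned char *uri = memchr(pkt, ' ', (size_t)(end - pkt));
    int result = URI_CLEAN;

    if (!uri || ++uri == end || *uri == ' ') return URI_NOT_FOUND;
    for (; uri < end && *uri != ' ' && *uri != '\r'; uri++) {
        unsigned int b = *uri;
        /* Treat a %XX escape as the byte it stands for. */
        if (b == '%' && end - uri > 2 && hexval(uri[1]) >= 0 && hexval(uri[2]) >= 0) {
            b = (unsigned int)(hexval(uri[1]) << 4 | hexval(uri[2]));
            uri += 2;
        }
        if (b == 0xC0 || b == 0xC1) return URI_OVERLONG_LEAD;  /* never valid in UTF-8 */
        if (b >= 0x80) result = URI_HIGH_BYTE;                 /* raw or escaped non-ASCII */
    }
    return result;
}

int scan_str(const char *s) { return scan_request_uri((const unsigned char *)s, strlen(s)); }

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    const char *samples[] = {
        "GET /index.html HTTP/1.0\r\n\r\n",
        "GET /x\xc0\x81 HTTP/1.0\r\n\r\n",
        "GET /x%C1%81 HTTP/1.0\r\n\r\n",
        "GET / HTTP/1.0\r\nUser-Agent: \xc3\xa9\r\n\r\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%d\n", scan_str(samples[i]));
    return 0;
}
```

The last sample carries non-ASCII bytes only in a header, so it is reported clean: restricting the search to the URI is what keeps such traffic from alerting.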