[Snort-users] IDS Evasion with Unicode

Joe Stewart jstewart at ...262...
Wed Jan 3 16:08:45 EST 2001


On Wed, 03 Jan 2001, Martin Roesch wrote:
> Snort can even miss some of the things that can be done that aren't in the
> http preprocessor currently.  It'd be nice if Eric could forward his list
> of applicable bytecodes so we can try to get full coverage under the
> current implementation.

Yes, I see now the bit about IIS interpreting raw Unicode bytes. That's bad.


> Additionally, it might be nice to start thinking about doing proper
> translation of UTF8 encoding and possibly full blown HTTP application
> protocol decoding.  If we did something like this, it'd be the first
> application decoder/detection system in Snort, but a good demo of our
> capability to adapt Snort's detection system to changing network attack
> profiles.

Actually I think moving to even partial HTTP application protocol decoding
could go a long way towards fixing the problem without needing to do UTF8
decoding. We can then focus the search for the telltale Unicode bytes to just
the sections that are applicable.

-Joe
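
The partial decoding suggested above, as an added sketch that is not part of the original message and is not Snort code: it parses only the HTTP request line and looks for high bytes in the request-URI, ignoring headers and body. Treating every byte >= 0x80 (raw or as a %XX escape) as "telltale" is an assumption, and the function names and sample requests are constructed for illustration.

```python
import re

# Assumption: "telltale" means any byte >= 0x80 in the request-URI, sent raw
# or as a %XX escape. A real rule set would narrow this down.
_ESCAPE = re.compile(rb"%([0-9A-Fa-f]{2})")

def request_uri(packet: bytes):
    """Return the request-URI from the first line of an HTTP request, or None."""
    line, _, _ = packet.partition(b"\r\n")
    parts = line.split(b" ")
    # Expected shape: METHOD SP URI SP HTTP/x.y (HTTP/0.9 has no version token)
    if len(parts) < 2 or not parts[0].isalpha():
        return None
    if len(parts) >= 3 and parts[-1].startswith(b"HTTP/"):
        return b" ".join(parts[1:-1])   # keep stray spaces inside the URI
    return b" ".join(parts[1:])

def high_bytes(uri: bytes):
    """List (offset, value, form) for each byte >= 0x80 found in the URI."""
    hits = [(i, b, "raw") for i, b in enumerate(uri) if b >= 0x80]
    hits += [(m.start(), int(m.group(1), 16), "escaped")
             for m in _ESCAPE.finditer(uri) if int(m.group(1), 16) >= 0x80]
    return sorted(hits)

def inspect(packet: bytes):
    """Search only the applicable section (the URI); skip headers and body."""
    uri = request_uri(packet)
    return [] if uri is None else high_bytes(uri)

# Constructed sample requests; the high bytes are a benign UTF-8 'é' (C3 A9).
PLAIN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
RAW = b"GET /a\xc3\xa9b HTTP/1.0\r\n\r\n"
ESCAPED = b"GET /a%C3%A9b HTTP/1.0\r\n\r\n"
BODY_ONLY = b"POST /upload HTTP/1.0\r\nContent-Length: 2\r\n\r\n\xc3\xa9"

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("raw", RAW),
                      ("escaped", ESCAPED), ("body-only", BODY_ONLY)]:
        print(name, inspect(pkt))
```

The body-only request produces no hits even though it carries the same bytes, which is the narrowing that request-line decoding buys over a whole-packet content match.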



