[Snort-users] IDS Evasion with Unicode

Eric Hacker hacker at ...251...
Fri Jan 5 09:53:50 EST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marty and everyone,

I'm wicked behind on reading this list, and I haven't even read this
thread. Give me the weekend to catch up. Meanwhile here is what I'm
sending out as far as the codes. PGP signature is from my work
address, but I'm sending from the address I'm subscribed to the list
as.

Hello,

Attached is the code list. I'm not sure why it could not be hosted at
SecurityFocus, but given the time constraints when I was informed it
couldn't, this seemed like a reasonable solution. I did not choose
this method of delivery for any reason other than expediency.

It actually is a pain, because I refuse, on principle, to write a
rule that will automatically send out an attachment. I also have
publicly stated that messages with attachments should be PGP signed
and I'm certainly not going to automate that. Perhaps I should
refuse, on principle, to use Outlook, but that's a different story.
;-)

This is a list of codes that I believe create an IDS evasion
problem for IIS. Some are well known and are merely included for
completeness. This list, however, is not to be taken as complete. I
merely brute-forced through the entire UTF-8 character space and
parsed the logs for single byte interpretations. I did not try any
multi-code point Unicode characters. I very likely made a mistake or
two.

The first column is the character as IIS interpreted it. The second
column is the UTF-8 hex submitted. The third column is the Unicode
code point of the interpreted character. The fourth column is the
Unicode code point of the submitted character. This is a tab
delimited file to facilitate automated parsing.

I hope you find it educational. I have not tried to study the data
for any patterns that might aid IDS detection. If you find anything
useful, please let me know.

Eric Hacker, CISSP, GCIA, MCSE, CCSE
Network Security Consultant
Lucent Worldwide Services
"Long gone are the days when one's surname referred to the role
one had in the community."
PGP Key available from pgpkeys.mit.edu.


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Martin Roesch
Sent: Wednesday, January 03, 2001 2:39 PM
To: Joe Stewart
Cc: snort-users at lists.sourceforge.net; ehacker at ...389...
Subject: Re: [Snort-users] IDS Evasion with Unicode


Snort can even miss some of the things that can be done that aren't
in the http preprocessor currently.  It'd be nice if Eric could
forward his list of applicable bytecodes so we can try to get full
coverage under the current implementation.

Additionally, it might be nice to start thinking about doing proper
translation of UTF8 encoding and possibly full blown HTTP application
protocol decoding.  If we did something like this, it'd be the first
application decoder/detection system in Snort, but a good demo of our
capability to adapt Snort's detection system to changing network
attack profiles.

One thing Eric didn't really mention in the article (although it'll
be well known to the people who are conversant in IDS technology) is
that since Snort is open source, you can incorporate a detection
system of your own design into the system, which you can't really do
with any of the other non-programmable IDSs.  Additionally, due to
the plugin architecture of Snort you can potentially develop a much
more high performance implementation than you can with the
programmable systems since it doesn't try to protect you from
yourself. :)  (Yes, you're free to break it in any way you see
fit...)

Anyway, it's a pretty good article and does a good job of
highlighting the problem us poor IDS programmers face when trying to
be all things to all people.  :)

    -Marty

Joe Stewart wrote:
> 
> On Wed, 03 Jan 2001, you wrote:
> > oh oh. This article at www.securityfocus.com wasn't any too
> > complimentary to snort :-( Now I'm wondering if I'm running
> > anything that's translating unicode that I don't know about.
> > hmmmm. A little knowledge is a scary thing...
> 
> The CVS version of snort has unicode evasion alerting built in to
> the HTTP preprocessor. You will get a few false positives due to
> the use of non-ascii urlencodings in the occasional cookie string,
> but it will definitely catch all unicode overlong sequences,
> without the overhead of true unicode processing.
> 
> -Joe
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/mailman/listinfo/snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOlXf/Xhkk6EiK+DHEQIlsQCfS3SSoap6z/pBgx4etlBiVKpQMXEAoIOp
uep+/WnUFC1otip2Ac4bVj4k
=dPOU
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: UTF8 Translations values.txt
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010105/8f7f2e4d/attachment.txt>
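The two technical points in this thread are Eric's per-character table (interpreted character, submitted UTF-8 hex, and the two code points) and Joe's note that the HTTP preprocessor alerts on overlong UTF-8 sequences without doing full Unicode decoding. The following Python is an added illustration of that detection idea; it is not Snort's http preprocessor, not Eric's brute-force harness, and not the attached list. It percent-decodes a request URI, walks the bytes looking for multibyte UTF-8 forms whose code point fits in fewer bytes, and reports each hit as a row shaped like Eric's columns. The sample request lines are constructed for the example, and the function names are the example's own.

```python
"""Detect overlong UTF-8 sequences in percent-encoded HTTP request URIs.

Added illustration for this thread; not Snort's http preprocessor and
not Eric Hacker's test harness.  Sample request lines are constructed.
"""
from urllib.parse import unquote_to_bytes


def find_overlong_utf8(data: bytes) -> list[tuple[int, bytes, int]]:
    """Return (offset, raw_sequence, code_point) for every well-formed
    multibyte UTF-8 sequence whose code point could have been written in
    fewer bytes.  A strict decoder rejects these; a lenient one (the IIS
    behaviour the thread discusses) maps them to ordinary characters, so
    a signature written for the ASCII form never sees them."""
    findings = []
    i, n = 0, len(data)
    while i < n:
        lead = data[i]
        if lead < 0x80:                      # plain ASCII byte
            i += 1
            continue
        if 0xC0 <= lead <= 0xDF:             # 2-byte form must encode >= U+0080
            need, cp, floor = 1, lead & 0x1F, 0x80
        elif 0xE0 <= lead <= 0xEF:           # 3-byte form must encode >= U+0800
            need, cp, floor = 2, lead & 0x0F, 0x800
        elif 0xF0 <= lead <= 0xF7:           # 4-byte form must encode >= U+10000
            need, cp, floor = 3, lead & 0x07, 0x10000
        else:                                # stray continuation or invalid lead
            i += 1
            continue
        seq = data[i:i + 1 + need]
        if len(seq) != 1 + need or any(not 0x80 <= c <= 0xBF for c in seq[1:]):
            i += 1                           # truncated or malformed: not an overlong
            continue
        for c in seq[1:]:
            cp = (cp << 6) | (c & 0x3F)      # accumulate the 6 payload bits per byte
        if cp < floor:
            findings.append((i, seq, cp))
        i += 1 + need
    return findings


def scan_request(uri: str) -> list[tuple[int, str, int, str]]:
    """Percent-decode a URI and report overlongs as rows modelled on the
    table Eric describes: byte offset, submitted UTF-8 hex, the code
    point, and the character a lenient decoder would produce (given only
    when it is printable ASCII)."""
    raw = unquote_to_bytes(uri)
    rows = []
    for offset, seq, cp in find_overlong_utf8(raw):
        shown = chr(cp) if 0x20 <= cp < 0x7F else ""
        rows.append((offset, seq.hex(), cp, shown))
    return rows


def is_strict_utf8(data: bytes) -> bool:
    """True when Python's strict decoder accepts the bytes; it refuses overlongs."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


# Constructed sample request lines (not taken from any real server log).
SAMPLE_REQUESTS = [
    "/index.html",                    # plain ASCII: no alert
    "/search?q=caf%C3%A9",            # valid 2-byte UTF-8: no alert, avoids Joe's false positive
    "/a/..%c0%af../b",                # 2-byte overlong encoding of '/'
    "/a/..%e0%80%af../b",             # 3-byte overlong encoding of '/'
    "/a/..%c1%9c../b",                # 2-byte overlong encoding of backslash
]


def scan_log(uris):
    """Map each URI containing at least one overlong sequence to its rows."""
    return {u: rows for u in uris if (rows := scan_request(u))}


if __name__ == "__main__":
    for uri, rows in scan_log(SAMPLE_REQUESTS).items():
        for offset, hexseq, cp, shown in rows:
            print(f"{uri}\tbyte {offset}\t{hexseq}\tU+{cp:04X}\t{shown!r}")
```

Only sequences that are well formed but shorter-than-possible are reported, so ordinary non-ASCII URL encodings such as the café query pass silently; a cruder rule that alerts on any %80-%FF byte would trip on exactly the cookie strings Joe mentions. The check needs no code point tables, which is the same trade-off Joe describes: catch the overlong class cheaply rather than fully decode Unicode.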
