[Snort-users] IDS Evasion with Unicode

Eric Hacker hacker at ...251...
Fri Jan 5 09:53:50 EST 2001


Marty and everyone,

I'm wicked behind on reading this list, and I haven't even read this
thread. Give me the weekend to catch up. Meanwhile here is what I'm
sending out as far as the codes. PGP signature is from my work
address, but I'm sending from the address I'm subscribed to the list


Attached is the code list. I'm not sure why it could not be hosted at
SecurityFocus, but given the time constraints when I was informed it
couldn't, this seemed like a reasonable solution. I did not choose
this method of delivery for any reason other than expediency.

It actually is a pain, because I refuse, on principle, to write a
rule that will automatically send out an attachment. I also have
publicly stated that messages with attachments should be PGP signed
and I'm certainly not going to automate that. Perhaps I should
refuse, on principle, to use Outlook, but that's a different story.

This is a list of codes that I believe create an IDS evasion
problem for IIS. Some are well known and are merely included for
completeness. This list, however, is not to be taken as complete. I
merely brute-forced through the entire UTF-8 character space and
parsed the logs for single byte interpretations. I did not try any
multi-code point Unicode characters. I very likely made a mistake or

The first column is the character as IIS interpreted it. The second
column is the UTF-8 hex submitted. The third column is the Unicode
code point of the interpreted character. The fourth column is the
Unicode code point of the submitted character. This is a tab
delimited file to facilitate automated parsing.

I hope you find it educational. I have not tried to study the data
for any patterns that might aid IDS detection. If you find anything
useful, please let me know.

Network Security Consultant
Lucent Worldwide Services
"Long gone are the days when one's surname referred to the role
one had in the community."
PGP Key available from pgpkeys.mit.edu.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Martin
Sent: Wednesday, January 03, 2001 2:39 PM
To: Joe Stewart
Cc: snort-users at lists.sourceforge.net; ehacker at ...389...
Subject: Re: [Snort-users] IDS Evasion with Unicode

Snort can even miss some of the things that can be done that aren't
in the http preprocessor currently.  It'd be nice if Eric could
forward his list of applicable bytecodes so we can try to get full
coverage under the

Additionally, it might be nice to start thinking about doing proper
translation of UTF8 encoding and possibly full blown HTTP application
decoding.  If we did something like this, it'd be the first
decoder/detection system in Snort, but a good demo of our capability
to adapt Snort's detection system to changing network attack profiles.

One thing Eric didn't really mention in the article (although it'll
be well known to the people who are conversant in IDS technology) is
that since Snort is open source, you can incorporate a detection
system of your own design into the system, which you can't really do
with any of the other IDSs.  Additionally, due to the plugin
architecture of Snort you can potentially develop a much more high
performance implementation than you can with the programmable systems
since it doesn't try to protect you from yourself. :)  (Yes, you're
free to break it in any way you see

Anyway, it's a pretty good article and does a good job of
highlighting the problem us poor IDS programmers face when trying to
be all things to people.  :)


Joe Stewart wrote:
> On Wed, 03 Jan 2001, you wrote:
> > oh oh. This article at www.securityfocus.com wasn't any too
> > complimentary to snort :-( Now I'm wondering if I'm running anything
> > that's translating unicode that I don't know about. hmmmm. A little
> > knowledge is a scary thing...
> The CVS version of snort has unicode evasion alerting built in to
> the HTTP preprocessor. You will get a few false positives due to
> the use of non-ascii urlencodings in the occasional cookie string,
> but it will definitely catch all unicode overlong sequences,
> without the overhead of true unicode processing.
> -Joe
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: UTF8 Translations values.txt
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010105/8f7f2e4d/attachment.txt>
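Added example, not part of this thread and not Snort's or Eric's code: a small Python checker that does what Joe describes above, flagging overlong (non-shortest-form) UTF-8 in percent-encoded URL paths without full Unicode processing, plus a parser for the tab-delimited four-column layout Eric describes for the attached list. The sample rows are constructed for illustration, the code-point columns are assumed to be bare hex, and nothing here is taken from the real attachment.

```python
from urllib.parse import unquote_to_bytes


def lenient_utf8(data):
    """Walk bytes the way a permissive decoder does: accept any lead byte with
    the right number of continuation bytes and compute the code point WITHOUT
    checking shortest form. Yields (offset, raw_bytes, code_point); a byte that
    does not start a well-formed sequence is yielded with code_point None."""
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                       # plain ASCII
            yield i, data[i:i + 1], b
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            need, cp = 3, b & 0x07
        else:                              # stray continuation or invalid lead byte
            yield i, data[i:i + 1], None
            i += 1
            continue
        tail = data[i + 1:i + 1 + need]
        if len(tail) != need or any(t & 0xC0 != 0x80 for t in tail):
            yield i, data[i:i + 1], None   # truncated or malformed sequence
            i += 1
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        yield i, data[i:i + 1 + need], cp
        i += 1 + need


def shortest_len(cp):
    """Byte length of the shortest (the only valid) UTF-8 form of a code point."""
    return 1 if cp < 0x80 else 2 if cp < 0x800 else 3 if cp < 0x10000 else 4


def find_overlong(url_path):
    """Return [(offset, hex_bytes, code_point)] for every non-shortest-form
    sequence in a percent-encoded URL path. Properly encoded non-ASCII such as
    %C3%A9 is not reported, which keeps ordinary cookie-style encodings quiet."""
    raw = unquote_to_bytes(url_path)
    return [(off, seq.hex().upper(), cp)
            for off, seq, cp in lenient_utf8(raw)
            if cp is not None and len(seq) > shortest_len(cp)]


# Constructed sample in the four-column, tab-delimited layout Eric describes
# (interpreted char, submitted UTF-8 hex, interpreted code point, submitted
# code point). Code points are assumed to be bare hex; these rows are made up
# for illustration and are not taken from the real attachment.
SAMPLE_LIST = (
    "/\tC0AF\t002F\t002F\n"
    ".\tE080AE\t002E\t002E\n"
)


def parse_code_list(text):
    """Parse the list and, for each row, independently recompute whether the
    submitted bytes are an overlong form of the interpreted code point."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ch, hexbytes, cp_interp, cp_subm = line.split("\t")
        raw = bytes.fromhex(hexbytes)
        decoded = [cp for _, _, cp in lenient_utf8(raw)]
        interp = int(cp_interp, 16)
        consistent = decoded == [interp]   # lenient decode reproduces the logged char
        rows.append({
            "char": ch,
            "bytes": hexbytes,
            "interpreted": interp,
            "submitted": int(cp_subm, 16),
            "consistent": consistent,
            # the submitted bytes are longer than the shortest form of that code point
            "overlong": consistent and len(raw) > shortest_len(interp),
        })
    return rows


if __name__ == "__main__":
    for row in parse_code_list(SAMPLE_LIST):
        print(row)
    print(find_overlong("/cgi%C0%AFtest"), find_overlong("/caf%C3%A9"))
```

The shortest-form check is the whole trick: no table of bad sequences is needed, because any sequence whose byte count exceeds what its decoded code point requires is by definition overlong, and correctly encoded non-ASCII passes untouched.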
