[Snort-users] UTF-8 and Unicode packet content under snort 1.8.7

John Sage jsage at ...2022...
Sat Aug 17 09:22:03 EDT 2002


Hello world..

I'm currently involved in a discussion on another list where the
poster is stating that a Linux-based snort host, not updated to
properly handle UTF-8/Unicode encodings, will not correctly represent
binary-logged packet content that contains UTF-8/Unicode characters.

The specific issue is the representation of IIS/Unicode directory
traversal exploits.

I'm seeing, for example (which may not be the best example..):

<snip>
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
 G  E  T     /  s  c  r  i  p  t  s  /  .  .  %

32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65  2f../winnt/syste
 2  f  .  .  /  w  i  n  n  t  /  s  y  s  t  e
<snip>

<snip>
47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E 25 35 63  GET /msadc/..%5c
 G  E  T     /  m  s  a  d  c  .  .  .  %  5  c

2E 2E 2F 2E 2E 25 35 63 2E 2E 2F 2E 2E 25 35 63  ../..%5c../..%5c
 .  .  /  .  .  %  5  c  .  .  /  .  .  /  5  c

2F 2E 2E 35 35 2E 2E 2F 2E 2E 63 31 2E 2E 2F 2E  /..55../..c1../.
 /  .  .  5  5  .  .  /  .  .  c  1  .  .  /  .
<snip>

and the other poster is saying that this is misrepresented,
particularly the %5c.

To quote him:

<snip>
"...Yes - or at least inappropriately for comparison with attack signatures of
IIS Unicode directory traversal attempts on the Web. I believe that there is
some sort of inappropriate translation on the way from the binary packet
capture to the logs..."
<snip>
"...I have not figured out how %c0%af (a standard "overly long" encoding Unicode
attack) eventually gets translated to %c on your system and others. I think
I'd have to start at a binary level and get a stronger grasp of Unicode
encoding options to provide a transformation. It is an exact match though
for Bill McCarty's %c0%af capture that was altered in his email to %c..."
<snip>


I'm saying hex is hex...

What think ye?

I'm running snort 1.8.7 on a 2.2.14 kernel firewall box..


- John
-- 
Most people don't type their own logfiles;  but, what do I care?

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
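An added example, not part of the original post, to back up the "hex is hex" point: the `%c0%af` and `..%5c` forms are plain ASCII bytes on the wire, so a byte-for-byte dump cannot alter them, and any translation happens only when something percent-decodes the request and then decodes the result as UTF-8. The sample requests are constructed; `hexdump`, `lenient_utf8` and `analyze` are names chosen here.

```python
# Added example, not from the original post. Sample requests are constructed.
from urllib.parse import unquote_to_bytes

SAMPLE_REQUEST = b"GET /scripts/..%c0%af../winnt/system32/ HTTP/1.0\r\n"

def hexdump(data: bytes) -> list:
    """Dump bytes like the post's log: 16 hex bytes, then printable ASCII."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{hexpart:<47}  {text}")
    return lines

def lenient_utf8(raw: bytes):
    """Decode like a lenient server that accepts overlong 2-byte forms and
    report each overlong sequence; a strict decoder rejects them outright."""
    out, findings, i = [], [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            if cp < 0x80:  # an ASCII code point in a 2-byte form is overlong
                findings.append(f"overlong U+{cp:04X} ({chr(cp)!r}) at byte {i}")
            out.append(chr(cp)); i += 2
        else:  # 3/4-byte forms and stray bytes are out of scope for this case
            out.append("\ufffd"); i += 1
    return "".join(out), findings

def analyze(request: bytes) -> dict:
    """Wire-level hex, strict-decoder verdict, lenient text, traversal check."""
    decoded = unquote_to_bytes(request)   # %XX escapes become raw bytes
    text, findings = lenient_utf8(decoded)
    try:
        decoded.decode("utf-8"); strict_ok = True
    except UnicodeDecodeError:
        strict_ok = False
    normalized = text.replace("\\", "/")  # ..%5c is just an ASCII backslash
    return {"hex": hexdump(request), "strict_ok": strict_ok, "text": text,
            "findings": findings, "traversal": "/../" in normalized}
```

The first dump line of `SAMPLE_REQUEST` reproduces the `47 45 54 20 2F 73 ... 2E 2E 25` row quoted above; the overlong form only turns into `/` inside `lenient_utf8`, which is the step a detector has to emulate, while Python's strict decoder refuses the bytes.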