[Snort-users] UTF-8 and Unicode packet content under snort 1.8.7
jsage at ...2022...
Sat Aug 17 10:33:02 EDT 2002
/* loves replying to his own posts */
And in fact, locale -m on my firewall host returns:
So, is this [below..] a non-issue for snort 1.8.7?
On Sat, Aug 17, 2002 at 09:21:11AM -0700, John Sage wrote:
> Hello world..
> I'm currently involved in a discussion on another list where the
> poster is stating that a Linux-based snort host, not updated to
> properly handle UTF-8/Unicode encodings, will not correctly represent
> binary-logged packet content that contains UTF-8/Unicode characters.
> The specific issue is the representation of IIS/Unicode directory
> traversal exploits.
> I'm seeing, for example (which may not be the best example..):
> 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
> G E T / s c r i p t s / . . %
> 32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 2f../winnt/syste
> 2 f . . / w i n n t / s y s t e
> 47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E 25 35 63 GET /msadc/..%5c
> G E T / m s a d c . . . % 5 c
> 2E 2E 2F 2E 2E 25 35 63 2E 2E 2F 2E 2E 25 35 63 ../..%5c../..%5c
> . . / . . % 5 c . . / . . / 5 c
> 2F 2E 2E 35 35 2E 2E 2F 2E 2E 63 31 2E 2E 2F 2E /..55../..c1../.
> / . . 5 5 . . / . . c 1 . . / .
> and the other poster is saying that this is misrepresented,
> particularly the %5c.
> To quote him:
> "...Yes - or at least inappropriately for comparison with attack signatures of
> IIS Unicode directory traversal attempts on the Web. I believe that there is
> some sort of inappropriate translation on the way from the binary packet
> capture to the logs..."
> "...I have not figured out how %c0%af (a standard "overly long" encoding Unicode
> attack) eventually gets translated to %c on your system and others. I think
> I'd have to start at a binary level and get a stronger grasp of Unicode
> encoding options to provide a transformation. It is an exact match though
> for Bill McCarty's %c0%af capture that was altered in his email to %c..."
> I'm saying hex is hex...
> What think ye?
> I'm running snort 1.8.7 on a 2.2.14 kernel firewall box..
> - John
> Most people don't type their own logfiles; but, what do I care?
> PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
> Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
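The question in the thread is whether a Snort host's locale can change what the packet dump shows for bytes such as %5c or %c0%af. As an added example (not part of the post above and not Snort's own code), the Python below renders constructed request lines as a Snort-style hex dump, URL-decodes them, and compares a strict UTF-8 decode with a lenient one that folds overlong two-byte sequences, then shows why a traversal check has to run after that decoding. The sample request lines are constructed, modelled on the dumps quoted in the post; `normalize_overlong` is a simplified stand-in for the overlong-acceptance behaviour the IIS traversal relied on, not IIS code; all function names are chosen here.

```python
"""Added example (not part of the post above, nor Snort's own code).

Shows (1) that a Snort-style hex dump is a pure byte-to-text rendering,
independent of the host locale, (2) what %2f, %5c and the overlong %c0%af
actually decode to, and (3) why a traversal detector must match after
decoding rather than on the raw bytes.
"""
from urllib.parse import unquote_to_bytes

# Constructed request lines modelled on the dumps quoted in the post
# (sample data, not captured traffic).
SAMPLES = {
    "percent_2f": b"GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir",
    "percent_5c": b"GET /msadc/..%5c../..%5c../..%5c/..winnt/system32/cmd.exe",
    "overlong": b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    # every separator encoded, so no literal '../' survives on the wire
    "overlong_all": b"GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir",
}


def hexdump(data: bytes, width: int = 16) -> list:
    """Render bytes as Snort-style '47 45 54 ...  GET ...' lines.

    Each byte is printed as two hex digits; the ASCII column shows the byte
    itself if it is printable 7-bit ASCII, otherwise '.'. Nothing here
    consults a locale or character set, so the dump is the same on any host.
    """
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02X" % b for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append("%-*s  %s" % (width * 3 - 1, hexpart, asc))
    return lines


def normalize_overlong(data: bytes) -> bytes:
    """Fold 2-byte overlong UTF-8 sequences (lead byte C0 or C1) to the single
    ASCII byte they encode, e.g. C0 AF -> 0x2F '/', C1 9C -> 0x5C '\\'.

    Strict UTF-8 forbids these; this simplified lenient decoder (an assumption
    standing in for the behaviour the IIS traversal abused, not IIS code)
    accepts them. Every other byte is passed through untouched.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def analyse(raw: bytes) -> dict:
    """Decode one request line the way the parties in the thread see it."""
    decoded = unquote_to_bytes(raw)        # b'%c0%af' (6 ASCII bytes) -> b'\xc0\xaf'
    try:
        strict = decoded.decode("utf-8")   # a strict decoder rejects C0 AF
    except UnicodeDecodeError:
        strict = None
    lenient = normalize_overlong(decoded).decode("utf-8", errors="replace")
    return {"dump": hexdump(raw), "decoded": decoded,
            "strict": strict, "lenient": lenient}


def raw_match(raw: bytes) -> bool:
    """Naive signature: look for '../' or '..\\' in the bytes as captured."""
    return b"../" in raw or b"..\\" in raw


def has_traversal(raw: bytes) -> bool:
    """Match after percent-decoding and overlong folding, as a detector must."""
    path = normalize_overlong(unquote_to_bytes(raw)).decode("utf-8", errors="replace")
    return "../" in path or "..\\" in path


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        info = analyse(raw)
        print("==", name)
        print("\n".join(info["dump"]))
        print("strict utf-8 :", info["strict"])
        print("lenient      :", info["lenient"])
        print("raw match    :", raw_match(raw), " after decode:", has_traversal(raw))
```

The wire never carries the bytes C0 AF: it carries the six ASCII bytes 25 63 30 25 61 66 ("%c0%af"), which is what any hex dump shows on any host. C0 AF only exists after a URL decoder has run, a strict UTF-8 decoder then rejects it, and only a lenient one turns it into "/". That is also why the "overlong_all" sample evades a raw "../" signature but not a check made after decoding.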