[Snort-users] UTF-8 and Unicode packet content under snort 1.8.7

John Sage jsage at ...2022...
Sat Aug 17 10:33:02 EDT 2002


/* loves replying to his own posts */

And in fact, locale -m on my firewall host returns:

UTF-8

and

UTF8

So, is this [below..] a non-issue for snort 1.8.7?


- John

On Sat, Aug 17, 2002 at 09:21:11AM -0700, John Sage wrote:
> Hello world..
> 
> I'm currently involved in a discussion on another list where the
> poster is stating that a Linux-based snort host, not updated to
> properly handle UTF-8/Unicode encodings, will not correctly represent
> binary-logged packet content that contains UTF-8/Unicode characters.
> 
> The specific issue is the representation of IIS/Unicode directory
> traversal exploits.
> 
> I'm seeing, for example (which may not be the best example..):
> 
> <snip>
> 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
>  G  E  T     /  s  c  r  i  p  t  s  /  .  .  %
> 
> 32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65  2f../winnt/syste
>  2  f  .  .  /  w  i  n  n  t  /  s  y  s  t  e
> <snip>
> 
> <snip>
> 47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E 25 35 63  GET /msadc/..%5c
>  G  E  T     /  m  s  a  d  c  .  .  .  %  5  c
> 
> 2E 2E 2F 2E 2E 25 35 63 2E 2E 2F 2E 2E 25 35 63  ../..%5c../..%5c
>  .  .  /  .  .  %  5  c  .  .  /  .  .  /  5  c
> 
> 2F 2E 2E 35 35 2E 2E 2F 2E 2E 63 31 2E 2E 2F 2E  /..55../..c1../.
>  /  .  .  5  5  .  .  /  .  .  c  1  .  .  /  .
> <snip>
> 
> and the other poster is saying that this is misrepresented,
> particularly the %5c.
> 
> To quote him:
> 
> <snip>
> "...Yes - or at least inappropriately for comparison with attack signatures of
> IIS Unicode directory traversal attempts on the Web. I believe that there is
> some sort of inappropriate translation on the way from the binary packet
> capture to the logs..."
> <snip>
> "...I have not figured out how %c0%af (a standard "overly long" encoding Unicode
> attack) eventually gets translated to %c on your system and others. I think
> I'd have to start at a binary level and get a stronger grasp of Unicode
> encoding options to provide a transformation. It is an exact match though
> for Bill McCarty's %c0%af capture that was altered in his email to %c..."
> <snip>
> 
> 
> I'm saying hex is hex...
> 
> What think ye?
> 
> I'm running snort 1.8.7 on a 2.2.14 kernel firewall box..
> 
> 
> - John
> -- 
> Most people don't type their own logfiles;  but, what do I care?
> 
> PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
> Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
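As an added example that is not part of this thread or of Snort itself, the Python script below shows the "hex is hex" point: it renders a payload in the same hex-plus-ASCII layout as the dumps quoted above (the hex column is the wire bytes, the ASCII column only a rendering, so %c0%af and %5c appear exactly as they were sent), and then, as a detector would, percent-decodes a request path and flags overlong two-byte UTF-8 sequences such as C0 AF before looking for ../ or ..\ segments. The request lines are constructed from path fragments quoted in the post; snort_style_dump, percent_decode, overlong_utf8, fold_overlong and analyse_uri are names chosen here, not Snort functions.

```python
import re
from typing import Dict, List

def snort_style_dump(payload: bytes, width: int = 16) -> List[str]:
    """Render raw payload bytes as a hex column followed by the printable-ASCII
    rendering of the same bytes, the layout used in the dumps quoted above.
    Nothing is decoded here: a 0x25 byte is always shown as '%'."""
    lines = []
    for off in range(0, len(payload), width):
        chunk = payload[off:off + width]
        hexcol = " ".join(f"{b:02X}" for b in chunk)
        ascii_col = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{hexcol:<{width * 3 - 1}}  {ascii_col}")
    return lines

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
TRAVERSAL = re.compile(rb"\.\.[/\\]")

def percent_decode(raw: bytes) -> bytes:
    """One round of %XX decoding, byte for byte, with no charset assumed."""
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def overlong_utf8(data: bytes) -> List[bytes]:
    """Two-byte sequences led by C0 or C1 encode code points below U+0080 in more
    bytes than needed; a strict UTF-8 decoder rejects them, a lenient one yields
    an ASCII byte such as '/' (C0 AF) or '\\' (C1 9C)."""
    return [data[i:i + 2] for i in range(len(data) - 1)
            if data[i] in (0xC0, 0xC1) and 0x80 <= data[i + 1] < 0xC0]

def fold_overlong(data: bytes) -> bytes:
    """Replace each overlong sequence by the ASCII byte a lenient decoder would
    produce, so a traversal hidden behind %c0%af becomes visible to TRAVERSAL."""
    for seq in overlong_utf8(data):
        data = data.replace(seq, bytes([((seq[0] & 0x1F) << 6) | (seq[1] & 0x3F)]))
    return data

def analyse_uri(uri: bytes) -> Dict[str, object]:
    """What a detector sees before and after folding overlong sequences."""
    decoded = percent_decode(uri)
    folded = fold_overlong(decoded)
    return {"overlong": overlong_utf8(decoded),
            "traversal_raw": len(TRAVERSAL.findall(decoded)),
            "traversal_folded": len(TRAVERSAL.findall(folded))}

if __name__ == "__main__":
    # Constructed request lines, assembled from path fragments quoted in the post.
    for req in (b"GET /scripts/..%2f../winnt/syste", b"GET /msadc/..%5c../..%5c",
                b"GET /scripts/..%c0%af../winnt/"):
        print("\n".join(snort_style_dump(req)))
        print(analyse_uri(req.split(b" ")[1]))
```

The first request reproduces the two dump lines quoted above byte for byte; the third shows that a %c0%af segment is only counted as a traversal once the overlong sequence is folded.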