Archive: http://msgs.securepoint.com/ids FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html HELP: Having problems... email questions to ids-ownerat_private NOTE: Remove this section from reply msgs otherwise the msg will bounce. SPAM: DO NOT send unsolicted mail to this list. UNSUBSCRIBE: email "unsubscribe ids" to majordomoat_private ----------------------------------------------------------------------------- Jackie Chan wrote: > > Eric, I'm with you on the inability for large companies to act quickly > with their technology, but uber fast on the marketing and spin... but the > following passage form your email seems to miss its mark with me: > > "There is no simple pattern matching facility that will work for UTF-8 > encoding, unlike %u encoding." > > My question is, and forgive me if i'm being over simplistic here, but if > "there is no simple pattern matching facility", then how exactly does it > get decoded at the destination. It seems to me that if IIS can do it on > the fly, that somewhere in the packet toss algorithms of IDS such a thing > could be flagged or ruled out. > > Now obviously the location at which this check either gets performed, or > does not, needs to be well qualified. > > -blue0ne > > -- > -blue0ne > http://www.digitz.org > > "The great bulk of my wealthy and educated friends regard me as a dangerous crank." > - Theodore Roosevelt It's called URI normalization and it's how many a detection engine implement decoding of both utf-8 encoded URIs as well as %u encoded URIs. To Erik's point, I think we all realize it's easier to cast stones than to do the requisite research and actually solve a problem. -Jeff -- http://jeff.wwti.com (pgp key available) "Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein
This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 02:15:21 PDT