IDS and Unicode

From: Parth Galen (Parth_Galenat_private)
Date: Mon May 28 2001 - 10:10:04 PDT


    Recently I was pentesting a site and was noticed by a very good admin's homegrown IDS. His IDS was some batch files that keyed on ".exe" in the IIS logs. I have something similar on my sites, using Snort and scanning the IIS logs.
    
    So, I was thinking, could someone give me the Unicode-encoded string for "cmd.exe"? Then when pentesting sites like this (using a browser, .pl, or nc based call to the Unicode or Filename Double Decode exploits) I can also test their IDS. I would then recommend that they key on "%" when not followed by "20", since a "%" sign would be suspicious when not used to encode a space.
    
    Thanks for your time and effort! Any feedback would be much appreciated! 
    
    Parth 
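
Added example, not part of the original message: a log scanner that compares the literal ".exe" rule and the proposed "% not followed by 20" rule against a third rule that percent-decodes the URI until it stops changing and only then matches. The log layout, addresses and paths are constructed for illustration, and all function and field names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed, simplified log lines: date time client-ip method uri status.
SAMPLE_LOG = """\
2001-05-28 10:01:12 192.0.2.10 GET /default.asp 200
2001-05-28 10:01:40 192.0.2.10 GET /docs/annual%20report.htm 200
2001-05-28 10:01:55 192.0.2.10 GET /docs/r%C3%A9sum%C3%A9.htm 200
2001-05-28 10:02:05 192.0.2.77 GET /tools/setup.exe 200
2001-05-28 10:02:31 192.0.2.77 GET /tools/setup%2Eexe 404
2001-05-28 10:02:58 192.0.2.77 GET /tools/setup%252Eexe 404
"""

PLAIN_RULE = re.compile(r"\.exe", re.IGNORECASE)  # literal match, as in the batch files
ODD_PERCENT = re.compile(r"%(?!20)")              # "%" not followed by "20"
MAX_DECODE_PASSES = 5                             # bound on repeated decoding

def normalize(uri):
    """Percent-decode until the string stops changing; return (decoded, passes)."""
    passes = 0
    while passes < MAX_DECODE_PASSES:
        decoded = unquote(uri, encoding="latin-1")  # latin-1 maps every byte
        if decoded == uri:
            break
        uri, passes = decoded, passes + 1
    return uri, passes

def scan(log_text):
    """Return one dict per request holding each rule's verdict."""
    results = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue
        uri = fields[4]
        decoded, passes = normalize(uri)
        results.append({
            "uri": uri,
            "plain_exe": bool(PLAIN_RULE.search(uri)),
            "odd_percent": bool(ODD_PERCENT.search(uri)),
            "decoded_exe": bool(PLAIN_RULE.search(decoded)),
            "double_encoded": passes > 1,
        })
    return results

if __name__ == "__main__":
    for verdict in scan(SAMPLE_LOG):
        print(verdict)
```

On this sample the "%" rule also fires on the legitimately encoded non-ASCII filename, while matching after decoding flags only the three ".exe" requests; a URI that needs more than one decoding pass is worth alerting on by itself.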
    
    