RE: IDS and Unicode

From: Parth Galen (Parth_Galenat_private)
Date: Tue Jun 05 2001 - 09:43:53 PDT


    Kevin (and all the others who have replied), thanks MUCH. I appreciate the helpful feedback.
    
    You are so right! There will be (many) Unicode strings that are completely legit (space, ;, :). You would need to take your site's use of Unicode strings into consideration before filtering any Unicode.
    
    But my point was more about using Unicode to hide the ".exe" string (and others like "rdisk", "TFTP"). The goal being, is this a worthwhile technique for testing IDSs, or is it too trivial?
    
    Here are portions from my IIS 4 log. The first has spaces in place of the Unicode I used, the second and third show strings that are decoded from the Unicode. In all cases, a legit string is obscured on the wire (inbound), and in the IIS logs.
    
    GET, /winnt/system32/cmd.exe, /c+dir+C:/,
    GET, /scripts/..=C0%9v../winnt/system32/cmd.exe, /c+dir,
    GET, /scripts/..=C1%8s../winnt/system32/cmd.exe, /c+dir,
    
    Again, thanks much for all the feedback!
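Since the question above is whether hiding ".exe" (and the "/" after "..") behind %XX escapes and overlong UTF-8 defeats a string-matching IDS, here is an added example, my own code rather than anything from the post or from IIS, of the canonicalization a detector has to perform before matching: it decodes %XX escapes, then accepts overlong two-byte UTF-8 forms the way the permissive IIS decoder did, so the hidden "/", "\" and "." reappear and the signatures fire. The sample request paths and the signature list are constructed for this example.

```python
import re

# Constructed sample request paths (not from the original post): a plain one, two
# with the separator after ".." hidden as overlong UTF-8 and ".exe" behind %2E,
# and a harmless path that carries genuine UTF-8.
SAMPLE_REQUESTS = [
    "/winnt/system32/cmd.exe",
    "/scripts/..%c0%af../winnt/system32/cmd%2Eexe",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe",
    "/docs/caf%C3%A9.html",
]
# Strings the IDS should match, but only after the request is canonicalized.
SIGNATURES = ("cmd.exe", "../", "..\\", "rdisk", "tftp")
_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")

def percent_decode(path: str) -> bytes:
    """Turn each %XX escape into one byte; malformed escapes stay literal."""
    out, i = bytearray(), 0
    while i < len(path):
        if path[i] == "%" and _HEX2.fullmatch(path[i + 1:i + 3]):
            out.append(int(path[i + 1:i + 3], 16)); i += 3
        else:
            out += path[i].encode("utf-8"); i += 1
    return bytes(out)

def loose_utf8(data: bytes) -> str:
    """Decode like the permissive IIS decoder: any C0..DF lead byte plus a
    continuation byte becomes a code point, even overlong forms of ASCII
    (C0 AF -> '/', C1 9C -> '\\'), which Python's strict codec would reject."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        else:  # ASCII, 3/4-byte sequences or stray bytes: one unit via the standard codec
            n = 3 if 0xE0 <= b <= 0xEF else 4 if 0xF0 <= b <= 0xF7 else 1
            out.append(data[i:i + n].decode("utf-8", errors="replace")); i += n
    return "".join(out)

def normalize(path: str) -> str:
    """Canonical form used for matching: decode, then fold case."""
    return loose_utf8(percent_decode(path)).lower()

def matched_signatures(path: str) -> list:
    canon = normalize(path)
    return [s for s in SIGNATURES if s in canon]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:50} -> {normalize(req)!r} {matched_signatures(req)}")
```

The same decoder also leaves genuine UTF-8 such as "caf%C3%A9" intact, which is the caveat raised earlier in the thread: canonicalize before matching rather than filtering Unicode wholesale.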
    
    This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 12:49:30 PDT