RFP's whisker (wiretrip.net) uses various methods to defeat pattern-matching IDS. I believe one of these methods is the use of Unicode. So, based on this information, I would gather that it IS a worthwhile technique since it's in active use "in the wild".

How does RealSecure stack up with regards to protecting IIS? Does anyone have any experience with this? We are thinking of a RealSecure implementation at one of my places of employ.

Thanks,
Curt Wilson
Netw3 Consulting

> But my point was more about using Unicode to hide the ".exe" string (and others like "rdisk", "TFTP"). The goal being, is this a worthwhile technique for testing IDSs, or is it too trivial?
>
> Here are portions from my IIS 4 log. The first has spaces in place of the Unicode I used; the second and third show strings that are decoded from the Unicode. In all cases, a legit string is obscured on the wire (inbound) and in the IIS logs.
>
> GET, /winnt/system32/cmd.exe, /c+dir+C:/,
> GET, /scripts/..=C0%9v../winnt/system32/cmd.exe, /c+dir,
> GET, /scripts/..=C1%8s../winnt/system32/cmd.exe, /c+dir,
>
> Again, thanks much for all the feedback!
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> | Curt R. Wilson * Netw3 Consulting * www.netw3.com |
> | Internet Security, Networking, PC tech, WWW hosting |
> | Netw3 Security Reading Room : www.netw3.com/documents.html |
> | Serving Southern Illinois locally and the world virtually |
> | netw3at_private 618-303-NET3 |
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
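Added illustration of the technique the thread is discussing. This is example code written for this archive page; it is not code from the post, from whisker or from RealSecure, and the signature, the request line, the log-style sample and all function names are hypothetical. It encodes the characters of ".exe" (and the traversal dots) as percent-encoded overlong UTF-8, shows that a signature run over the raw request misses, and shows the same signature firing once the request is canonicalised the way the permissive server decoder of the day would. It also shows the other defensible IDS policy: a strict RFC 3629 decoder rejects the overlong form outright, so the encoding itself can be alerted on.

```python
import re

# Hypothetical IDS signature (not RealSecure's or whisker's): a naive
# string-matching engine looking for "cmd.exe" anywhere in the request line.
SIGNATURE = re.compile(rb"cmd\.exe", re.IGNORECASE)

# Constructed request line modelled on the post's log entries; not the real log.
PLAIN_REQUEST = "/scripts/../../winnt/system32/cmd.exe?/c+dir+c:\\"


def overlong_utf8(ch: str, nbytes: int = 2) -> bytes:
    """Encode one ASCII character as a non-shortest ("overlong") UTF-8 sequence.

    RFC 3629 forbids these forms, but the IIS decoder of the time accepted
    them, so %C0%AE decoded to '.' and %C0%AF to '/'.
    """
    cp = ord(ch)
    if cp >= 0x80:
        raise ValueError("only ASCII characters are obscured here")
    if nbytes == 2:
        return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
    if nbytes == 3:  # cp < 0x80, so the lead byte is always 0xE0
        return bytes([0xE0, 0x80 | (cp >> 6), 0x80 | (cp & 0x3F)])
    raise ValueError("nbytes must be 2 or 3")


def obscure(url: str, targets: str, nbytes: int = 2) -> str:
    """Percent-encode every character of `targets` in `url` as overlong UTF-8."""
    return "".join(
        "".join("%%%02X" % b for b in overlong_utf8(ch, nbytes)) if ch in targets else ch
        for ch in url
    )


def percent_decode(url: str) -> bytes:
    """Undo %XX escapes into raw bytes; no character-set interpretation yet."""
    out = bytearray()
    i = 0
    while i < len(url):
        if (url[i] == "%" and i + 2 < len(url)
                and all(c in "0123456789abcdefABCDEF" for c in url[i + 1:i + 3])):
            out.append(int(url[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(url[i].encode("utf-8"))
            i += 1
    return bytes(out)


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 without rejecting overlong sequences, i.e. the way the
    vulnerable server did. An IDS that canonicalises has to decode the way
    the *target* does, or the two disagree about what the request says."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < n and data[i + 1] & 0xC0 == 0x80:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b < 0xF0 and i + 2 < n
              and data[i + 1] & 0xC0 == 0x80 and data[i + 2] & 0xC0 == 0x80):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6)
                           | (data[i + 2] & 0x3F)))
            i += 3
        else:
            out.append("\ufffd")  # malformed byte: substitute and keep going
            i += 1
    return "".join(out)


def strict_utf8_decode(data: bytes):
    """RFC 3629 decoding (Python's default) rejects overlong forms outright;
    returns None on rejection so the caller can alert on the encoding itself."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def matches_on_wire(url: str) -> bool:
    """What a naive signature engine sees: the request bytes as sent."""
    return SIGNATURE.search(url.encode("utf-8")) is not None


def matches_after_canonicalising(url: str) -> bool:
    """The same signature applied after decoding as the target server would."""
    decoded = lenient_utf8_decode(percent_decode(url))
    return SIGNATURE.search(decoded.encode("utf-8")) is not None


if __name__ == "__main__":
    for nbytes in (2, 3):
        wire = obscure(PLAIN_REQUEST, ".ex", nbytes)
        print(wire)
        print("  naive match:    ", matches_on_wire(wire))
        print("  canonical match:", matches_after_canonicalising(wire))
        print("  strict decoder: ", strict_utf8_decode(percent_decode(wire)))
```

Two-byte forms give the familiar %C0%AE for '.' and %C1%A5 / %C1%B8 for 'e' / 'x'; the three-byte variant (%E0%80%AE and so on) evades a signature that was widened only to the %C0/%C1 lead bytes, which is why canonicalising before matching, or rejecting non-shortest forms altogether, beats adding encoded variants of each string to the signature set.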
This archive was generated by hypermail 2b30 : Wed Jun 06 2001 - 06:54:42 PDT