Penetration Testing mailing list archives

RE: IDS and Unicode


From: Parth Galen <Parth_Galen () ziplip com>
Date: 5 Jun 2001 16:43:53 -0000

Kevin (and all the others who have replied), thanks MUCH. I appreciate the helpful feedback.

You are so right! There will be (many) Unicode strings that are completely legit (space,;:). You would need to take your site's use of Unicode strings into consideration before filtering any Unicode.

But my point was more about using Unicode to hide the ".exe" string (and others like "rdisk", "TFTP"). The goal being, 
is this a worthwhile technique for testing IDSs, or is it too trivial?

Here are portions from my IIS 4 log. The first has spaces in place of the Unicode I used, the second and third show 
strings that are decoded from the Unicode. In all cases, a legit string is obscured on the wire (inbound), and in the 
IIS logs.

GET, /winnt/system32/cmd.exe, /c+dir+C:/,
GET, /scripts/..=C0%9v../winnt/system32/cmd.exe, /c+dir,
GET, /scripts/..=C1%8s../winnt/system32/cmd.exe, /c+dir,

Again, thanks much for all the feedback!
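The post's point is that a signature like "cmd.exe" or ".exe" can be hidden on the wire by encoding characters as (overlong) UTF-8 percent sequences, so an IDS that pattern-matches raw request bytes never sees the string. The usual defensive answer is to canonicalize the request the way the target server would before matching. The following is an added example written for this archive, not code from the original poster or from any IDS product: it percent-decodes a request path (bounded, so double encoding like %25 is also unwrapped), decodes UTF-8 leniently so that overlong two- and three-byte forms collapse to the ASCII character they encode, and only then checks a small signature list. The signature list and all sample requests are constructed for the demonstration.

```python
"""Canonicalize percent-encoded / overlong-UTF-8 request paths before IDS signature matching.

Added example, not part of the original mailing-list post. All sample requests and the
signature list below are constructed for illustration.
"""
import re
from typing import List

# Strings the post names as worth hiding from an IDS, plus traversal markers (assumed list).
SIGNATURES = ("cmd.exe", "rdisk", "tftp", "../", "..\\")

_PCT = re.compile(rb"%([0-9a-fA-F]{2})")


def percent_decode(data: bytes) -> bytes:
    """One pass of %XX -> raw byte. Called repeatedly to unwrap double encoding."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 the way a permissive server-side decoder does: a 2- or 3-byte
    sequence is accepted even when it is an overlong form of an ASCII character
    (e.g. C0 AF -> '/', C1 9C -> '\\', C0 AE -> '.'). Python's strict codec
    rejects these, so the code point is computed by hand; anything else that is
    not valid becomes U+FFFD."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and all(0x80 <= x <= 0xBF for x in data[i + 1:i + 3])):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp))
            i += 3
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode (bounded number of rounds) and then UTF-8-decode leniently."""
    data = raw.encode("utf-8")
    for _ in range(max_rounds):
        decoded = percent_decode(data)
        if decoded == data:
            break
        data = decoded
    return lenient_utf8(data)


def raw_matches(raw: str) -> List[str]:
    """What a naive IDS sees when it matches signatures on the wire bytes as-is."""
    text = raw.lower()
    return [s for s in SIGNATURES if s in text]


def match_signatures(raw: str) -> List[str]:
    """Signature match after canonicalization; this is what the server actually executes."""
    text = canonicalize(raw).lower()
    return [s for s in SIGNATURES if s in text]


if __name__ == "__main__":
    # Constructed sample requests: encoded traversal and a hidden ".exe", plus a legit path.
    samples = [
        "/scripts/..%c0%af..%c0%afwinnt/system32/cmd%c0%aeexe?/c+dir",
        "/scripts/..%c1%9c..%c1%9cwinnt/system32/cmd.exe",
        "/scripts/..%255c../winnt/system32/cmd%252eexe",
        "/docs/caf%C3%A9%20menu.html",
    ]
    for s in samples:
        print(f"{s}\n  raw:   {raw_matches(s)}\n  canon: {match_signatures(s)}  <- {canonicalize(s)!r}")
```

The first sample is the case the post describes: on the wire neither "cmd.exe" nor "../" is present, so `raw_matches` returns nothing, while `match_signatures` flags both once the overlong sequences are decoded. The last sample (an accented filename and a space) decodes to an ordinary path and matches nothing, which is the "legit Unicode" case the reply points out must not be blocked. The practical caveat is that canonicalization must mirror the target server's decoder; decoding more or less permissively than IIS does reopens the gap in one direction or the other.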
