Snort mailing list archives
Re: UTF-8 and Unicode packet content under snort 1.8.7
From: John Sage <jsage () finchhaven com>
Date: Sat, 17 Aug 2002 10:32:17 -0700
/* loves replying to his own posts */

And in fact, locale -m on my firewall host returns:

UTF-8
UTF8

So, is this [below..] a non-issue for snort 1.8.7?

- John

On Sat, Aug 17, 2002 at 09:21:11AM -0700, John Sage wrote:
Hello world..

I'm currently involved in a discussion on another list where the poster is stating that a Linux-based snort host, not updated to properly handle UTF-8/Unicode encodings, will not correctly represent binary-logged packet content that contains UTF-8/Unicode characters.

The specific issue is the representation of IIS/Unicode directory traversal exploits.

I'm seeing, for example (which may not be the best example..):

<snip>
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
G E T / s c r i p t s / . . %
32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65  2f../winnt/syste
2 f . . / w i n n t / s y s t e
<snip>

<snip>
47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E 25 35 63  GET /msadc/..%5c
G E T / m s a d c . . . % 5 c
2E 2E 2F 2E 2E 25 35 63 2E 2E 2F 2E 2E 25 35 63  ../..%5c../..%5c
. . / . . % 5 c . . / . . / 5 c
2F 2E 2E 35 35 2E 2E 2F 2E 2E 63 31 2E 2E 2F 2E  /..55../..c1../.
/ . . 5 5 . . / . . c 1 . . / .
<snip>

and the other poster is saying that this is misrepresented, particularly the %5c.

To quote him:

<snip>
"...Yes - or at least inappropriately for comparison with attack signatures of IIS Unicode directory traversal attempts on the Web. I believe that there is some sort of inappropriate translation on the way from the binary packet capture to the logs..."
<snip>

<snip>
"...I have not figured out how %c0%af (a standard "overly long" encoding Unicode attack) eventually gets translated to %c on your system and others. I think I'd have to start at a binary level and get a stronger grasp of Unicode encoding options to provide a transformation. It is an exact match though for Bill McCarty's %c0%af capture that was altered in his email to %c..."
<snip>

I'm saying hex is hex...

What think ye?

I'm running snort 1.8.7 on a 2.2.14 kernel firewall box..

- John

-- 
Most people don't type their own logfiles; but, what do I care?
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
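The question the thread turns on, whether a logging host's locale can change what a hex dump shows, and what the %5c, %2f and %c0%af sequences in those captures actually encode, can be checked directly on the bytes. The Python below is an added worked example; it is not code from the original messages or from Snort, and the request line it uses is constructed to resemble the truncated captures quoted above, not a copy of any packet on the page. It hex-dumps raw bytes using nothing but integer formatting (so no locale or charset setting can alter the hex column), percent-decodes the request target, flags overlong UTF-8 sequences such as C0 AF (an overlong encoding of '/') and C1 9C (an overlong encoding of '\'), shows that a standards-conforming UTF-8 decoder rejects them while a tolerant decoder of the kind the IIS Unicode traversal depended on maps them to path separators, and resolves the decoded target to see whether it climbs above the web root. All function names and the lenient decoder are illustrative choices made here, not anything the thread or Snort defines.

```python
import re

# Constructed sample request line, modelled on the truncated captures quoted in
# the thread; illustrative only, not a byte-for-byte copy of any dump on the page.
SAMPLE_REQUEST = (
    b"GET /msadc/..%5c../..%5c../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
)

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def hexdump(data, width=16):
    """Render bytes as hex plus printable ASCII, like an IDS payload log.

    Only integer formatting is involved: no locale, charset or terminal
    setting is consulted, so byte 0x5C prints as '5C' whatever LANG says.
    """
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02X" % b for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%-*s  %s" % (width * 3 - 1, hexpart, text))
    return lines


def percent_decode(raw):
    """One round of %XX decoding; returns bytes, with no charset applied yet."""
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def utf8_sequences(data):
    """Yield (offset, length, codepoint, overlong) for each well-formed 2- or
    3-byte UTF-8 sequence in data.  A sequence is overlong when the code point
    it encodes would fit in fewer bytes (e.g. C0 AF for U+002F '/')."""
    i = 0
    while i < len(data):
        b = data[i]
        tail = data[i + 1:i + 3]
        if 0xC0 <= b <= 0xDF and len(tail) >= 1 and 0x80 <= tail[0] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (tail[0] & 0x3F)
            yield i, 2, cp, cp < 0x80
            i += 2
        elif (0xE0 <= b <= 0xEF and len(tail) == 2
              and all(0x80 <= c <= 0xBF for c in tail)):
            cp = ((b & 0x0F) << 12) | ((tail[0] & 0x3F) << 6) | (tail[1] & 0x3F)
            yield i, 3, cp, cp < 0x800
            i += 3
        else:
            i += 1


def strict_utf8_ok(data):
    """True if a conforming decoder accepts data; overlong forms are rejected."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def lenient_utf8(data):
    """Decode as a decoder that tolerates overlong forms would: every 2/3-byte
    sequence maps to its code point even when overlong, other bytes map 1:1.
    This models the tolerant behaviour the IIS Unicode traversal relied on."""
    seqs = {off: (length, cp) for off, length, cp, _ in utf8_sequences(data)}
    out, i = [], 0
    while i < len(data):
        if i in seqs:
            length, cp = seqs[i]
            out.append(chr(cp))
            i += length
        else:
            out.append(chr(data[i]))
            i += 1
    return "".join(out)


def escapes_root(target):
    """Resolve a request target treating both '/' and '\\' as separators
    (Windows semantics); True if '..' ever climbs above the web root."""
    depth = 0
    for seg in target.split("?")[0].replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def traversal_report(raw_request):
    """Summarise what the percent-encoded bytes in a request line really are."""
    target = raw_request.split(b" ")[1]
    decoded = percent_decode(target)
    lenient = lenient_utf8(decoded)
    return {
        "percent": [(m.group(0).decode("ascii"), int(m.group(1), 16))
                    for m in PCT.finditer(target)],
        "overlong": [(decoded[o:o + n].hex(), chr(cp))
                     for o, n, cp, over in utf8_sequences(decoded) if over],
        "strict_utf8_ok": strict_utf8_ok(decoded),
        "lenient_target": lenient,
        "escapes_root": escapes_root(lenient),
    }


if __name__ == "__main__":
    for line in hexdump(SAMPLE_REQUEST):
        print(line)
    for key, value in traversal_report(SAMPLE_REQUEST).items():
        print("%-16s %r" % (key, value))
```

Run stand-alone under any LANG or LC_ALL setting and the hex column is identical, because each byte is formatted as an integer; a logged "25 35 63" / "%5c" is therefore a literal record of the wire bytes, not a translation. The decoded %5c is 0x5C, the backslash, which Windows path handling treats as a directory separator; %c0%af is a different thing, a two-byte sequence that only becomes '/' in a decoder willing to accept overlong forms, and Python's strict codec refuses it outright.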
Current thread:
- UTF-8 and Unicode packet content under snort 1.8.7 John Sage (Aug 17)
- Re: UTF-8 and Unicode packet content under snort 1.8.7 John Sage (Aug 17)
- Re: UTF-8 and Unicode packet content under snort 1.8.7 J. Craig Woods (Aug 17)
- Re: UTF-8 and Unicode packet content under snort 1.8.7 John Sage (Aug 17)
- Re: UTF-8 and Unicode packet content under snort 1.8.7 Chris Green (Aug 17)
- Re: UTF-8 and Unicode packet content under snort 1.8.7 John Sage (Aug 18)