IDS mailing list archives
Re: BARE BYTE UNICODE ENCODING
From: "Annie Green" <annie_r_green () hotmail com>
Date: Wed, 02 Jun 2004 08:54:06 +0800
Hi Adam,

How should I analyse further to find out the type of attack that my company got? Or if this is not an attack, how to find out which character in the packet actually triggers the alert?
Regards, A.
From: Adam Baldwin <baldwnad () yahoo com>
To: focus-ids () securityfocus com
CC: Annie Green <annie_r_green () hotmail com>
Subject: Re: BARE BYTE UNICODE ENCODING
Date: Tue, 1 Jun 2004 17:13:01 -0700 (PDT)

Comments inline...

> What does it mean if the packet that triggers this alert is the TCP "ACK"
> packet.

To understand some of the why aspects of why a signature is being triggered you need to understand the underlying protocol. I suggest TCP/IP Illustrated by W. Richard Stevens (ISBN: 0201633469).

After the 3-way TCP handshake (SYN, SYN+ACK, ACK) all of your packets containing any data are going to have the ACK flag set. (In a good little, abide-by-the-rules TCP session that is :) This data portion of the packet is going to be the "interesting" part that the signature is going to look at. In the case of the BARE BYTE UNICODE ENCODING signature we are checking for that particular encoding type.

Below is some good info from the snort (www.snort.org/docs) README.http_inspect doc:

* bare_byte [yes/no]
  Bare byte encoding is an IIS trick that uses non-ASCII chars as valid values in decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII values have to be encoded with a %. Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings correctly. The alert on this decoding should be enabled, because there are no legitimate clients that encode UTF-8 this way, since it is non-standard.

> When I traced back, I couldn't find the "SYN" packet. Is this
> always the case that any packet that causes "BARE BYTE UNICODE ENCODING" is
> the ACK packet?

It is very possible that the packet that triggered that alert didn't have a SYN packet associated with it. If it is a single packet or there is a series of these packets, with no SYN packet in the same stream, they may have been created by hand or with a tool.

Adam Baldwin
baldwnad () yahoo com
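The condition the quoted README describes (raw bytes of 0x80 or above in a request URI instead of %XX escapes) is simple enough to check by hand when an analyst wants to know exactly which octet of a captured payload tripped the signature. The following is an added example written for this archive page, not code from the thread, from Snort, or from its http_inspect preprocessor; the two request lines are constructed samples, and the function names are my own.

```python
# Added example (not from the thread or from Snort): a small checker for the
# condition the BARE BYTE UNICODE ENCODING signature describes, i.e. raw bytes
# >= 0x80 in an HTTP request URI instead of %XX escapes. Sample request lines
# below are constructed for illustration.

def find_bare_bytes(data: bytes) -> list:
    """Return (offset, byte) pairs for every byte >= 0x80 in `data`.

    Standard HTTP URIs carry non-ASCII characters only as %XX escapes, so a
    raw high-bit byte is the 'bare byte' encoding the preprocessor flags.
    Offsets are relative to `data`, which lets an analyst point at the exact
    octet that caused the alert.
    """
    return [(i, b) for i, b in enumerate(data) if b >= 0x80]


def percent_encode_non_ascii(uri: bytes) -> bytes:
    """Rewrite bare high-bit bytes as %XX escapes, leaving ASCII untouched."""
    out = bytearray()
    for b in uri:
        if b >= 0x80:
            out += b"%%%02X" % b
        else:
            out.append(b)
    return bytes(out)


def inspect_request_line(line: bytes) -> dict:
    """Inspect one HTTP request line (the first line of the TCP payload).

    Returns a dict with:
      alert      - True when the URI contains bare high-bit bytes
      offsets    - positions of those bytes within the whole request line
      decoded    - what the bare bytes spell if read as UTF-8 (the IIS
                   interpretation the README refers to)
      normalized - the same URI with the bytes percent-encoded
    """
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3:
        # Not "METHOD SP URI SP VERSION"; nothing to inspect here.
        return {"alert": False, "offsets": [], "decoded": None, "normalized": None}
    method, uri, _version = parts
    base = len(method) + 1                     # URI starts after "METHOD "
    hits = find_bare_bytes(uri)
    return {
        "alert": bool(hits),
        "offsets": [base + off for off, _ in hits],
        "decoded": uri.decode("utf-8", errors="replace"),
        "normalized": percent_encode_non_ascii(uri),
    }


# Constructed sample payloads: one standards-conformant, one bare-byte.
SAMPLES = [
    b"GET /caf%C3%A9.html HTTP/1.1\r\n",      # compliant: UTF-8 as %XX escapes
    b"GET /caf\xc3\xa9.html HTTP/1.1\r\n",    # bare byte: raw 0xC3 0xA9 in URI
]

if __name__ == "__main__":
    for payload in SAMPLES:
        result = inspect_request_line(payload)
        print(payload, "->", result["alert"], result["offsets"], result["decoded"])
```

Running the block on the two samples flags only the second one and reports offsets 8 and 9 within the request line, which answers the "which character triggered it" question directly; the `decoded` field shows what an IIS-style decoder would make of those bytes, and `normalized` shows how a conforming client would have sent the same path.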
Current thread:
- BARE BYTE UNICODE ENCODING Annie Green (Jun 01)
- Re: BARE BYTE UNICODE ENCODING Adam Baldwin (Jun 02)
- Network Traffic Flow learning and Simulation Mayank-Bhatnagar (Jun 18)
- RE: BARE BYTE UNICODE ENCODING Omar Herrera (Jun 02)
- Re: BARE BYTE UNICODE ENCODING nick black (Jun 04)
- Re: BARE BYTE UNICODE ENCODING Martin Roesch (Jun 07)
- Re: BARE BYTE UNICODE ENCODING nick black (Jun 07)
- RE: BARE BYTE UNICODE ENCODING Omar Herrera (Jun 07)
- Re: BARE BYTE UNICODE ENCODING Nigel Houghton (Jun 08)
- Re: BARE BYTE UNICODE ENCODING nick black (Jun 04)
- Re: BARE BYTE UNICODE ENCODING Adam Baldwin (Jun 02)
- <Possible follow-ups>
- Re: BARE BYTE UNICODE ENCODING Annie Green (Jun 02)
- Re: BARE BYTE UNICODE ENCODING Adam Baldwin (Jun 02)