Penetration Testing mailing list archives

RE: IDS and Unicode


From: Curt Wilson <netw3 () netw3 com>
Date: Wed, 06 Jun 2001 00:49:30 -0500



RFP's whisker (wiretrip.net) uses various methods to defeat pattern matching
IDS. I believe one of these methods is the use of unicode. So, based on this
information, I would gather that it IS a worthwhile technique since it's
in active use "in the wild".

How does RealSecure stack up with regards to protecting IIS? Does anyone have
any experience with this? We are thinking of a RealSecure implementation at
one of my places of employ.

Thanks,
Curt Wilson
Netw3 Consulting


But my point was more about using Unicode to hide the ".exe" string (and
others like "rdisk", "TFTP"). The goal being, is this a worthwhile
technique for testing IDSs, or is it too trivial?

Here are portions from my IIS 4 log. The first has spaces in place of the
Unicode I used, the second and third show strings that are decoded from the
Unicode. In all cases, a legit string is obscured on the wire (inbound),
and in the IIS logs.

GET, /winnt/system32/cmd.exe, /c+dir+C:/,
GET, /scripts/..=C0%9v../winnt/system32/cmd.exe, /c+dir,
GET, /scripts/..=C1%8s../winnt/system32/cmd.exe, /c+dir,

Again, thanks much for all the feedback!




=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson   *   Netw3 Consulting  *   www.netw3.com    |
|    Internet Security, Networking, PC tech,  WWW hosting     |
| Netw3 Security Reading Room : www.netw3.com/documents.html  |
|  Serving Southern Illinois locally and the world virtually  |  
|            netw3 () netw3 com     618-303-NET3                 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
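The detection side of the technique discussed in this message, as an added example that is not part of the original post: a check that canonicalizes a request URI before signature matching and flags overlong UTF-8 sequences and malformed percent-escapes. The function names and the sample URIs are assumptions constructed for illustration; the signature strings are the ones named in the message.

```python
import re

SIGNATURES = (".exe", "rdisk", "tftp")          # strings named in the post
_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")        # well-formed %XX escape
_BAD_PCT = re.compile(rb"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits
# (lead mask, lead pattern, payload mask, sequence length, smallest legal code point)
_LEADS = ((0xE0, 0xC0, 0x1F, 2, 0x80), (0xF0, 0xE0, 0x0F, 3, 0x800),
          (0xF8, 0xF0, 0x07, 4, 0x10000))


def lenient_utf8(raw):
    """Decode like a permissive server (overlong forms accepted).
    Returns (text, saw_overlong)."""
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        form = next((f for f in _LEADS if (b & f[0]) == f[1]), None)
        if form is None:                        # ASCII or an invalid lead byte
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
            continue
        _, _, mask, n, low = form
        tail = raw[i + 1:i + n]
        if len(tail) != n - 1 or any((t & 0xC0) != 0x80 for t in tail):
            out.append("\ufffd")                # truncated or broken sequence
            i += 1
            continue
        cp = b & mask
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        overlong = overlong or cp < low         # value fits in a shorter form
        out.append(chr(cp) if cp < 0x110000 else "\ufffd")
        i += n
    return "".join(out), overlong


def inspect(uri):
    """Compare signature hits on the raw URI with hits after canonicalization."""
    data = uri.encode("latin-1", "replace")
    raw = _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    text, overlong = lenient_utf8(raw)
    return {
        "raw_hits": [s for s in SIGNATURES if s in uri.lower()],
        "canonical_hits": [s for s in SIGNATURES if s in text.lower()],
        "overlong": overlong,
        "malformed_escape": bool(_BAD_PCT.search(data)),
    }


# Constructed sample request URIs (not taken from any real log).
SAMPLES = ["/scripts/tool.exe?/c+dir", "/scripts/tool.%c1%a5xe?/c+dir"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s, inspect(s))
```

A request where `canonical_hits` differs from `raw_hits`, or where `overlong` or `malformed_escape` is set, is worth an alert on its own, since legitimate clients have no reason to send either.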

