Penetration Testing mailing list archives

Re: IDS and Unicode


From: "Kevin J. Menard, Jr." <kmenard () WPI EDU>
Date: Tue, 29 May 2001 10:08:31 -0400

Hey Parth,


Monday, May 28, 2001, 1:10:04 PM, you wrote:

PG> Recently I was pentesting a site and was noticed by a very good admin's homegrown IDS. His IDS was some batch files
PG> that keyed on ".exe" in the IIS logs. I have something similar on my sites,
PG> using Snort and scanning the IIS logs.

PG> So, I was thinking, could someone give me the Unicoded encoded string for "cmd.exe"? Then when pentesting sites
PG> like this (using a browser, .pl, or nc based call to the Unicode or Filename Double
PG> Decode exploits) I can also test their IDS. I would then recommend that they key on "%" when not followed by "20",
PG> since a "%" sign would be suspicious when not used to encode a space.

Not true.  I work with many URLs that use %3A for example.  There are
legitimate reasons to use % other than in %20, and what you're
suggesting would block out a lot of URLs.  (In my case, the ":" is
used in a CGI bug script submission -- blocking this would not be a
good idea).

PG> Thanks for your time and effort! Any feedback would be much appreciated! 

PG> Parth

-- Kevin
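An added illustration of the point above, not code from either poster: the proposed "% not followed by 20" rule fires on a legitimate %3A bug-script submission, while applying the admin's own ".exe" signature after percent-decoding the request catches the encoded and double-encoded forms without that false positive. The log lines, paths, IP addresses and the helper names are constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample IIS log lines (simplified W3C extended format); not
# taken from the thread. Fields: date time client-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2001-05-28 13:10:04 10.0.0.5 GET /default.htm - 200
2001-05-28 13:10:07 10.0.0.5 GET /cgi-bin/bugs.pl id=PROJ%3A42&q=a%20b 200
2001-05-28 13:10:11 10.0.0.9 GET /scripts/cmd.exe - 404
2001-05-28 13:10:15 10.0.0.9 GET /scripts/cmd%2Eexe - 404
2001-05-28 13:10:19 10.0.0.9 GET /scripts/%2563md%252Eexe - 404
"""

PERCENT_NOT_20 = re.compile(r"%(?!20)")

def raw_exe_rule(request: str) -> bool:
    """The admin's batch-file IDS: literal '.exe' in the raw log field."""
    return ".exe" in request.lower()

def naive_percent_rule(request: str) -> bool:
    """The rule proposed in the thread: any '%' not followed by '20'."""
    return PERCENT_NOT_20.search(request) is not None

def canonicalize(request: str, max_rounds: int = 3) -> bytes:
    """Percent-decode until the value stops changing (catches double encoding),
    then lower-case, so matching sees roughly what the server resolves."""
    data = request.encode("ascii", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data.lower()

def decoded_exe_rule(request: str) -> bool:
    """Same '.exe' signature as the admin's IDS, applied after canonicalization."""
    return b".exe" in canonicalize(request)

def scan(log_text: str):
    """For each log line return (request, raw_hit, naive_percent_hit, decoded_hit)."""
    results = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # skip directives and malformed lines
        request = parts[4] + " " + parts[5]  # uri-stem plus uri-query
        results.append((request, raw_exe_rule(request),
                        naive_percent_rule(request), decoded_exe_rule(request)))
    return results
```

Only the %3A line separates the two approaches: the naive rule flags it, the decoded rule does not, and the decoded rule still catches both encoded cmd.exe requests that the raw ".exe" match misses.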


