Snort mailing list archives
The pattern-matching evasion to network ids
From: "wangyc" <wangyc () nci ac cn>
Date: Thu, 26 Jul 2001 16:40:20 +0800
Hi everyone,

I want to ask an old question, and want to get some information or advice. I wonder how we can deal with some of the evasion methods attackers usually use to fool our NIDS. For example, they use:

    GET /%63%67%69%2d%62in/r%77%77wsh%65ll%2ep%6c HTTP/1.0
    GET %2f%63g%69-bi%6e%2f%74%65st%2dc%67%69 HTTP/1.0

So some pattern-matching IDSes can't correctly understand these and fail to detect the attacks, but the web server can comprehend them and will be attacked. Maybe we should add some higher-level protocol parsing mechanism that does what a real web server does, but can anyone tell us an easy way to settle this problem? Or does anyone know of open-source software that already does the string-conversion work?

Thanks a lot!
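The normalization step the question asks about, as an added example that is not part of the original post and is not Snort's code: percent-decode the request path before matching, and compare raw against normalized matching on the two request lines quoted above. The signature strings, the function names and the bounded repeat-decoding policy are assumptions made for illustration.

```python
import re

# Constructed signature list: the decoded forms of the two request paths in the post.
SIGNATURES = ["/cgi-bin/rwwwshell.pl", "/cgi-bin/test-cgi"]
_ESCAPE = re.compile(rb"%([0-9A-Fa-f]{2})")

def decode_once(uri):
    """Replace each valid %XX escape with its byte; malformed escapes stay as-is."""
    return _ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), uri)

def normalize_uri(uri, max_passes=3):
    """Decode until the value stops changing, so double encoding (%252d) is
    also unwrapped. Returns (normalized bytes, number of decoding passes)."""
    passes = 0
    while passes < max_passes:
        decoded = decode_once(uri)
        if decoded == uri:
            break
        uri, passes = decoded, passes + 1
    return uri, passes

def inspect(request_line):
    """Match signatures against the raw and the normalized request path."""
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return {"error": "malformed request line"}
    raw_uri = parts[1]
    path = raw_uri.split(b"?", 1)[0]  # split before decoding so %3f stays in the path
    norm, passes = normalize_uri(path)
    text = norm.decode("latin-1")  # latin-1 maps every byte, never raises
    return {
        "normalized": text,
        "passes": passes,  # more than 1 means nested encoding, worth its own alert
        "raw_hits": [s for s in SIGNATURES if s.encode() in raw_uri],
        "normalized_hits": [s for s in SIGNATURES if s in text],
    }

if __name__ == "__main__":
    # The two request lines quoted in the post.
    for line in (
        b"GET /%63%67%69%2d%62in/r%77%77wsh%65ll%2ep%6c HTTP/1.0",
        b"GET %2f%63g%69-bi%6e%2f%74%65st%2dc%67%69 HTTP/1.0",
    ):
        print(inspect(line))
```

Both quoted requests produce no hit on the raw bytes and one hit each after normalization, which is the gap between what the sensor sees and what the server serves.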