Snort mailing list archives

Re: UTF-8 and Unicode packet content under snort 1.8.7


From: John Sage <jsage () finchhaven com>
Date: Sat, 17 Aug 2002 10:32:17 -0700

/* loves replying to his own posts */

And in fact, locale -m on my firewall host returns:

UTF-8

and

UTF8

So, is this [below..] a non-issue for snort 1.8.7?


- John

On Sat, Aug 17, 2002 at 09:21:11AM -0700, John Sage wrote:
Hello world..

I'm currently involved in a discussion on another list where the
poster is stating that a Linux-based snort host, not updated to
properly handle UTF-8/Unicode encodings, will not correctly represent
binary-logged packet content that contains UTF-8/Unicode characters.

The specific issue is the representation of IIS/Unicode directory
traversal exploits.

I'm seeing, for example (which may not be the best example..):

<snip>
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
 G  E  T     /  s  c  r  i  p  t  s  /  .  .  %

32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65  2f../winnt/syste
 2  f  .  .  /  w  i  n  n  t  /  s  y  s  t  e
<snip>

<snip>
47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E 25 35 63  GET /msadc/..%5c
 G  E  T     /  m  s  a  d  c  .  .  .  %  5  c

2E 2E 2F 2E 2E 25 35 63 2E 2E 2F 2E 2E 25 35 63  ../..%5c../..%5c
 .  .  /  .  .  %  5  c  .  .  /  .  .  /  5  c

2F 2E 2E 35 35 2E 2E 2F 2E 2E 63 31 2E 2E 2F 2E  /..55../..c1../.
 /  .  .  5  5  .  .  /  .  .  c  1  .  .  /  .
<snip>

and the other poster is saying that this is misrepresented,
particularly the %5c.

To quote him:

<snip>
"...Yes - or at least inappropriately for comparison with attack signatures of
IIS Unicode directory traversal attempts on the Web. I believe that there is
some sort of inappropriate translation on the way from the binary packet
capture to the logs..."
<snip>
"...I have not figured out how %c0%af (a standard "overly long" encoding Unicode
attack) eventually gets translated to %c on your system and others. I think
I'd have to start at a binary level and get a stronger grasp of Unicode
encoding options to provide a transformation. It is an exact match though
for Bill McCarty's %c0%af capture that was altered in his email to %c..."
<snip>


I'm saying hex is hex...

What think ye?

I'm running snort 1.8.7 on a 2.2.14 kernel firewall box..


- John
-- 
Most people don't type their own logfiles;  but, what do I care?

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
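An added example for the question raised in this thread (it is not code from the thread, from Snort, or from IIS): it reads a Snort-style hex dump such as the one quoted above back into raw bytes, regenerates the dump from the bytes, and decodes the traversal encodings those bytes carry (%2f, %5c, %255c and the overlong UTF-8 %c0%af / %c1%9c) the way a lenient server would. The decode chain is a model of the lenient behaviour, not server code; the %c0%af request line is constructed for this example, as is the use of posixpath.normpath to resolve the "..", and the function names are the example's own.

```python
"""Added example, not code from the thread or from Snort: parse a Snort-style
hex dump back into raw bytes, and decode the IIS traversal encodings the raw
bytes carry (%2f, %5c, %255c, %c0%af) the way a lenient server would.
The decoder is a model of that behaviour, not IIS code; the sample requests
are constructed for this example.
"""
import posixpath
import re
from urllib.parse import unquote_to_bytes

# Leading hex columns of one dump line: "47 45 54 ... 25  GET /scripts/..%"
HEX_COLUMNS = re.compile(r"^([0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})*)")

# Constructed sample: the two dump lines quoted in the post, with the
# hand-spaced character lines left in to show that they are ignored.
POSTED_DUMP = """\
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
 G  E  T     /  s  c  r  i  p  t  s  /  .  .  %

32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65  2f../winnt/syste
 2  f  .  .  /  w  i  n  n  t  /  s  y  s  t  e
"""

# Constructed request carrying the overlong UTF-8 encoding of "/" (C0 AF),
# still percent-encoded, as it travels on the wire.
OVERLONG_REQ = b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"


def parse_hexdump(text: str) -> bytes:
    """Recover raw bytes from the hex columns; the ASCII column is ignored."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_COLUMNS.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def hex_dump(raw: bytes, width: int = 16) -> str:
    """Snort-style dump: hex columns, two spaces, printable ASCII or '.'."""
    lines = []
    for off in range(0, len(raw), width):
        chunk = raw[off:off + width]
        hexcol = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{hexcol:<{width * 3 - 1}}  {asc}")
    return "\n".join(lines)


def strict_utf8_accepts(raw: bytes) -> bool:
    """A conforming UTF-8 decoder (Python's) rejects overlong forms like C0 AF."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def decode_overlong(raw: bytes) -> bytes:
    """Accept 2-byte overlong encodings of ASCII (lead byte C0/C1), as a lenient
    decoder did; a strict one refuses them."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))  # C0 AF -> 0x2F '/'
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def decode_iis_path(path: bytes) -> bytes:
    """Model of a lenient decode chain: %xx, overlong UTF-8, a second %xx pass
    (so %255c becomes a backslash), backslash folded to '/', then '..' resolved."""
    step = unquote_to_bytes(path)
    step = decode_overlong(step)
    step = unquote_to_bytes(step)
    return posixpath.normpath(step.replace(b"\\", b"/"))


def request_path(req: bytes) -> bytes:
    """Path component of an HTTP request line (query string dropped)."""
    return req.split(b" ", 2)[1].split(b"?", 1)[0]


def matched_signatures(raw, sigs=(b"%c0%af", b"%c1%9c", b"%255c", b"\xc0\xaf")):
    """Plain byte matching, as a Snort content: match does; no locale involved."""
    return [s for s in sigs if s in raw]


if __name__ == "__main__":
    raw = parse_hexdump(POSTED_DUMP)
    print(raw, "->", decode_iis_path(request_path(raw)))
    print(hex_dump(OVERLONG_REQ))
    print(matched_signatures(OVERLONG_REQ), decode_iis_path(request_path(OVERLONG_REQ)))
```

The round trip parse_hexdump(hex_dump(x)) == x holds for any bytes, including a raw C0 AF pair, which the ASCII column can only draw as "..": the dump records the bytes, and the host locale decides only how a terminal renders anything above 0x7F, not what was captured. The decode chain is where %c0%af turns into "/" and %255c into "\", so signatures have to be written against whichever stage of that chain the sensor actually sees.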


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

