Re: On IDS Evasion, Vulnerabilities, and Vendor Hype
From: Jeff Nathan (firstname.lastname@example.org)
- In reply to: Jackie Chan: "Re: On IDS Evasion, Vulnerabilities, and Vendor Hype"
Message-ID: <3BC237F5.BFE7FEED@wwti.com>
Date: Mon, 08 Oct 2001 16:34:13 -0700
From: Jeff Nathan <email@example.com>
To: Jackie Chan <firstname.lastname@example.org>
Subject: Re: On IDS Evasion, Vulnerabilities, and Vendor Hype

Jackie Chan wrote:
> Eric, I'm with you on the inability for large companies to act quickly
> with their technology, but uber fast on the marketing and spin... but the
> following passage from your email seems to miss its mark with me:
> "There is no simple pattern matching facility that will work for UTF-8
> encoding, unlike %u encoding."
> My question is, and forgive me if I'm being oversimplistic here, but if
> "there is no simple pattern matching facility", then how exactly does it
> get decoded at the destination? It seems to me that if IIS can do it on
> the fly, that somewhere in the packet toss algorithms of IDS such a thing
> could be flagged or ruled out.
> Now obviously the location at which this check either gets performed, or
> does not, needs to be well qualified.
> "The great bulk of my wealthy and educated friends regard me as a dangerous crank."
> - Theodore Roosevelt
It's called URI normalization and it's how many a detection engine
implements decoding of both utf-8 encoded URIs as well as %u encoded
To Erik's point, I think we all realize it's easier to cast stones than
to do the requisite research and actually solve a problem.
--
http://jeff.wwti.com (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
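
A sketch of the URI normalization discussed in this message, added as an example and not part of the original post or any detection engine's code: it decodes %XX and %uXXXX escapes, accepts overlong UTF-8 the way a permissive server would, and only then applies the signature. The signature `/admin/`, the function names and the sample URIs are assumptions constructed for illustration.

```python
import re

_ESC = re.compile(rb"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
SIGNATURE = "/admin/"  # hypothetical rule content, not from the thread

def _decode_utf8_lenient(data):
    """Decode 1- to 3-byte UTF-8, accepting overlong forms and reporting them."""
    out, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b < 0xE0:
            n, cp, minimum = 1, b & 0x1F, 0x80
        elif 0xE0 <= b < 0xF0:
            n, cp, minimum = 2, b & 0x0F, 0x800
        else:  # ASCII, stray continuation bytes, 4-byte leads: passed through
            n, cp, minimum = 0, b, 0
        tail = data[i + 1:i + 1 + n]
        if len(tail) == n and all(0x80 <= t < 0xC0 for t in tail):
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            overlong = overlong or cp < minimum
            i += 1 + n
        else:  # malformed sequence: keep the lead byte as-is
            cp, i = b, i + 1
        out.append(chr(cp))
    return "".join(out), overlong

def normalize_uri(raw):
    """Single-pass decode of a raw request URI (bytes) -> (text, anomalies)."""
    anomalies = set()
    def unescape(m):
        if m.group(1):  # %uXXXX carries a code point directly
            anomalies.add("%u-encoding")
            return chr(int(m.group(1), 16)).encode("utf-8", "surrogatepass")
        return bytes([int(m.group(2), 16)])  # %XX carries one raw byte
    text, overlong = _decode_utf8_lenient(_ESC.sub(unescape, raw))
    if overlong:
        anomalies.add("overlong-utf8")
    return text, sorted(anomalies)

def inspect(raw):
    """Compare matching on raw bytes with matching on the normalized URI."""
    text, anomalies = normalize_uri(raw)
    return {"raw_match": SIGNATURE.encode() in raw,
            "normalized_match": SIGNATURE in text, "anomalies": anomalies}

if __name__ == "__main__":
    for uri in (b"/admin/index.html", b"/%u0061dmin/index.html",
                b"/%c1%a1dmin/index.html", b"/docs/caf%c3%a9.html"):  # constructed
        print(uri, inspect(uri))
```

The decoder makes a single pass, so it does not model a server that decodes twice; the anomaly list lets a rule alert on the encoding itself even when no signature matches.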