Re: On IDS Evasion, Vulnerabilities, and Vendor Hype

From: Jeff Nathan
Date: 10/09/01

Date: Mon, 08 Oct 2001 16:34:13 -0700
From: Jeff Nathan
To: Jackie Chan
Subject: Re: On IDS Evasion, Vulnerabilities, and Vendor Hype

Jackie Chan wrote:
> Eric, I'm with you on the inability for large companies to act quickly
> with their technology, but uber fast on the marketing and spin... but the
> following passage from your email seems to miss its mark with me:
> "There is no simple pattern matching facility that will work for UTF-8
> encoding, unlike %u encoding."
> My question is, and forgive me if I'm being over simplistic here, but if
> "there is no simple pattern matching facility", then how exactly does it
> get decoded at the destination. It seems to me that if IIS can do it on
> the fly, that somewhere in the packet toss algorithms of IDS such a thing
> could be flagged or ruled out.
> Now obviously the location at which this check either gets performed, or
> does not, needs to be well qualified.
> -blue0ne
> --
> -blue0ne
> "The great bulk of my wealthy and educated friends regard me as a dangerous crank."
> - Theodore Roosevelt

It's called URI normalization and it's how many a detection engine
implements decoding of both UTF-8 encoded URIs as well as %u encoded

To Erik's point, I think we all realize it's easier to cast stones than
to do the requisite research and actually solve a problem.


--            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
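
URI normalization as named in the reply above, shown as an added example that is not part of the original message or of any product's code: both %XX UTF-8 bytes and %uXXXX escapes are decoded to one canonical string, overlong or invalid sequences are flagged, and the signature is matched after decoding. Function names, flag strings and the sample URIs are assumptions constructed for illustration.

```python
import re
# %uXXXX (the form discussed in the thread) or one plain %XX byte
_ESC = re.compile(r"%[uU]([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
# (lead low, lead high, continuation bytes, payload mask, smallest legal code point)
_LEADS = [(0xC0, 0xDF, 1, 0x1F, 0x80), (0xE0, 0xEF, 2, 0x0F, 0x800),
          (0xF0, 0xF4, 3, 0x07, 0x10000)]
SAMPLES = ["/docs/%u0061dmin", "/docs%c0%afadmin", "/caf%c3%a9"]  # constructed inputs

def _lenient_utf8(data, flags):
    """Decode like a permissive server: accept overlong forms, but flag them."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        lead = next((l for l in _LEADS if l[0] <= b <= l[1]), None)
        tail = data[i + 1:i + 1 + lead[2]] if lead else b""
        if b < 0x80 or lead is None or len(tail) < lead[2] \
                or any(t & 0xC0 != 0x80 for t in tail):
            if b >= 0x80:
                flags.add("invalid-utf8")   # stray or truncated sequence
            out.append(chr(b))
            i += 1
            continue
        cp = b & lead[3]
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < lead[4]:
            flags.add("overlong-utf8")      # more bytes than the code point needs
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + lead[2]
    return "".join(out)

def normalize_uri(raw):
    """Return (canonical_text, flags) for a request URI."""
    flags, out, pending, pos = set(), [], bytearray(), 0
    for m in _ESC.finditer(raw):
        pending += raw[pos:m.start()].encode("utf-8")
        if m.group(1):                      # %uXXXX names a code point directly
            out += [_lenient_utf8(bytes(pending), flags), chr(int(m.group(1), 16))]
            pending.clear()
            flags.add("percent-u")
        else:                               # %XX is one byte of a UTF-8 sequence
            pending.append(int(m.group(2), 16))
        pos = m.end()
    pending += raw[pos:].encode("utf-8")
    out.append(_lenient_utf8(bytes(pending), flags))
    return "".join(out), flags

def signature_hits(raw, needle):  # match on the normalized URI, not the raw bytes
    return needle in normalize_uri(raw)[0]
```

The returned flags let a sensor alert on the encoding itself as well as on the decoded content.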