Re: On IDS Evasion, Vulnerabilities, and Vendor Hype

From: Jeff Nathan (jeff@wwti.com)
Date: 10/09/01


Message-ID: <3BC237F5.BFE7FEED@wwti.com>
Date: Mon, 08 Oct 2001 16:34:13 -0700
From: Jeff Nathan <jeff@wwti.com>
To: Jackie Chan <blue0ne@digitz.org>
Subject: Re: On IDS Evasion, Vulnerabilities, and Vendor Hype

Jackie Chan wrote:
>
> Eric, I'm with you on the inability for large companies to act quickly
> with their technology, but uber fast on the marketing and spin... but the
> following passage from your email seems to miss its mark with me:
>
> "There is no simple pattern matching facility that will work for UTF-8
> encoding, unlike %u encoding."
>
> My question is, and forgive me if I'm being oversimplistic here, but if
> "there is no simple pattern matching facility", then how exactly does it
> get decoded at the destination? It seems to me that if IIS can do it on
> the fly, that somewhere in the packet toss algorithms of IDS such a thing
> could be flagged or ruled out.
>
> Now obviously the location at which this check either gets performed, or
> does not, needs to be well qualified.
>
> -blue0ne
>
> --
> -blue0ne
> http://www.digitz.org
>
> "The great bulk of my wealthy and educated friends regard me as a dangerous crank."
> - Theodore Roosevelt

It's called URI normalization and it's how many a detection engine
implements decoding of both UTF-8 encoded URIs as well as %u encoded
URIs.

To Erik's point, I think we all realize it's easier to cast stones than
to do the requisite research and actually solve a problem.

-Jeff

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
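To illustrate the normalization step Jeff refers to, here is an added example that is not part of the original thread or its authors' code: a small Python URI-path normalizer that decodes %XX escapes, the IIS-specific %uXXXX form and UTF-8 multi-byte sequences into one canonical string for signature matching, while flagging the encoding anomalies (overlong UTF-8, %u escapes, double encoding, invalid bytes) that an IDS would want to alert on in their own right. The flag names and the sample inputs are my own constructions.

```python
def _ishex(s: str, n: int) -> bool:
    return len(s) == n and all(c in '0123456789abcdefABCDEF' for c in s)

def _percent_decode(s: str, flags: list) -> bytes:
    # One pass: %XX -> raw byte; %uXXXX (the IIS-specific form) -> UTF-8 bytes of that code point
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == '%' and s[i + 1:i + 2].lower() == 'u' and _ishex(s[i + 2:i + 6], 4):
            flags.append('percent_u')
            out += chr(int(s[i + 2:i + 6], 16)).encode('utf-8', 'surrogatepass')  # UTF-8 stage flags lone surrogates
            i += 6
        elif s[i] == '%' and _ishex(s[i + 1:i + 3], 2):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out += s[i].encode('utf-8')
            i += 1
    return bytes(out)

def _utf8_decode(b: bytes, flags: list) -> str:
    # Lenient decoder: accepts overlong sequences (as IIS once did) but flags them
    out, i = [], 0
    while i < len(b):
        lead = b[i]
        n = 1 if lead < 0x80 else 2 if 0xC0 <= lead < 0xE0 else 3 if 0xE0 <= lead < 0xF0 else 4 if 0xF0 <= lead < 0xF8 else 0
        tail = b[i + 1:i + n]
        if n == 0 or len(tail) != n - 1 or any(not 0x80 <= t < 0xC0 for t in tail):
            flags.append('invalid_utf8')
            out.append('\ufffd')
            i += 1
            continue
        cp = lead if n == 1 else lead & (0x7F >> n)
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if n > 1 and cp < (0x80, 0x800, 0x10000)[n - 2]:  # value fits in fewer bytes: overlong form
            flags.append('overlong_utf8')
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:  # surrogate or past U+10FFFF: not a character
            flags.append('invalid_utf8')
            cp = 0xFFFD
        out.append(chr(cp))
        i += n
    return ''.join(out)

def normalize(uri_path: str) -> tuple:
    flags: list = []
    text = _utf8_decode(_percent_decode(uri_path, flags), flags)
    # an escape that survives one decoding round means the request was encoded twice
    if any(c == '%' and _ishex(text[i + 1:i + 3], 2) for i, c in enumerate(text)):
        flags.append('double_encoded')
    return text, sorted(set(flags))
```

The signature engine matches on the returned path; the flags let a rule fire on the encoding trick itself even when the decoded path looks harmless.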