Re: BARE BYTE UNICODE ENCODING

From: Adam Baldwin (baldwnad_at_yahoo.com)
Date: 06/02/04

  • Next message: Jose Nazario: "RE: Suggestions"
    Date: Tue, 1 Jun 2004 17:13:01 -0700 (PDT)
    To: focus-ids@securityfocus.com
    
    

    Comments inline...

    > What does it mean if the packet that trigger this
    > alert is the TCP "ACK"
    > packet.
    To understand some of the why aspects of why a
    signature is being triggered you need to understand
    the underlying protocol, I suggest TCP/IP Illustrated
    by W. Richard Stevens (ISBN: 0201633469)

    After the 3-way TCP handshake (SYN, SYN+ACK, ACK) all
    of your packets containing any data are going to have
    the ACK flag set. (In a good little, abide by the
    rules TCP session that is :)

    This data portion of the packet is going to be the
    "interesting" part that the signature is going to look
    at. In the case of the BARE BYTE UNICODE ENCODING
    signature we are checking for that particular encoding
    type.

    Below is some good info from the snort
    (www.snort.org/docs) README.http_inspect doc

    * bare_byte [yes/no] *
    Bare byte encoding is an IIS trick that uses non-ASCII
    chars as valid values in decoding UTF-8 values. This
    is NOT in the HTTP standard, as all non-ASCII values
    have to be encoded with a %. Bare byte encoding
    allows the user to emulate an IIS server and interpret
    non-standard encodings correctly.

    The alert on this decoding should be enabled, because
    there are no legitimate clients that encoded UTF-8
    this way, since it is non-standard.

    > When I traced back, I couldn't find the
    > "SYN" packet. Is this
    > always the case that any packet that cause "BARE
    > BYTE UNICODE ENCODING" is
    > the ACK packet?
    It is very possible that the packet that triggered
    that alert didn't have a SYN packet associated with
    it. If it is a single packet or there is a series of
    these packets, with no SYN packet in the same stream,
    they may have been created by hand or with a tool.

    Adam Baldwin
    baldwnad@yahoo.com

            
                    
    __________________________________
    Do you Yahoo!?
    Friends. Fun. Try the all-new Yahoo! Messenger.
    http://messenger.yahoo.com/

    ---------------------------------------------------------------------------

    ---------------------------------------------------------------------------


  • Next message: Jose Nazario: "RE: Suggestions"

    Relevant Pages

    • Re: how much size is enough ?
      ... If I assume my minimum rx packet length of 64 bytes and maximum packet ... You are not going to be able to do 200 metre segments with existing ... and available fibre types) affects the bit encoding used, ... The 802.3ae-2002 standard indicates that a conservative delay estimate ...
      (comp.dcom.lans.ethernet)
    • Re: BARE BYTE UNICODE ENCODING
      ... How should I analyse further to find out the type of attack that my company ... >> What does it mean if the packet that trigger this ... In the case of the BARE BYTE UNICODE ENCODING ...
      (Focus-IDS)
    • Re: How do you get the number of bytes in a string
      ... So you're transmitting the string in this packet, ... If you know the encoding, just convert the string into a byte ... array using that encoding and find the length of the array. ...
      (microsoft.public.dotnet.languages.csharp)
    • Re: VAD, silence, and comfort noise
      ... packet and detect whether their is voice in it or none. ... please note that the voice activity detection is apart from the actual encoding that Speex does and that i am able to use the VAD functionality minus the encoding successfully. ...
      (microsoft.public.win32.programmer.mmedia)
    • Re: [fw-wiz] Netscreen firewalls
      ... the transparent bridge mode is quite good, ... the default, out of the box transport mechanism is packet forwarding only, ... comparison against a signature is typically the way that enforcement is ...
      (Firewall-Wizards)