Subject: Re: Unicode and IDS evasion
From: Dug Song (dugsongMONKEY.ORG)
Date: Mon Oct 30 2000 - 07:55:48 CST


On Sun, Oct 29, 2000 at 11:06:39PM -0500, Eric Hacker wrote:

> I feel fairly confident that UTF8 encoding of an attack
> would bypass most if not all network IDS today.

as well as RPC fragmentation, Telnet keystroke editing, and any other
application-layer tricks which force a passive monitor to bifurcate
analysis. i've been holding off on releasing fragproxy to add support
for new attacks like this:

        -W3: www-3: HTTP URI Unicode encoding

> Therefore, when reduction or canonicalization takes place in the resource
> location, it is an event worth noting. I repeat: the presence of reduction
> or canonicalization within the resource location part of a URL is itself
> anomalous, likely malicious, and worthy of a NIDS alert.

this is the same approach as IDSs which only complain when they see
fragmented traffic. this isn't sufficient. or are you also going to
complain when you see ^H or ^? in Telnet traffic?

> Here however, is a clear advantage to protocol analysis. There is no way a
> standard pattern matching IDS can perform Unicode reduction.

not true. a pattern matching IDS can simply canonicalize its input
before inspection. pattern matching (as a variant of misuse detection)
and equality matching (as a variant of anomaly detection) are quite
different - and real "protocol analysis" falls in the latter category.

further - there is no real solution to the general problem of
desynchronizing a passive network monitor, other than to normalize the
traffic before it. see the archives of the other IDS list for pointers:

        http://msgs.securepoint.com/ids/

-d.

p.s. FOCUS-IDS should probably be merged with Justin Lister's original
     IDS list - is there a reason it hasn't been?

---
http://www.monkey.org/~dugsong/
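The canonicalize-before-inspection approach argued in the reply above, as an added example that is not code from this thread or from fragproxy: a small Python normalizer that percent-decodes, reduces UTF-8 (including overlong forms) and collapses dot segments before signature matching, and reports each reduction it performed as an anomaly so both the misuse signal and the anomaly signal are available to the monitor. The signature list and sample URIs are constructed, and the decoding steps model a lenient web server rather than any particular product.

```python
import posixpath
import re
# Constructed signature list that a pattern-matching IDS checks against the
# canonical form of the URI, not against the raw wire bytes.
SIGNATURES = ("/etc/passwd", "cmd.exe")
_PCT = re.compile(rb"%([0-9a-fA-F]{2})")

def utf8_reduce(data: bytes) -> tuple[str, set[str]]:
    """Decode UTF-8 the way a lenient server would: an overlong form such as
    C0 AF collapses to '/', but every such reduction is recorded as an anomaly."""
    out, flags, i = [], set(), 0
    while i < len(data):
        b = data[i]
        n = (1 if b < 0x80 else 2 if 0xC0 <= b < 0xE0 else
             3 if 0xE0 <= b < 0xF0 else 4 if 0xF0 <= b < 0xF8 else 0)
        tail = data[i + 1:i + n]
        if n == 0 or len(tail) < n - 1 or any(not 0x80 <= t < 0xC0 for t in tail):
            out.append("\ufffd")  # stray continuation byte or truncated sequence
            flags.add("invalid-utf8")
            i += 1
            continue
        cp = b if n == 1 else b & (0x7F >> n)
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if n > 1 and cp < (0x80, 0x800, 0x10000)[n - 2]:
            flags.add("overlong-utf8")  # shorter encoding existed: classic evasion
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += n
    return "".join(out), flags

def canonicalize(uri: bytes) -> tuple[str, set[str]]:
    """Percent-decode until stable (flagging double encoding), reduce UTF-8,
    then collapse dot segments the way the target filesystem would."""
    flags, passes = set(), 0
    while passes < 3 and _PCT.search(uri):
        uri = _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), uri)
        passes += 1
    if passes > 1:
        flags.add("double-encoding")
    text, utf_flags = utf8_reduce(uri)
    raw_path = text.split("?", 1)[0]
    path = posixpath.normpath(raw_path)
    if path != raw_path:
        flags.add("dot-segments")
    return path, flags | utf_flags

def inspect(uri: bytes) -> tuple[list[str], set[str]]:
    """Signature hits on the canonical path, plus every anomaly seen on the way."""
    path, flags = canonicalize(uri)
    return [s for s in SIGNATURES if s in path], flags
```

A plain byte search for the same signatures over the raw request misses the overlong-encoded form entirely, which is exactly the gap that normalizing before inspection closes.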