IDS mailing list archives
Re: BARE BYTE UNICODE ENCODING
From: Adam Baldwin <baldwnad () yahoo com>
Date: Tue, 1 Jun 2004 17:13:01 -0700 (PDT)
Comments inline...

> What does it mean if the packet that triggers this alert is the TCP "ACK" packet?

To understand some of the why aspects of why a signature is being triggered you need to understand the underlying protocol; I suggest TCP/IP Illustrated by W. Richard Stevens (ISBN: 0201633469). After the 3-way TCP handshake (SYN, SYN+ACK, ACK) all of your packets containing any data are going to have the ACK flag set. (In a good little, abide-by-the-rules TCP session that is :) This data portion of the packet is going to be the "interesting" part that the signature is going to look at. In the case of the BARE BYTE UNICODE ENCODING signature we are checking for that particular encoding type.

Below is some good info from the snort (www.snort.org/docs) README.http_inspect doc:

    * bare_byte [yes/no]
    *
    * Bare byte encoding is an IIS trick that uses non-ASCII chars as valid
    * values in decoding UTF-8 values. This is NOT in the HTTP standard, as
    * all non-ASCII values have to be encoded with a %. Bare byte encoding
    * allows the user to emulate an IIS server and interpret non-standard
    * encodings correctly. The alert on this decoding should be enabled,
    * because there are no legitimate clients that encoded UTF-8 this way,
    * since it is non-standard.

> When I traced back, I couldn't find the "SYN" packet. Is this always the case that any packet that causes "BARE BYTE UNICODE ENCODING" is the ACK packet?

It is very possible that the packet that triggered that alert didn't have a SYN packet associated with it. If it is a single packet or there is a series of these packets, with no SYN packet in the same stream, they may have been created by hand or with a tool.

Adam Baldwin
baldwnad () yahoo com
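As an added illustration of what this signature looks for (example code written for this archive page, not from the original post or from Snort's http_inspect), here is a small checker that flags raw non-ASCII bytes in a request URI and shows that a permissive, IIS-style decoder yields the same path from the %-encoded and the bare-byte form. The request lines are constructed samples.

```python
"""Added example (not from the original post or from Snort): a minimal check
that mimics the idea behind the BARE BYTE UNICODE ENCODING alert, run over
two constructed HTTP request lines."""
from urllib.parse import unquote_to_bytes


def request_uri(request_line: bytes) -> bytes:
    """Return the request-target from a line such as b'GET /path HTTP/1.1'."""
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    return parts[1]


def bare_byte_offsets(uri: bytes) -> list:
    """Offsets of raw (not %-encoded) octets >= 0x80 in the URI.
    A standards-conformant client never sends these: every non-ASCII
    octet must be sent as %XX, so any hit is worth an alert."""
    return [i for i, b in enumerate(uri) if b >= 0x80]


def permissive_decode(uri: bytes) -> str:
    """Decode the way a permissive (IIS-style) server would: resolve %XX to
    octets, then treat the whole octet string, raw high bytes included, as
    UTF-8. Undecodable sequences become U+FFFD so the path is still visible."""
    return unquote_to_bytes(uri).decode("utf-8", errors="replace")


def check_request(request_line: bytes) -> dict:
    """Alert verdict plus the evidence an analyst would want to see."""
    uri = request_uri(request_line)
    offsets = bare_byte_offsets(uri)
    return {
        "alert": bool(offsets),
        "bare_byte_offsets": offsets,
        "decoded_path": permissive_decode(uri),
    }


# Constructed samples: the same path, once properly %-encoded (what a real
# browser sends) and once with the UTF-8 octets of 'ü' sent as bare bytes.
CLEAN = b"GET /docs/%C3%BCber.html HTTP/1.1"
BARE = b"GET /docs/\xc3\xbcber.html HTTP/1.1"

if __name__ == "__main__":
    for line in (CLEAN, BARE):
        print(line, "->", check_request(line))
```

Both samples decode to the same path, which is why the check has to run on the raw request bytes before normalisation rather than on the decoded path.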