IDS mailing list archives

Re: BARE BYTE UNICODE ENCODING


From: Adam Baldwin <baldwnad () yahoo com>
Date: Tue, 1 Jun 2004 17:13:01 -0700 (PDT)

Comments inline...


> What does it mean if the packet that triggers this alert is the TCP "ACK" packet?
To understand some of the "why" aspects of why a
signature is being triggered, you need to understand
the underlying protocol; I suggest TCP/IP Illustrated
by W. Richard Stevens (ISBN: 0201633469).

After the 3-way TCP handshake (SYN, SYN+ACK, ACK) all
of your packets containing any data are going to have
the ACK flag set. (In a good little, abide-by-the-rules
TCP session, that is :)

This data portion of the packet is going to be the
"interesting" part that the signature is going to look
at. In the case of the BARE BYTE UNICODE ENCODING
signature we are checking for that particular encoding
type. 

Below is some good info from the snort
(www.snort.org/docs) README.http_inspect doc:

* bare_byte [yes/no] *
Bare byte encoding is an IIS trick that uses non-ASCII
chars as valid values in decoding UTF-8 values.  This
is NOT in the HTTP standard, as all non-ASCII values
have to be encoded with a %.  Bare byte encoding
allows the user to emulate an IIS server and interpret
non-standard encodings correctly.

The alert on this decoding should be enabled, because
there are no legitimate clients that encoded UTF-8
this way, since it is non-standard.

> When I traced back, I couldn't find the "SYN" packet. Is this
> always the case that any packet that causes "BARE BYTE UNICODE ENCODING" is
> the ACK packet?
It is very possible that the packet that triggered
that alert didn't have a SYN packet associated with
it. If it is a single packet or there is a series of
these packets, with no SYN packet in the same stream,
they may have been created by hand or with a tool.


Adam Baldwin
baldwnad () yahoo com
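As an added illustration of what the bare_byte check in the README excerpt above is looking for (this is example code written for this archive page, not the list poster's code and not snort's http_inspect implementation): a small detector that flags raw octets >= 0x80 in the request URI of an HTTP request and shows that a standard percent-encoded request and a bare-byte request normalize to the same path. The sample requests are constructed, and the "IIS-like" normalization is an assumption drawn from the README text (percent-decode, then treat the octets as UTF-8).

```python
"""Detect IIS-style bare byte encoding in an HTTP request line.

Standard HTTP requires every non-ASCII octet in a URI to be
percent-encoded (e.g. %C3%A9).  "Bare byte" encoding instead places
the raw octet (>= 0x80) directly in the request line; per the snort
README, IIS decoded such octets as UTF-8 anyway.  The check below is
the same idea http_inspect's bare_byte option describes: any raw
octet >= 0x80 in the URI raises an alert.
"""
from urllib.parse import unquote_to_bytes

# Constructed sample requests (not captured traffic).
STANDARD_REQUEST = b"GET /caf%C3%A9/index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
BARE_BYTE_REQUEST = b"GET /caf\xc3\xa9/index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
# Mixed form: two percent-encoded octets followed by one bare octet.
PARTIAL_REQUEST = b"GET /%E2%82\xac HTTP/1.0\r\n\r\n"


def request_uri(payload: bytes) -> bytes:
    """Return the request-target from the first line, or b'' if malformed."""
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    return parts[1] if len(parts) == 3 else b""


def bare_byte_offsets(uri: bytes) -> list:
    """Offsets of raw octets >= 0x80 in the URI; percent escapes are ASCII and pass."""
    return [i for i, b in enumerate(uri) if b >= 0x80]


def normalize_like_iis(uri: bytes) -> str:
    """Assumed IIS-style normalization: percent-decode, then decode as UTF-8.
    Undecodable sequences are replaced so the normalizer never raises."""
    return unquote_to_bytes(uri).decode("utf-8", errors="replace")


def inspect(payload: bytes) -> dict:
    """Inspect one request; bare_byte_alert is True when raw high octets are present."""
    uri = request_uri(payload)
    offsets = bare_byte_offsets(uri)
    return {
        "uri": uri,
        "bare_byte_alert": bool(offsets),
        "bare_byte_offsets": offsets,
        "normalized": normalize_like_iis(uri),
    }


if __name__ == "__main__":
    for sample in (STANDARD_REQUEST, BARE_BYTE_REQUEST, PARTIAL_REQUEST):
        print(inspect(sample))
```

Both the standard and the bare-byte request normalize to the same path, which is why a normalizing sensor still reports the bare-byte form separately: no standards-compliant client produces it.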




