IDS Evasive Encoding

managed.security
Beginner

I have been seeing a lot of IDS Evasive Encoding sig ID 5249.

The source IP (66.249.64.x) leads to Google Inc.

I would like to know if IE is vulnerable to this signature. I have got a feeling that this might be a popup ad from Google that our IDS is picking up.

Any help will be appreciated. Need to advise my client with the best possible solution.

Thank you


bkubesh
Beginner

I think this signature is in the same category as your earlier post about "IIS Double Decode Error".

What does the URL look like in your alarm context?

I would guess Google and others are getting more complicated with their URL structure, using some of the advanced features of HTTP. With the IIS double decode issue, and probably this issue, the URL contains embedded information in the path and not in the key-value pairs in the URL arguments like we typically see.

Chances are this is not an actual attack, and hence IE is not vulnerable. But I would need to see the alert context to be certain.

I think this is what you asked for

Get/servlet/webacc/StatsFin+2%2exls?

ROVUIC9zZXJbGVOL3dIYmFjYy9TdGF0ZpbisyJTJleGxzPw==

The IDS is alerting on the "%2e" in your URL, which, in some forms, can be a potentially evasive encoding for a "." in a filename.

This signature was created to detect people trying to change what the URL means by using escaped characters. We alert on file and protocol delimiters for this sig, things such as ".", "/", "\", CR, LF, NULL.

It appears to be used in an innocuous fashion in your case. We will need to revisit this signature in the future if this usage is becoming the 'norm'.
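The check described in the reply above, as an added example that is not part of the original thread and is not the logic of signature 5249 itself: a Python triage helper that reports percent-escaped delimiters (".", "/", "\", CR, LF, NULL) in a URI path, including escapes hidden under a second encoding layer as in the double decode case mentioned earlier. The function names, the `max_layers` limit and the second and third sample URIs are assumptions made for illustration.

```python
import re

# Delimiters named in the reply above: ".", "/", "\", CR, LF, NULL.
DELIMITERS = {0x2E: ".", 0x2F: "/", 0x5C: "\\", 0x0D: "CR", 0x0A: "LF", 0x00: "NULL"}
ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_once(text):
    """Decode one layer of %XX escapes, leaving malformed escapes untouched."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def find_encoded_delimiters(uri, max_layers=3):
    """Return (layer, offset, escape, delimiter) for each escaped delimiter in the path.

    Layer 1 is the URI as received; layer 2 is what a second decode pass
    would see (the double decode case), and so on up to max_layers.
    """
    path = uri.split("?", 1)[0]  # the signature concerns the path, not the arguments
    findings = []
    for layer in range(1, max_layers + 1):
        for m in ESCAPE.finditer(path):
            value = int(m.group(1), 16)
            if value in DELIMITERS:
                findings.append((layer, m.start(), m.group(0), DELIMITERS[value]))
        decoded = decode_once(path)
        if decoded == path:  # nothing left to decode
            break
        path = decoded
    return findings


if __name__ == "__main__":
    samples = [
        "/servlet/webacc/StatsFin+2%2exls?",  # path from the alert context in this thread
        "/docs/report%252epdf",               # constructed: "." hidden under two layers
        "/index.html?q=a%2eb",                # constructed: escape only in the arguments
    ]
    for uri in samples:
        print(uri, "->", find_encoded_delimiters(uri))
```

A layer-1 hit on "." inside a file name, as in the alert from this thread, is the benign pattern discussed above; hits at layer 2 or deeper, or on "/", "\", CR, LF or NULL, are the ones worth reviewing first.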
