09-22-2004 07:37 AM - edited 03-09-2019 08:51 AM
I have been seeing a lot of IDS Evasive Encoding, sig ID 5249.
The source IP (66.249.64.x) leads to Google Inc.
I would like to know if IE is vulnerable to this signature. I have got a feeling that this might be a popup ad from Google that our IDS is picking up.
Any help will be appreciated. Need to advise my client with the best possible solution.
Thank you
09-22-2004 09:25 AM
I think this signature is in the same category as your earlier post about "IIS Double Decode Error".
What does the URL look like in your alarm context?
I would guess Google and others are getting more complicated with their URL structure, using some of the advanced features of HTTP. With the IIS double decode issue, and probably this issue, the URL contains embedded information in the path and not in the key-value pairs in the URL arguments like we typically see.
Chances are this is not an actual attack, and hence IE is not vulnerable. But I would need to see the alert context to be certain.
09-22-2004 10:27 AM
I think this is what you asked for
Get/servlet/webacc/StatsFin+2%2exls?
ROVUIC9zZXJbGVOL3dIYmFjYy9TdGF0ZpbisyJTJleGxzPw==
09-22-2004 01:05 PM
The IDS is alerting on the "%2e" in your URL, which, in some forms, can be a potentially evasive encoding for a "." in a filename.
This signature was created to detect people trying to change what the URL means by using escaped characters. We alert on file and protocol delimiters for this sig, things such as ".", "/", "\", CR, LF, NULL.
It appears to be used in an innocuous fashion in your case. We will need to revisit this signature in the future if this usage is becoming the 'norm'.
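An added example, not from the thread and not the actual implementation of signature 5249: a Python check for the escaped delimiters listed in the reply above, run on the path from the posted alert context. The function names, the path-only scope and the second decode layer (for double encoding, as in the "IIS Double Decode" case mentioned earlier) are assumptions.

```python
import re

# Delimiters the reply says the signature alerts on when they arrive escaped.
DELIMITERS = {0x2E: ".", 0x2F: "/", 0x5C: "\\", 0x0D: "CR", 0x0A: "LF", 0x00: "NULL"}
ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_once(text):
    """Resolve one layer of %XX escapes; malformed escapes are left untouched."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def escaped_delimiters(url, max_layers=2):
    """Return (layer, offset, escape, delimiter) for each escaped delimiter.

    Layer 1 is the URL as sent. Layer 2 is the result of one decode, which
    exposes double encoding such as %252e (assumption: not stated in the thread).
    Only the path is scanned, not the key-value arguments (also an assumption).
    """
    path = url.split("?", 1)[0]
    hits = []
    for layer in range(1, max_layers + 1):
        for m in ESCAPE.finditer(path):
            name = DELIMITERS.get(int(m.group(1), 16))
            if name:
                hits.append((layer, m.start(), m.group(0), name))
        decoded = decode_once(path)
        if decoded == path:  # nothing left to decode
            break
        path = decoded
    return hits


if __name__ == "__main__":
    # Path taken from the alert context posted in the thread.
    for hit in escaped_delimiters("/servlet/webacc/StatsFin+2%2exls?"):
        print("layer %d, offset %d: %s encodes %s" % hit)
```

A hit only shows that a delimiter was escaped; as the reply notes for this alert, the decoded path still has to be read to judge whether the encoding changes what the URL means.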