[squid-users] [ANNOUNCE]: N.A.D.S. Normalized Attack Detection System

From: Scaramanga <gianni@dont-contact.us>
Date: 23 Jul 2003 14:59:44 +0100

Hi,

Just released version 0.2 of NADS. NADS is a squid ACL helper which
links to libnads, an HTTP URL normalization engine. The aim is to build
a comprehensive HTTP application layer firewall that can withstand
whisker style IDS evasion techniques.

New from 0.1 is the ability to map different sites to different
emulation types, e.g. www.scaramanga.co.uk:80 is set to Apache, while
www.foobar.com:8080 is set to IIS.

Of course, it is free software released under the terms of the GNU GPL
v2. You can download it at:

http://www.scaramanga.co.uk/nads/nads-0.2.tar.gz

It currently normalizes the following evasion techniques:
 o Strips out query string
 o Hex encoding (including double hex encoding)
 o MS UTF-16 (%uNNNN)
 o Overlong UTF-8 encodings
 o Double slashes
 o Backslashes
 o Case normalization
 o . and .. normalized out (e.g. /./foo/../bar/ becomes /bar/)

Here is an example. The URL starts like this (unicode exploit caught in
the wild):

/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe

Then it gets hex decoded:

/msadc/..%5c../..%5c../..%5c/..Á^\../..Á^\../..Á^\../winnt/system32/cmd.exe

Then, because the emulation type is set to IIS, it gets hex decoded again:

/msadc/..\../..\../..\/..Á^\../..Á^\../..Á^\../winnt/system32/cmd.exe

Then overlong UTF-8 encodings are normalized:

/msadc/..\../..\../..\/..\../..\../..\../winnt/system32/cmd.exe

Then the path components are normalized:

/msadc/../../../../../../../../../../../winnt/system32/cmd.exe

Then the code throws up an error, because the normalized path reaches
files outside the webroot.
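The stages above as an added Python illustration (this is not NADS or libnads code): it walks the announcement's sample URL through the same normalizations and then reports whether the path climbs above the webroot. The emulation names 'iis' and 'apache' are assumed; the lenient overlong-UTF-8 folding mirrors the IIS behaviour that turned %c1%1c into a backslash.

```python
import re

HEX = re.compile(rb'%([0-9A-Fa-f]{2})')
UTF16 = re.compile(rb'%u([0-9A-Fa-f]{4})')   # MS-style %uNNNN

def hex_decode(path: bytes) -> bytes:
    """One pass of %uNNNN (to UTF-8) and %XX (to the raw byte) decoding."""
    path = UTF16.sub(lambda m: chr(int(m.group(1), 16)).encode('utf-8'), path)
    return HEX.sub(lambda m: bytes([int(m.group(1), 16)]), path)

def fold_overlong(path: bytes, lenient: bool) -> bytes:
    """Fold 2-byte sequences led by 0xC0/0xC1 (always overlong) into the ASCII byte
    they hide. lenient=True skips the continuation-byte check, as IIS did."""
    out, i = bytearray(), 0
    while i < len(path):
        b = path[i]
        if b in (0xC0, 0xC1) and i + 1 < len(path) and (lenient or 0x80 <= path[i + 1] <= 0xBF):
            out.append(((b & 0x1F) << 6) | (path[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def decode(url: bytes, emulation: str = 'iis') -> bytes:
    """Apply the announcement's normalizations in order (emulation: 'iis' or 'apache', assumed names)."""
    path = url.split(b'?', 1)[0]                      # strip query string
    path = hex_decode(path)
    if emulation == 'iis':                            # IIS decoded the path a second time
        path = hex_decode(path)
    path = fold_overlong(path, lenient=(emulation == 'iis'))
    path = path.replace(b'\\', b'/')                  # backslashes
    path = re.sub(rb'/+', b'/', path)                 # double slashes
    return path.lower() if emulation == 'iis' else path   # case normalization

def resolve(path: bytes):
    """Remove . and .. segments; report whether .. ever climbed above the webroot."""
    segs, escaped = [], False
    for seg in path.split(b'/'):
        if seg in (b'', b'.'):
            continue
        if seg == b'..':
            if segs:
                segs.pop()
            else:
                escaped = True                        # traversal above the webroot
        else:
            segs.append(seg)
    return b'/' + b'/'.join(segs), escaped
```

Running the announcement's sample URL through decode() with the IIS emulation reproduces the fully collapsed path shown above, and resolve() then flags it; with the Apache emulation the %255c sequences are decoded only once and no traversal is reported, which is why the per-site emulation mapping matters.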

Future versions will support fast signature matching too.

Any comments and feedback are very welcome.

-- 
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
Received on Wed Jul 23 2003 - 07:59:51 MDT