Hi, Just released version 0.2 of NADS. NADS is a squid ACL helper which links to libnads, an HTTP URL normalization engine. The aim is to build a comprehensive HTTP application layer firewall that can withstand whisker style IDS evasion techniques.

New from 0.1 is the ability to map different sites to different emulation types, eg: www.scaramanga.co.uk:80 is set to Apache, while www.foobar.com:8080 is set to IIS. Of course, it is free software released under the terms of the GNU GPL v2. You can download it at:

http://www.scaramanga.co.uk/nads/nads-0.2.tar.gz

It currently normalizes the following evasion techniques:

o Strips out query string
o Hex encoding (including double hex encoding)
o MS UTF-16 (%uNNNN)
o Overlong UTF-8 encodings
o Double slashes
o Backslashes
o Case normalization
o . and .. normalized out (eg /./foo/../bar/ becomes /bar/)

Here is an example. The URL starts like this (unicode exploit caught in the wild):

/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe

Then it gets hex decoded (the raw bytes 0xC1 0x1C produced by %c1%1c are shown here as \xc1\x1c):

/msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe

Then it gets hex decoded again (the emulation type is set to IIS):

/msadc/..\../..\../..\/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe

Then overlong UTF-8 encodings are normalized:

/msadc/..\../..\../..\/..\../..\../..\../winnt/system32/cmd.exe

Then the path components are normalized:

/msadc/../../../../../../../../../../../winnt/system32/cmd.exe

Then the code throws up an error, due to accessing files outside the webroot.

Future versions will support fast signature matching too. Any comments and feedback are very welcome.

-- // Gianni Tedesco (gianni at scaramanga dot co dot uk) lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import 8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
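The decoding chain walked through above can be reproduced in a few dozen lines. The following is an added illustration written for this post, not libnads code; the emulation profiles (which server double-decodes and which treats a backslash as a path separator), the function names and the "escapes webroot" report are assumptions made for the example. It runs the same steps in the same order as the walkthrough: strip the query string, percent-decode (%XX and %uNNNN), decode a second time for the IIS profile, fold overlong UTF-8 sequences into their ASCII byte, turn backslashes into slashes, lowercase, collapse double slashes and resolve . and .. segments, reporting whether the path climbed above the webroot instead of raising an error.

```python
"""Toy HTTP URL normalizer modelled on the NADS walkthrough.

Added example, not libnads code.  Emulation profiles, function names and the
(path, escapes_webroot) result shape are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Emulation:
    name: str
    double_decode: bool            # assumption: IIS percent-decoded twice
    backslash_is_separator: bool   # assumption: only IIS treats '\' like '/'


APACHE = Emulation("apache", double_decode=False, backslash_is_separator=False)
IIS = Emulation("iis", double_decode=True, backslash_is_separator=True)

HEX = b"0123456789abcdefABCDEF"


def _hex(chunk: bytes, n: int) -> bool:
    """True if chunk is exactly n hex digits."""
    return len(chunk) == n and all(b in HEX for b in chunk)


def decode_percent(data: bytes) -> bytes:
    """One pass of %XX and MS-style %uNNNN decoding; malformed escapes are kept."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == 0x25:  # '%'
            if data[i + 1:i + 2] in (b"u", b"U") and _hex(data[i + 2:i + 6], 4):
                cp = int(data[i + 2:i + 6], 16)
                out += chr(cp).encode("utf-8", "surrogatepass")  # UTF-16 unit -> UTF-8
                i += 6
                continue
            if _hex(data[i + 1:i + 3], 2):
                out.append(int(data[i + 1:i + 3], 16))
                i += 3
                continue
        out.append(data[i])
        i += 1
    return bytes(out)


def fold_overlong_utf8(data: bytes) -> bytes:
    """Collapse 2- and 3-byte UTF-8 sequences encoding a code point < 0x80 into
    that ASCII byte.  Continuation bytes are read leniently (low six bits only),
    which is exactly why %c1%1c came out as '\\' (0xC1 0x1C -> 0x40 | 0x1C)."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < n:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:
                out.append(cp)
                i += 2
                continue
        elif 0xE0 <= b <= 0xEF and i + 2 < n:
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            if cp < 0x80:
                out.append(cp)
                i += 3
                continue
        out.append(b)
        i += 1
    return bytes(out)


def normalize(url: bytes, emu: Emulation) -> tuple[bytes, bool]:
    """Return (normalized path, True if '..' segments climbed above the webroot)."""
    path = url.split(b"?", 1)[0]            # strip query string
    path = decode_percent(path)             # hex / %uNNNN decoding
    if emu.double_decode:
        path = decode_percent(path)         # second pass (IIS)
    path = fold_overlong_utf8(path)         # overlong UTF-8
    if emu.backslash_is_separator:
        path = path.replace(b"\\", b"/")    # backslashes
    path = path.lower()                     # case normalization
    while b"//" in path:
        path = path.replace(b"//", b"/")    # double slashes
    segments, escapes = [], False
    for seg in path.split(b"/"):            # . and .. normalization
        if seg in (b"", b"."):
            continue
        if seg == b"..":
            if segments:
                segments.pop()
            else:
                escapes = True              # would leave the webroot
            continue
        segments.append(seg)
    result = b"/" + b"/".join(segments)
    if segments and path.endswith(b"/"):
        result += b"/"
    return result, escapes


# Constructed sample: the in-the-wild unicode traversal quoted in the post.
SAMPLE = b"/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe"

if __name__ == "__main__":
    print(normalize(SAMPLE, IIS))     # (b'/winnt/system32/cmd.exe', True)
    print(normalize(SAMPLE, APACHE))  # single decode only, backslashes kept literal
```

Running the sample URL through the IIS profile yields `/winnt/system32/cmd.exe` with the escape flag set, the same condition that makes NADS reject the request; the Apache profile never performs the second decode, so the `%5c` escapes survive as literal text and the request does not resolve to a traversal there.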
