Possible IDS-evasion technique
From: Alla Bezroutchko (alla@scanit.be)
Date: 02/15/02
Date: Fri, 15 Feb 2002 18:20:11 +0100
From: Alla Bezroutchko <alla@scanit.be>
To: vuln-dev@securityfocus.com

I've accidentally found a way to bypass IDS detection for HTTP
requests. I've seen this behaviour on some older version of
IIS RealSecure network IDS and I wonder if this works on any
other IDSes.

That particular IDS was set up to reset connections that match
attack signatures, so I could see immediately if it was detected
or not:

Request:
GET /cgi-bin/phf HTTP/1.0
Connection reset

Request:
GET /cgi-bin/phf
Connection reset

Request:
GET /cgi-bin/phf HTTP/12.0
Connection not reset, HTTP server replies "version not supported"

Request:
GET /cgi-bin/phf HTTP/0.9
Connection not reset, HTTP server replies "file not found"

Apparently the last form of request allows one to get a meaningful
reply from the HTTP server while the IDS does not mind it.

Apache and Netscape Enterprise will happily reply to the last
form of request; I didn't try it on other web servers.

Alla.
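
The behaviour reported above suggests a signature tied to the exact form of the version token. As an added example (not part of the original post and not any IDS vendor's code), here is a request-line check that matches the URI independently of the version and reports an unusual version as its own alert. The signature table, alert names and function name are assumptions made for illustration.

```python
import re

# Constructed signature table; its one entry is the path used in the post.
URI_SIGNATURES = {"phf": re.compile(r"/cgi-bin/phf\b", re.IGNORECASE)}
# Versions this hypothetical sensor treats as normal traffic.
EXPECTED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
VERSION_TOKEN = re.compile(r"^HTTP/\d+\.\d+$", re.IGNORECASE)


def inspect_request_line(line):
    """Return a list of alert strings for one HTTP request line.

    The URI is checked on its own, so the signature verdict does not
    depend on whether, or how, a version token is written.
    """
    parts = line.strip().split()
    if len(parts) < 2:
        return ["malformed-request-line"]
    uri = parts[1]
    version = parts[2] if len(parts) >= 3 else None  # None: no version token

    alerts = []
    for name, pattern in URI_SIGNATURES.items():
        if pattern.search(uri):
            alerts.append("uri-signature:" + name)

    if version is None:
        pass  # simple request without a version, like the second test above
    elif not VERSION_TOKEN.match(version):
        alerts.append("malformed-version:" + version)
    elif version.upper() not in EXPECTED_VERSIONS:
        alerts.append("unexpected-version:" + version)
    if len(parts) > 3:
        alerts.append("extra-tokens")
    return alerts


# The four request lines from the post.
SAMPLES = [
    "GET /cgi-bin/phf HTTP/1.0",
    "GET /cgi-bin/phf",
    "GET /cgi-bin/phf HTTP/12.0",
    "GET /cgi-bin/phf HTTP/0.9",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:32} -> {inspect_request_line(sample)}")
```

All four request lines from the post raise the URI alert, and the last two also raise a version alert.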