Re: Possible IDS-evasion technique
From: Sullo sq (sq@cirt.net)
Date: 02/16/02
- Previous message: Wodahs Latigid: "Re: slocate bug."
- Maybe in reply to: Alla Bezroutchko: "Possible IDS-evasion technique"
- Next in thread: Vadim Berezniker: "Re: Possible IDS-evasion technique"
- Reply: Vadim Berezniker: "Re: Possible IDS-evasion technique"
From: "Sullo sq " <sq@cirt.net>
To: Alla Bezroutchko <alla@scanit.be>, vuln-dev@securityfocus.com
Date: Fri, 15 Feb 2002 18:05:14 -0500
0.9 was (is?) a valid HTTP version, so that is why Netscape/Apache (and most others) are answering the request properly. An IDS _should_ not care about the HTTP version for a signature matching text on 'phf' (of course, I suspect encoding the /cgi-bin/phf string would also fool the IDS in this case...).
Sullo
> I've accidentally found a way to bypass IDS detection for HTTP
> requests. I've seen this behaviour on some older version of
> IIS RealSecure network IDS and I wonder if this works on any
> other IDSes.
[snip]
> Request:
> GET /cgi-bin/phf HTTP/0.9
> Connection not reset, HTTP server replies "file not found"
>
> Apparently the last form of request allows one to get a meaningful
> reply from HTTP server while IDS does not mind it.
>
> Apache and Netscape Enterprise will happily reply to the last
> form of request, didn't try it on other web servers.
>
> Alla.
>
>
____________________________________________________
http://www.cirt.net/
Home of the Nikto scanner, Default Passwords, Ports, SSIDs & more
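
Added example, not part of the original post or of any IDS named in the thread: a minimal request-line check in which the signature match runs on the normalized path and the version token (HTTP/0.9, HTTP/1.0, or absent) is recorded but never decides whether the signature applies. The function names, the double-decode policy and the sample request lines are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

SIGNATURES = ("/cgi-bin/phf",)  # signature text taken from the thread

# Method, target, optional version token (absent in an HTTP/0.9 simple request).
REQUEST_LINE = re.compile(rb"^([A-Za-z]+)[ \t]+(\S+)(?:[ \t]+(\S+))?$")


def normalize_target(raw: bytes) -> str:
    """Return the request path in one canonical form for signature matching."""
    text = raw.decode("latin-1")
    # Decode percent-escapes twice: an assumption that over-matching on
    # double-encoded input is preferable to missing it.
    for _ in range(2):
        text = unquote(text, encoding="latin-1")
    path = text.split("?", 1)[0].replace("\\", "/")
    path = re.sub(r"/+", "/", path)          # collapse repeated slashes
    return posixpath.normpath(path).lower()  # resolve ./ and ../, fold case


def inspect(request_line: bytes) -> dict:
    """Match signatures on the normalized path; the version never gates the match."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return {"alert": True, "hits": ["malformed-request-line"], "version": None}
    _method, target, version = m.groups()
    path = normalize_target(target)
    hits = [sig for sig in SIGNATURES if sig in path]
    return {"alert": bool(hits), "hits": hits,
            "version": version.decode("latin-1") if version else None}


# Constructed sample request lines, not captured traffic.
SAMPLES = [
    b"GET /cgi-bin/phf HTTP/1.0\r\n",
    b"GET /cgi-bin/phf HTTP/0.9\r\n",    # the request form quoted in the thread
    b"GET /cgi-bin/phf\r\n",             # simple request with no version token
    b"GET /cgi-bin/%70hf HTTP/0.9\r\n",  # percent-encoded path
    b"GET /index.html HTTP/1.0\r\n",     # benign
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, inspect(line))
```

Folding case and decoding twice trade some false positives for fewer misses; a sensor tuned to one specific web server would mirror that server's own decoding rules instead.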