Vulnerability Development mailing list archives
Re: Possible IDS-evasion technique
From: Vadim Berezniker <vadim () berezniker com>
Date: Fri, 15 Feb 2002 21:39:22 -0500
Sullo sq wrote:
> 0.9 was (is?) a valid HTTP version, so that is why Netscape/Apache
> (and most others) are answering the request properly. An IDS
> _should_ not care the HTTP version for a signature matching text on
> 'phf'. (of course, I suspect encoding /cgi-bin/phf string would
> also fool the IDS in this case...).
>
> Sullo
>
>Try sending HTTP/239.73, and Apache (and probably others) will still respond.

I believe they just respond to it as if it was a 1.1 request. I don't know what it does when you specify something like 0.1.

--
WWW: http://www.kryptolus.com
AIM: Kryptolus
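
An added example, not part of the original post or the thread: a Python sketch of detection logic that matches the 'phf' path whatever version token follows it and percent-decodes the target first, the two points raised in the message above. The function names and sample request lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/phf"               # path named in the thread
KNOWN_VERSIONS = ("HTTP/1.0", "HTTP/1.1")

# Method, target, optional version token. The version is captured loosely on
# purpose: the thread reports servers answering HTTP/239.73, and an HTTP/0.9
# request line carries no version token at all.
REQUEST_LINE = re.compile(r"^(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def normalize_target(target, max_rounds=3):
    """Return the request path with the query dropped and encoding undone."""
    path = target.split("?", 1)[0]
    # Decode more than once in case something downstream decodes again;
    # over-decoding here can only cost a false positive.
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/+", "/", path)      # collapse repeated slashes

def check_request_line(line):
    """Return (signature_hit, unusual_version) for one HTTP request line."""
    m = REQUEST_LINE.match(line)
    if not m:
        return (False, False)
    _method, target, version = m.groups()
    hit = normalize_target(target).startswith(SIGNATURE)
    # The version never gates the signature; it is reported separately.
    return (hit, version not in KNOWN_VERSIONS)

# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /cgi-bin/phf HTTP/1.0",
    "GET /cgi-bin/phf HTTP/239.73",
    "GET /cgi-bin/phf",
    "GET /cgi-bin/%70hf HTTP/0.1",
    "GET //cgi-bin//phf?x=1 HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_request_line(sample), sample)
```
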