Vulnerability Development mailing list archives
Possible IDS-evasion technique
From: Alla Bezroutchko <alla () scanit be>
Date: Fri, 15 Feb 2002 18:20:11 +0100
I've accidentally found a way to bypass IDS detection for HTTP requests. I've seen this behaviour on some older version of IIS RealSecure network IDS and I wonder if this works on any other IDSes. That particular IDS was set up to reset connections that match attack signatures, so I could see immediately if it was detected or not:

Request: GET /cgi-bin/phf HTTP/1.0
Connection reset

Request: GET /cgi-bin/phf
Connection reset

Request: GET /cgi-bin/phf HTTP/12.0
Connection not reset, HTTP server replies "version not supported"

Request: GET /cgi-bin/phf HTTP/0.9
Connection not reset, HTTP server replies "file not found"

Apparently the last form of request allows one to get a meaningful reply from the HTTP server while the IDS does not mind it. Apache and Netscape Enterprise will happily reply to the last form of request; I didn't try it on other web servers.

Alla.
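
A detection-side sketch of the issue raised in this post, added here as an example (it is not part of the original message and is not any IDS vendor's code): the request target is matched independently of the version token, and any version token other than HTTP/1.0 or HTTP/1.1 is flagged separately. The signature list, alert strings and function names are assumptions made for the illustration.

```python
# Assumed signature list; /cgi-bin/phf is the path used in the post above.
SIGNATURE_PATHS = ("/cgi-bin/phf",)
# Version tokens treated as ordinary; anything else raises its own alert.
KNOWN_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}


def parse_request_line(line):
    """Split a request line into (method, target, version).

    version is None when no version token is present (a simple request,
    the second form in the post). Returns None if the line has neither
    two nor three whitespace-separated fields.
    """
    parts = line.strip().split()
    if len(parts) == 2:
        return parts[0], parts[1], None
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    return None


def inspect(line):
    """Return the list of alerts for one request line."""
    parsed = parse_request_line(line)
    if parsed is None:
        return ["malformed-request-line"]
    _method, target, version = parsed
    alerts = []
    # Match on the path alone, so the verdict never depends on the version.
    path = target.split("?", 1)[0]
    if any(path == p or path.startswith(p + "/") for p in SIGNATURE_PATHS):
        alerts.append("signature:" + path)
    # An unexpected version token is itself worth an alert.
    if version is not None and version.upper() not in KNOWN_VERSIONS:
        alerts.append("unusual-version:" + version)
    return alerts


if __name__ == "__main__":
    # The four request forms from the post, plus one benign constructed line.
    for sample in ("GET /cgi-bin/phf HTTP/1.0", "GET /cgi-bin/phf",
                   "GET /cgi-bin/phf HTTP/12.0", "GET /cgi-bin/phf HTTP/0.9",
                   "GET /index.html HTTP/1.1"):
        print(sample, "->", inspect(sample))
```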