Vulnerability Development mailing list archives

Re: Possible IDS-evasion technique


From: "Sullo sq " <sq () cirt net>
Date: Fri, 15 Feb 2002 18:05:14 -0500

0.9 was (is?) a valid HTTP version, so that is why Netscape/Apache (and most others) are answering the request 
properly.  An IDS _should_ not care about the HTTP version for a signature matching text on 'phf'.  (Of course, I suspect 
encoding the /cgi-bin/phf string would also fool the IDS in this case...)

Sullo

I've accidentally found a way to bypass IDS detection for HTTP
requests. I've seen this behaviour on some older version of 
ISS RealSecure network IDS and I wonder if this works on any 
other IDSes.
[snip]
Request:
GET /cgi-bin/phf HTTP/0.9
Connection not reset, HTTP server replies "file not found"

Apparently the last form of request allows one to get a meaningful
reply from the HTTP server while the IDS does not mind it.

Apache and Netscape Enterprise will happily reply to the last
form of request; I didn't try it on other web servers.

Alla.



____________________________________________________
http://www.cirt.net/
Home of the Nikto scanner, Default Passwords, Ports, SSIDs & more
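The point Sullo makes, that a signature for 'phf' should key on the request target and not on the HTTP version token, can be shown with a small request-line matcher. The following is an added example written for this archive page; it is not code from the thread, from RealSecure, or from any IDS product. The sample request lines are constructed, and the "version-anchored" rule is a hypothetical stand-in for a rule that only considers HTTP/1.x request lines (the actual RealSecure rule is not known from the thread). The version-agnostic matcher parses the request line with an optional version token (a true HTTP/0.9 simple request has none), percent-decodes the path once to cover the encoding caveat Sullo raises, and then matches the signature on the normalized path.

```python
"""Version-agnostic request-line matching, as a defender-side illustration.

Added example, not code from the original thread or from any IDS product.
Request lines below are constructed; VERSION_ANCHORED is a hypothetical
stand-in for a rule that keys on HTTP/1.x and so misses other forms.
"""
import re
from urllib.parse import unquote

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUEST_LINES = [
    "GET /cgi-bin/phf HTTP/1.0",
    "GET /cgi-bin/phf HTTP/0.9",      # the form discussed in the thread
    "GET /cgi-bin/phf",               # HTTP/0.9 simple request: no version token
    "GET /cgi-bin/%70hf HTTP/1.1",    # percent-encoded path (the encoding caveat)
    "GET /index.html HTTP/1.1",       # benign request
]

# Hypothetical weak rule: only fires on HTTP/1.x request lines.
VERSION_ANCHORED = re.compile(r"^GET[ \t]+/cgi-bin/phf[ \t]+HTTP/1\.\d$")


def version_anchored_match(line):
    """Stand-in for a signature that depends on the HTTP version token."""
    return VERSION_ANCHORED.match(line) is not None


# Request-line grammar: METHOD SP request-target [SP HTTP/major.minor]
REQUEST_LINE = re.compile(r"^([A-Z]+)[ \t]+(\S+)(?:[ \t]+HTTP/(\d+\.\d+))?[ \t]*$")


def parse_request_line(line):
    """Return method, target and version; a missing version token means HTTP/0.9."""
    m = REQUEST_LINE.match(line)
    if m is None:
        return None
    method, target, version = m.groups()
    return {"method": method, "target": target, "version": version or "0.9"}


def normalize_path(target):
    """Drop the query string, undo one layer of percent-encoding, fold case."""
    path = target.split("?", 1)[0]
    path = unquote(path)
    path = re.sub(r"/+", "/", path)   # collapse repeated slashes
    return path.lower()


SIGNATURES = ("/cgi-bin/phf",)


def version_agnostic_match(line):
    """Match the signature on the normalized path, whatever the version token."""
    req = parse_request_line(line)
    if req is None:
        return True   # unparseable request line: flag it for inspection rather than drop it
    path = normalize_path(req["target"])
    return any(sig in path for sig in SIGNATURES)


def compare(lines):
    """Return (line, anchored_rule_fires, agnostic_rule_fires) for each request line."""
    return [(line, version_anchored_match(line), version_agnostic_match(line))
            for line in lines]


if __name__ == "__main__":
    for line, weak, strong in compare(SAMPLE_REQUEST_LINES):
        print(f"{line!r:34} anchored={weak!s:5} agnostic={strong}")
```

Running the block shows the version-anchored rule firing only on the HTTP/1.0 line, while the version-agnostic matcher fires on the HTTP/0.9 line, on the bare simple-request form and on the percent-encoded path, and stays quiet on the benign request. The single `unquote` call is deliberate: decoding once mirrors what the web server does with the path, so the matcher sees the same string the server acts on.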

