Hi,

That's an anti-IDS technique. CUM security toolkit lets you modify a lot of headers.

js

Joao Gouveia wrote:

>Hello list,
>
>I've got today a series of alerts logged on my IDS regarding multiple
>known web servers/applications vulnerabilities.
>In a normal situation, I would find that "normal", since it happens on a
>regular basis.
>The strange thing of this scan, with fixed source I.P., was that, by
>analyzing packet payload, I noticed that the User-Agent host header user
>contained different (very different) values for each request. And I do
>mean a different user-agent for each one.
>The first thing that came to mind was that it might just be a gateway or
>some kind of proxy forwarding the requests. But I would find that rather
>difficult, mainly because of two facts:
>A - Source port always increments by one.
>B - All requests (96) were made on an interval window of 7 seconds.
>
>My question is simple and related only with curiosity. Does anyone here
>know of a tool that acts like this?
>
>For the curious, the user-agents sent were all variations of:
>Mozilla/3.01
>Mozilla/4.0
>Mozilla/4.6
>Mozilla/4.7
>Mozilla/4.72
>Mozilla/4.73
>
>
>Thanks in advance,
>
>Joao Gouveia
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>

-- 
Jorge Silva
This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 08:26:25 PDT
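
A defender-side sketch of the pattern described in the thread, added here as an example and not part of the original messages: it flags a source IP that, within a short window, sends many requests with mostly unique User-Agent values while its source port increments by one (which argues against a proxy relaying many clients). The event tuple layout, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

def make_sample():
    """Constructed events: (timestamp_seconds, src_ip, src_port, user_agent)."""
    bases = ["Mozilla/3.01", "Mozilla/4.0", "Mozilla/4.6",
             "Mozilla/4.7", "Mozilla/4.72", "Mozilla/4.73"]
    # Scanner-like source: 96 requests in 7 s, port +1 each time, unique UA each time.
    scan = [(i * 7.0 / 96, "192.0.2.10", 40000 + i, f"{bases[i % 6]} (variant {i})")
            for i in range(96)]
    # Proxy-like source: varied agents, but spread out in time with scattered ports.
    proxy = [(i * 30.0, "198.51.100.5", 1024 + (i * 7919) % 50000, f"Mozilla/4.{i % 5}")
             for i in range(20)]
    return scan + proxy

def find_ua_rotation(events, window=10.0, min_requests=20,
                     min_ua_ratio=0.8, min_seq_ratio=0.8):
    """Return {src_ip: stats} for sources rotating User-Agent inside one burst."""
    by_src = defaultdict(list)
    for ts, ip, port, ua in events:
        by_src[ip].append((ts, port, ua))
    findings = {}
    for ip, rows in by_src.items():
        rows.sort()                      # order by timestamp
        start = 0
        for end in range(len(rows)):
            # Slide the window so it never spans more than `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            burst = rows[start:end + 1]
            if len(burst) < min_requests:
                continue
            distinct = len({ua for _, _, ua in burst})
            steps = [b[1] - a[1] for a, b in zip(burst, burst[1:])]
            seq_ratio = sum(1 for s in steps if s == 1) / len(steps)
            if distinct / len(burst) >= min_ua_ratio and seq_ratio >= min_seq_ratio:
                best = findings.get(ip)
                if best is None or len(burst) > best["requests"]:
                    findings[ip] = {"requests": len(burst),
                                    "distinct_uas": distinct,
                                    "seq_port_ratio": seq_ratio}
    return findings

if __name__ == "__main__":
    for ip, stats in find_ua_rotation(make_sample()).items():
        print(ip, stats)
```

The sequential-port check only holds when the sensor sees the client's real source port, that is, before any NAT or load balancer rewrites it.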