Possible IDS-evasion technique

From: Alla Bezroutchko (allaat_private)
Date: Fri Feb 15 2002 - 09:20:11 PST


    I've accidentally found a way to bypass IDS detection for HTTP
    requests. I've seen this behaviour on some older version of
    ISS RealSecure network IDS and I wonder if this works on any
    other IDSes.
    
    That particular IDS was set up to reset connections that match
    attack signatures, so I could see immediately if it was detected
    or not:
    
    Request: 
    GET /cgi-bin/phf HTTP/1.0
    Connection reset
    
    Request: 
    GET /cgi-bin/phf
    Connection reset
    
    Request:
    GET /cgi-bin/phf HTTP/12.0
    Connection not reset, HTTP server replies "version not supported"
    
    Request:
    GET /cgi-bin/phf HTTP/0.9
    Connection not reset, HTTP server replies "file not found"
    
    Apparently the last form of request allows one to get a meaningful
    reply from the HTTP server while the IDS does not mind it.
    
    Apache and Netscape Enterprise will happily reply to the last
    form of request; I didn't try it on other web servers.
    
    Alla.
    
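The following is an added example, not code from Alla's post or from any IDS vendor. It rebuilds the four request lines from the message as constructed byte strings, and contrasts two ways of matching them: a hypothetical signature anchored on the HTTP/1.x version token, written only so that it reproduces the reset/no-reset pattern observed above (it is not RealSecure's actual rule), and a check that parses the request line loosely and matches on the decoded URI path regardless of whatever follows it. A small `probe` helper is included to send one raw request line to a server and report whether the connection is reset; the host and port are parameters you supply.

```python
"""
Added example: version-token-anchored signature vs. URI-based matching
for HTTP request lines. The "naive" signature below is a hypothetical
reconstruction chosen to reproduce the observed behaviour; it is not the
real IDS rule. VARIANTS are constructed from the request lines in the post.
"""
import re
import socket
from urllib.parse import unquote

# Constructed request lines, one per variant described in the post.
VARIANTS = {
    "http10":  b"GET /cgi-bin/phf HTTP/1.0\r\n",   # reset by the IDS
    "simple":  b"GET /cgi-bin/phf\r\n",            # reset by the IDS
    "http120": b"GET /cgi-bin/phf HTTP/12.0\r\n",  # not reset
    "http09":  b"GET /cgi-bin/phf HTTP/0.9\r\n",   # not reset, server answers
}

# Hypothetical signature: request line for /cgi-bin/phf, either bare or
# followed by an HTTP/1.0 or HTTP/1.1 token, then end of line. Anything
# else after the URI (HTTP/12.0, HTTP/0.9) falls outside the pattern.
NAIVE_SIG = re.compile(rb"^GET /cgi-bin/phf(?: HTTP/1\.[01])?\r?\n")


def naive_match(raw: bytes) -> bool:
    """Signature that is tied to the version token (the weak form)."""
    return NAIVE_SIG.match(raw) is not None


# Paths the detector cares about; the check below ignores the version token.
WATCHED_PATHS = {"/cgi-bin/phf"}


def request_path(raw: bytes):
    """Loosely parse a request line into its URI path.

    Accepts 'METHOD URI', 'METHOD URI VERSION', or 'METHOD URI junk'; returns
    the percent-decoded path with any query string removed, or None if the
    line has fewer than two fields.
    """
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    parts = line.split()
    if len(parts) < 2:
        return None
    uri = parts[1].decode("latin-1")
    path = uri.split("?", 1)[0]
    return unquote(path)


def robust_match(raw: bytes) -> bool:
    """Match on the decoded URI path only, whatever follows it."""
    path = request_path(raw)
    return path is not None and path in WATCHED_PATHS


def classify(raw: bytes) -> dict:
    """Return both verdicts for one request line."""
    return {"naive": naive_match(raw), "robust": robust_match(raw)}


def probe(host: str, port: int, raw: bytes, timeout: float = 5.0) -> bytes:
    """Send one raw request line to host:port and return the first bytes of the
    reply, or b'' if the connection is reset before anything comes back.
    (Network helper; not exercised by the offline checks.)"""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(raw + b"\r\n")
        try:
            return s.recv(4096)
        except ConnectionResetError:
            return b""


if __name__ == "__main__":
    for name, line in VARIANTS.items():
        print(f"{name:8s} {classify(line)}")
```

Run stand-alone, the script shows the naive signature firing only on the first two variants while the path-based check fires on all four, including a percent-encoded spelling of the path. To reproduce the observation against a real server behind an inline IDS, call `probe(host, port, VARIANTS["http09"])` and compare with `probe(host, port, VARIANTS["http10"])`.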



    This archive was generated by hypermail 2b30 : Fri Feb 15 2002 - 11:48:40 PST