0.9 was (is?) a valid HTTP version, so that is why Netscape/Apache (and most others) are answering the request properly. An IDS _should_ not care about the HTTP version for a signature matching text on 'phf'. (Of course, I suspect encoding the /cgi-bin/phf string would also fool the IDS in this case...)

Sullo

> I've accidentally found a way to bypass IDS detection for HTTP
> requests. I've seen this behaviour on some older version of
> IIS RealSecure network IDS and I wonder if this works on any
> other IDSes.

[snip]

> Request:
> GET /cgi-bin/phf HTTP/0.9
> Connection not reset, HTTP server replies "file not found"
>
> Apparently the last form of request allows to get a meaningful
> reply from HTTP server while IDS does not mind it.
>
> Apache and Netscape Enterprise will happily reply to the last
> form of request, didn't try it on other web servers.
>
> Alla.
>
> ____________________________________________________

http://www.cirt.net/ Home of the Nikto scanner, Default Passwords, Ports, SSIDs & more
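The point in Sullo's reply (a signature on 'phf' should not depend on the HTTP version token, and URL-encoding the path would dodge a literal match just as well) as an added example that is not part of the original thread. It contrasts a naive request-line signature anchored on `HTTP/1.x` with a version-agnostic check that parses the request line, URL-decodes the path and matches on the path alone. The request lines are constructed sample data and the two detectors are hypothetical, not RealSecure's logic; the bare `GET /cgi-bin/phf` form is the RFC 1945 HTTP/0.9 simple request, which carries no version token at all.

```python
"""
Added example: why an HTTP IDS signature that is anchored on the version
token misses 'GET /cgi-bin/phf HTTP/0.9' (and an encoded path), and what a
version-agnostic signature looks like. Detectors and inputs are
constructed for illustration; they are not the code of any real IDS.
"""
import re
from urllib.parse import unquote

# Constructed sample request lines, as an IDS would see them on the wire.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/phf HTTP/1.0",     # textbook phf probe
    "GET /cgi-bin/phf HTTP/0.9",     # the bypass form from the post
    "GET /cgi-bin/phf",              # RFC 1945 HTTP/0.9 simple request, no version
    "GET /cgi-bin/%70hf HTTP/1.0",   # 'p' of 'phf' URL-encoded
    "GET /index.html HTTP/1.0",      # benign request
]

# Naive signature: the whole request line must match, including an
# HTTP/1.x version token, so a 0.9 request or an encoded path never fires.
NAIVE_SIG = re.compile(r"^GET /cgi-bin/phf HTTP/1\.[01]$")


def naive_match(request_line: str) -> bool:
    """Literal, version-anchored signature (the weak detector)."""
    return NAIVE_SIG.match(request_line) is not None


def parse_request_line(request_line: str):
    """Split a request line into (method, path, version).

    Two tokens means an HTTP/0.9 simple request, which has no version
    field; three tokens is the HTTP/1.x (or 'HTTP/0.9') full form.
    Anything else is not a request line we understand.
    """
    parts = request_line.split()
    if len(parts) == 2:
        return parts[0], parts[1], "HTTP/0.9"
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    return None


def normalize_path(path: str) -> str:
    """URL-decode and lower-case the path so encoding tricks collapse."""
    return unquote(path).lower()


def robust_match(request_line: str) -> bool:
    """Version-agnostic signature: match 'phf' on the normalized path only."""
    parsed = parse_request_line(request_line)
    if parsed is None:
        return False
    _method, path, _version = parsed
    return "/cgi-bin/phf" in normalize_path(path)


def run_detectors(requests):
    """Return (request_line, naive_hit, robust_hit) for each sample."""
    return [(r, naive_match(r), robust_match(r)) for r in requests]


if __name__ == "__main__":
    for line, naive_hit, robust_hit in run_detectors(SAMPLE_REQUESTS):
        print(f"{line!r:36} naive={naive_hit!s:5} robust={robust_hit}")
```

Running it shows the naive signature firing only on the first line, while the version-agnostic check also catches the `HTTP/0.9`, the bare simple-request and the `%70hf` forms without flagging the benign request. The general lesson is the same one Sullo draws: match the protocol field the attack actually lives in (here the decoded path), not incidental framing such as the version token.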
This archive was generated by hypermail 2b30 : Fri Feb 15 2002 - 18:35:20 PST