Re: Possible IDS-evasion technique

From: Vadim Berezniker (vadimat_private)
Date: Fri Feb 15 2002 - 18:39:22 PST

Next message: Kurt Seifried: "Re: slocate bug."

Previous message: Aramis Orlando: "VIM Buffer Overflow"
In reply to: Sullo sq : "Re: Possible IDS-evasion technique"
Next in thread: Burak DAYIOGLU: "Re: Possible IDS-evasion technique"
Reply: Burak DAYIOGLU: "Re: Possible IDS-evasion technique"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Sullo sq wrote:
 > 0.9 was (is?) a valid HTTP version, so that is why Netscape/Apache
 > (and most others) are answering the request properly.  An IDS
 > _should_ not care the HTTP version for a signature matching text on
 > 'phf'.  (of course, I suspect encoding /cgi-bin/phf string would
 > also fool the IDS in this case...).
 >
 > Sullo
 >
 >

Try sending HTTP/239.73, and Apache (and probably others) will still 
respond.
I believe they just respond to it as if it was a 1.1 request.
I don't know what it does when you specify something like 0.1

-- 
WWW: http://www.kryptolus.com
AIM: Kryptolus

Next message: Kurt Seifried: "Re: slocate bug."
Previous message: Aramis Orlando: "VIM Buffer Overflow"
In reply to: Sullo sq : "Re: Possible IDS-evasion technique"
Next in thread: Burak DAYIOGLU: "Re: Possible IDS-evasion technique"
Reply: Burak DAYIOGLU: "Re: Possible IDS-evasion technique"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Feb 16 2002 - 09:01:28 PST