Re: Possible IDS-evasion technique

From: Burak DAYIOGLU (dayiogluat_private)
Date: Wed Feb 27 2002 - 02:41:19 PST

Next message: 3APA3A: "Details and exploitation of buffer overflow in mshtml.dll (and few sidenotes on Unicode overflows in general)"

Previous message: Jim Kovalchuk: "Re: Quick SNMP Payload Structure Question"
In reply to: Vadim Berezniker: "Re: Possible IDS-evasion technique"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Vadim Berezniker wrote:

> Try sending HTTP/239.73, and Apache (and probably others) will still 
> respond.
> I believe they just respond to it as if it was a 1.1 request.
> I don't know what it does when you specify something like 0.1

This, one again, shows that keeping applications/systems and NIDS's in 
sync is a
difficult and almost impossible. A perfect NIDS does not only have to 
know the
-correct- protocol behavior but also the -broken but popular- behaviors 
as well.

-- 
Burak DAYIOGLU
Phone: +90 312 2103379      Fax: +90 312 2103333
http://www.dayioglu.net        ICQ UIN: 72276975

Next message: 3APA3A: "Details and exploitation of buffer overflow in mshtml.dll (and few sidenotes on Unicode overflows in general)"
Previous message: Jim Kovalchuk: "Re: Quick SNMP Payload Structure Question"
In reply to: Vadim Berezniker: "Re: Possible IDS-evasion technique"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 17:10:25 PST