File: 1171.txt

snort 2.7.0-20.4
Rule:  

Sid:
1171

--

Summary:
This event is generated when an attempt is made to evade an
IDS in a possible web attack by sending an obfuscated request 
using HEAD.

--
Impact:
Unknown.

--
Detailed Information:
Some CGI attacks can be accomplished by using HEAD instead of GET.
This method can be used by an attacker to obfuscate attacks or
reconnaissance in an attempt to evade IDS systems.
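
The following is an added illustration, not part of the original rule documentation and not the logic of the Snort rule itself. It shows why a signature anchored to the GET method misses the same CGI request sent with HEAD, and how matching on the URI independently of the method closes the gap. The request payloads, the watched prefix and all function names are constructed for the example.

```python
import re

# Constructed sample request payloads (illustrative, not captured traffic).
SAMPLE_REQUESTS = [
    b"GET /cgi-bin/example.cgi?id=1 HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"HEAD /cgi-bin/example.cgi?id=1 HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"HEAD /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

# Assumed watch list of URI prefixes that the sensor cares about.
WATCHED_PREFIXES = ("/cgi-bin/",)

REQUEST_LINE = re.compile(rb"([A-Z]+) +(\S+) +HTTP/\d\.\d")


def parse_request_line(payload):
    """Return (method, uri) from the first line of an HTTP request, or None."""
    first_line = payload.split(b"\r\n", 1)[0]
    match = REQUEST_LINE.fullmatch(first_line)
    if match is None:
        return None
    return match.group(1).decode("ascii"), match.group(2).decode("ascii", "replace")


def get_only_match(payload):
    """Signature anchored to the GET method: the pattern a HEAD request slips past."""
    return any(payload.startswith(b"GET " + p.encode("ascii")) for p in WATCHED_PREFIXES)


def method_agnostic_match(payload):
    """Match on the URI whatever the method; return (method, uri) on a hit."""
    parsed = parse_request_line(payload)
    if parsed is not None and parsed[1].startswith(WATCHED_PREFIXES):
        return parsed
    return None


def triage(payloads):
    """List (method, uri, seen_by_get_only) for every request to a watched URI."""
    hits = []
    for payload in payloads:
        hit = method_agnostic_match(payload)
        if hit is not None:
            hits.append((hit[0], hit[1], get_only_match(payload)))
    return hits


if __name__ == "__main__":
    for method, uri, seen in triage(SAMPLE_REQUESTS):
        print(f"{method:5} {uri:30} GET-only signature fired: {seen}")
```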

--
Affected Systems:
	All systems running a web server.
 
--
Attack Scenarios:
An attacker runs an automated tool, like Whisker, or sends a hand-crafted
attack to a web server.

--
Ease of Attack:
Simple. Automated tools are available.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Examine the packet to determine what kind of attack or probe was launched.

--
Contributors:
Original rule writer unknown
Original document author unknown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--