File: 119-3.txt

Rule: 

--
Sid: 
119-3

-- 
Summary: 
This event is generated when the pre-processor http_inspect
detects network traffic that may constitute an attack.

-- 

Impact: 
Unknown. This may be an attempt to evade an IDS.

--
Detailed Information:
This event is generated when Unicode characters are present in a request
sent to a web server. This may indicate an attempt to evade an IDS in an
attempted attack against the server.

No known browsers use Unicode encoding, so it is likely that this event
indicates a malicious request.
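
When following up on this event, the same condition can be looked for in the web server's own access log. The script below is an added example, not part of the Snort documentation or code base; it assumes the encoding in question is the IIS-style %uXXXX escape and that the log is in common log format, and its log lines are constructed sample data.

```python
import re

# Assumption: "Unicode encoding" here means the IIS-style %uXXXX escape
# (percent, 'u', four hex digits). Matching 'U' too is this example's choice.
U_ESCAPE = re.compile(r"%[uU]([0-9a-fA-F]{4})")
# Request line of a common-log-format entry: "METHOD URI HTTP/x.y"
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/\d\.\d"')

# Constructed sample entries (documentation-range addresses, harmless paths).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2008:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2008:10:00:05 +0000] "GET /docs/%u0072eadme.txt HTTP/1.0" 404 0
192.0.2.10 - - [01/Jan/2008:10:00:09 +0000] "GET /search?q=100%25 HTTP/1.1" 200 90
198.51.100.7 - - [01/Jan/2008:10:00:11 +0000] "GET /a%U002Fb%ud800 HTTP/1.0" 400 0
"""


def decode_u_escapes(uri):
    """Return (uri with each %uXXXX replaced by its character, escape count)."""
    def repl(match):
        cp = int(match.group(1), 16)
        # A lone surrogate is not a valid character; show U+FFFD instead.
        return "\ufffd" if 0xD800 <= cp <= 0xDFFF else chr(cp)
    return U_ESCAPE.subn(repl, uri)


def scan_log(text):
    """Return (client, raw_uri, decoded_uri, escape_count) for flagged requests."""
    hits = []
    for line in text.splitlines():
        req = REQUEST.search(line)
        if not req:
            continue  # not a parseable request line
        decoded, count = decode_u_escapes(req.group(1))
        if count:
            hits.append((line.split()[0], req.group(1), decoded, count))
    return hits


if __name__ == "__main__":
    for client, raw, decoded, count in scan_log(SAMPLE_LOG):
        print(f"{client} {count} escape(s): {raw!r} -> {decoded!r}")
```

Ordinary percent-encoding such as `%25` is deliberately not flagged; only requests carrying at least one %uXXXX escape are returned, with the decoded URI alongside the raw one for review.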

--
Affected Systems:
	Microsoft IIS Servers.

--

Attack Scenarios: 
An attacker might encode a malicious request to the web server using
Unicode characters. The encoded request may evade an IDS monitoring the
traffic, allowing the attacker to launch a successful attack without
being detected.

-- 

Ease of Attack: 
Simple. Exploits exist.

-- 

False Positives:
None Known.

--
False Negatives:
None Known.

-- 

Corrective Action:
Check the target host for signs of compromise.

Apply any appropriate vendor-supplied patches.

--
Contributors:
Daniel Roelker <droelker@sourcefire.com> 
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

HTTP IDS Evasions Revisited - Daniel Roelker
http://docs.idsresearch.org/http_ids_evasions.pdf

--