File: 1087.txt

snort 2.9.7.0-5
Rule:  

Sid:
1087

--

Summary:
This event is generated when an attempt is made to evade an IDS in a 
possible web attack by obfuscating the request with tabs.

--
Impact:
Unknown.

--
Detailed Information:
Some web servers (e.g., some versions of Apache) will interpret tabs
as spaces in web requests.  Some tools (e.g., Whisker) use this in an
attempt to evade an IDS whose signatures expect the request fields to
be separated by spaces.

--
Affected Systems:
	All systems running a web server

--
Attack Scenarios:
An attacker runs an automated tool, like Whisker, against a web server, or
runs an attack by hand with a URL similar to:  GET<tab>/<tab>HTML/1.0

--
Ease of Attack:
Simple. Automated tools are available.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Examine the packet to see if a web request was being made. Try to
determine what the requested item was (e.g., a file or CGI), and determine
from the web server's configuration whether it was a threat or not
(e.g., whether the requested file or CGI even existed or was vulnerable).
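
One way to carry out the check described above, as an added example (not
Snort's code and not the rule's own logic): parse the first line of a payload
the lenient way, report whether tabs were used as separators, and extract the
requested item. The function names, method list and sample payloads are
constructed for this example.

```python
import re

# Methods to recognise; a constructed, non-exhaustive list for this example.
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
# Split on runs of space or tab, the way a lenient web server would.
LENIENT_SEP = re.compile(rb"[ \t]+")


def inspect_request_line(payload: bytes) -> dict:
    """Parse the first line of a payload leniently and report whether tabs
    appear where the protocol expects single spaces."""
    line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    parts = LENIENT_SEP.split(line.strip(b" \t"))
    result = {"is_request": False, "tab_separated": False,
              "method": None, "target": None, "normalized": None}
    # Two fields covers HTTP/0.9 style requests, three covers 1.x.
    if len(parts) not in (2, 3) or parts[0].decode("latin-1") not in METHODS:
        return result  # not something a web server would treat as a request
    result["is_request"] = True
    result["method"] = parts[0].decode("latin-1")
    result["target"] = parts[1].decode("latin-1")  # the requested file or CGI
    # The lenient split consumed every tab, so any tab present was a separator.
    result["tab_separated"] = b"\t" in line
    # Form to compare against server configuration and space-based signatures.
    result["normalized"] = b" ".join(parts).decode("latin-1")
    return result


SAMPLES = [  # constructed payloads, not captured traffic
    b"GET /index.html HTTP/1.0\r\n\r\n",
    b"GET\t/cgi-bin/test.cgi\tHTTP/1.0\r\n\r\n",
    b"HEAD \t/ HTTP/1.0\r\n\r\n",
    b"\x16\x03\x01\x00\x05hello",  # not HTTP at all
]


def triage(payloads):
    """Return the parsed results for payloads that used tab separators."""
    return [r for r in map(inspect_request_line, payloads) if r["tab_separated"]]


if __name__ == "__main__":
    for hit in triage(SAMPLES):
        print(f"tab-separated request: {hit['normalized']!r} -> {hit['target']}")
```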

--
Contributors:
Original rule writer unknown
Original document author unknown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Alex Kirk <alex.kirk@sourcefire.com>

--
Additional References:
Arachnids:  415
URL:  www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html

--