Snort Signature Information
Rule:
--
Sid:
119-2
--
Summary:
This event is generated when the pre-processor http_inspect detects network traffic that may constitute an attack.
--
Impact:
Unknown. This may be an attempt to evade an IDS.
--
Detailed Information:
This event is generated when double encoded characters are detected in web traffic. This is abnormal behavior and may be an indicator of a possible attack against a vulnerable system.
This may also be an attempt to evade an IDS.
Note: This pre-processor is designed to detect attacks aimed at servers, it needs to be configured to monitor for the servers being protected. Outbound client traffic may result in a high rate of false positive events.
This event can be controlled using the ((http_inspect)) configuration options.
--
Affected Systems:
Microsoft IIS Servers.
--
Attack Scenarios:
An attacker might double encode the request to the web server, this may then evade an IDS monitoring traffic and could then launch a successful attack without being detected.
--
Ease of Attack:
Simple. Exploits exist.
--
False Positives:
None Known.
--
False Negatives:
None Known.
--
Corrective Action:
Check the target host for signs of compromise.
Apply any appropriate vendor supplied patches.
Upgrade to the latest non-affected version of the software
Use Apache.
--
Contributors:
Daniel Roelker
Sourcefire Vulnerability Research Team
Nigel Houghton
--
Additional References:
HTTP IDS Evasions Revisited - Daniel Roelker
http://docs.idsresearch.org/http_ids_evasions.pdf
--
This site is run by the rootedyour.com team, publishing of the Snort SID information has been made available by permission from SourceFire.
Snort and Sourcefire are registered trademarks of SourceFire, Inc. All rights reserved.
--
Sid:
119-2
--
Summary:
This event is generated when the pre-processor http_inspect detects network traffic that may constitute an attack.
--
Impact:
Unknown. This may be an attempt to evade an IDS.
--
Detailed Information:
This event is generated when double encoded characters are detected in web traffic. This is abnormal behavior and may be an indicator of a possible attack against a vulnerable system.
This may also be an attempt to evade an IDS.
Note: This pre-processor is designed to detect attacks aimed at servers, it needs to be configured to monitor for the servers being protected. Outbound client traffic may result in a high rate of false positive events.
This event can be controlled using the ((http_inspect)) configuration options.
--
Affected Systems:
Microsoft IIS Servers.
--
Attack Scenarios:
An attacker might double encode the request to the web server, this may then evade an IDS monitoring traffic and could then launch a successful attack without being detected.
--
Ease of Attack:
Simple. Exploits exist.
--
False Positives:
None Known.
--
False Negatives:
None Known.
--
Corrective Action:
Check the target host for signs of compromise.
Apply any appropriate vendor supplied patches.
Upgrade to the latest non-affected version of the software
Use Apache.
--
Contributors:
Daniel Roelker
Sourcefire Vulnerability Research Team
Nigel Houghton
--
Additional References:
HTTP IDS Evasions Revisited - Daniel Roelker
http://docs.idsresearch.org/http_ids_evasions.pdf
--
Snort and Sourcefire are registered trademarks of SourceFire, Inc. All rights reserved.