Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:1139 |
| Message | WEB-MISC whisker HEAD/./ |
| Summary | This event is generated when an attempt is made to evade an IDS in a possible web attack by sending an obfuscated request. |
| Impact | Unknown. |
| Detailed Information | Some CGI attacks can be accomplished by using HEAD instead of GET. Additionally, some web servers will interpret "/./" as simply "/". An attacker might combine these methods to bypass an IDS, either to obfuscate an attack or during the reconnaissance phase of a penetration attempt. |
| Affected Systems | All Web Servers. |
| Attack Scenarios | An attacker may use an automated tool, like Whisker, to obfuscate an attack. |
| Ease of Attack | Simple. Exploit scripts and tools are widely available. |
| Corrective Action | Examine the host for signs of compromise. |
| Additional References | |
| Rule References | url: www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html |
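
Added example (not part of the original rule documentation and not the Snort rule's own logic): a Python check that removes "." path segments the way the Detailed Information describes servers treating "/./", then flags HEAD requests whose raw path differed from the normalized one. The function names, verdict labels and sample request lines are assumptions constructed for illustration.

```python
import re

# Constructed sample request lines for illustration; not captured traffic.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "HEAD /./cgi-bin/./test.cgi HTTP/1.0",
    "HEAD /images/logo.png HTTP/1.0",
    "GET /cgi-bin/./test.cgi HTTP/1.0",
    "HEAD /cgi-bin/test.cgi/. HTTP/1.0",
]

# METHOD <sp> /path[?query] <sp> HTTP/x.y
REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+)[ \t]+(?P<uri>/\S*)[ \t]+HTTP/\d\.\d$"
)


def normalize_uri(uri):
    """Remove '.' path segments so '/./' reads as '/'; the query is untouched."""
    path, sep, query = uri.partition("?")
    segments = path.split("/")
    # A trailing '.' segment refers to the directory itself: keep the slash.
    last = "" if segments[-1] == "." else segments[-1]
    kept = [s for s in segments[:-1] if s != "."] + [last]
    return "/".join(kept) + sep + query


def inspect(request_line):
    """Return (method, normalized_uri, verdict), or None if the line is unparseable."""
    match = REQUEST_LINE.match(request_line.strip())
    if match is None:
        return None
    method, uri = match.group("method"), match.group("uri")
    normalized = normalize_uri(uri)
    if normalized == uri:
        verdict = "clean"
    elif method == "HEAD":
        # The combination this event describes: HEAD plus a '/./' path.
        verdict = "head-with-dot-segment"
    else:
        verdict = "dot-segment"
    return method, normalized, verdict


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line!r:45} -> {inspect(line)}")
```

Matching on the normalized path rather than the raw bytes lets a CGI signature see the same resource the web server will serve.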
--
DID:514298