Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1139 |
Message | WEB-MISC whisker HEAD/./ |
Summary | This event is generated when an attempt is made to evade an IDS in a possible web attack by sending an obfuscated request. |
Impact | Unknown. |
Detailed Information | Some CGI attacks can be accomplished by using HEAD instead of GET. Additionally, some web servers will interpret "/./" as simply "/". An attacker might try to combine these methods in an attempt to obfuscate an attack or during the reconnaissance phase of a penetration attempt in order to bypass an IDS. |
Affected Systems | All Web Servers. |
Attack Scenarios | An attacker may use an automated tool, like Whisker, to obfuscate an attack. |
Ease of Attack | Simple. Exploit scripts and tools are widely available. |
Corrective Action | Examine the host for signs of compromise. |
Additional References | |
Rule References | url: www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html |
--
DID:514298
--
http://www.aanval.com/