SNORTID

"Snort" is a registered trademark of Sourcefire, Inc.

Site owned and maintained by Liam Somerville

©2009 SnortID.com - Developed by Cook Computing

Search String: 119:2

Sid: 119:2

Summary: This event is generated when the pre-processor http_inspect detects network traffic that may constitute an attack.

Impact: Unknown. This may be an attempt to evade an IDS.

Detailed Information: This event is generated when double encoded characters are detected in web traffic. This is abnormal behavior and may be an indicator of a possible attack against a vulnerable system. This may also be an attempt to evade an IDS. Note: This pre-processor is designed to detect attacks aimed at servers; it needs to be configured to monitor for the servers being protected. Outbound client traffic may result in a high rate of false positive events. This event can be controlled using the http_inspect configuration options.

Affected Systems: Microsoft IIS Servers.

Attack Scenarios: An attacker might double encode the request to the web server. This may then evade an IDS monitoring traffic, and the attacker could then launch a successful attack without being detected.

Ease of Attack: Simple. Exploits exist.

False Positive: None Known.

False Negative: None Known.

Corrective Action: Check the target host for signs of compromise. Apply any appropriate vendor supplied patches. Upgrade to the latest non-affected version of the software. Use Apache.

Contributors: Daniel Roelker, Sourcefire Vulnerability Research Team, Nigel Houghton

Additional References: HTTP IDS Evasions Revisited - Daniel Roelker
http://docs.idsresearch.org/http_ids_evasions.pdf
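A simplified sketch of the double-encoding check described under Detailed Information, added here as an example (it is not Snort's http_inspect code and not part of the original entry): it decodes `%XX` once and reports any escape that only exists after that first pass. The function names and the sample URIs are constructed for illustration.

```python
HEX = "0123456789abcdefABCDEF"

def first_pass(uri):
    """Decode %XX once. Returns (char, was_decoded, raw_start, raw_end) tokens."""
    out, i = [], 0
    while i < len(uri):
        pair = uri[i + 1:i + 3]
        if uri[i] == "%" and len(pair) == 2 and all(c in HEX for c in pair):
            out.append((chr(int(pair, 16)), True, i, i + 3))
            i += 3
        else:
            # Literal character, or a malformed escape left untouched.
            out.append((uri[i], False, i, i + 1))
            i += 1
    return out

def find_double_encoding(uri):
    """Return (raw_text, final_char) for each escape that a second pass would decode."""
    toks = first_pass(uri)
    hits, j = [], 0
    while j < len(toks):
        trio = toks[j:j + 3]
        text = "".join(t[0] for t in trio)
        # A %XX left after pass one is only suspicious if decoding helped build it.
        if (len(trio) == 3 and text[0] == "%"
                and all(c in HEX for c in text[1:])
                and any(t[1] for t in trio)):
            hits.append((uri[trio[0][2]:trio[2][3]], chr(int(text[1:], 16))))
            j += 3
        else:
            j += 1
    return hits

# Constructed sample request URIs (not captured traffic).
SAMPLES = [
    "/a%2fb",         # single encoding: decoded in pass one, nothing left over
    "/a%252fb",       # %25 -> '%', leaving %2f for a second pass
    "/a%25%32%66b",   # every character of the inner escape is itself encoded
    "/a%%32fb",       # only the first hex digit is encoded
    "/report/100%25", # an encoded literal percent sign, not double encoding
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "->", find_double_encoding(uri) or "clean")
```

A server that decodes twice sees `/` where a single-pass inspector sees `%2f`, which is the mismatch this event flags.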