Disclaimer

SNORTID
Enter a Snort ID to lookup (e.g 1:269)

"Snort" is a registered trademark of Sourcefire, Inc.

Site owned and maintained by Liam Somerville

©2009 SnortID.com - Developed by Cook Computing

Search String: 119:4

N.B.: Maximum of 50 results are displayed

SidSummaryImpact Detailed InformationAffected SystemsAttack ScenariosEase of AttackFalse PositiveFalse Negative Corrective ActionContributorsAdditional References
119:4 This event is generated when the pre-processor http_inspect detects network traffic that may constitute an attack. Unknown. This may be an attempt to evade an IDS. Microsoft IIS servers are able to use non-ASCII characters as values when decoding UTF-8 values. This is non-standard behavior for a webserver and violates RFC recommendations. All non-ASCII values should be encoded with a %. This event may indicate an attack against a web server or at the least an attempt to evade an IDS. No web clients encode UTF-8 characters in this way. This is most likely a malicious request. This event can be controlled using the ((http_inspect)) configuration options. All Microsoft IIS servers An attacker merely needs to encode a web request using this non-standard format. Simple. Many exploits exist. None Known. None Known. Check the target host for signs of compromise. Apply any appropriate vendor supplied patches. Daniel Roelker Sourcefire Vulnerability Research Team Nigel Houghton HTTP IDS Evasions Revisited - Daniel Roelker
http://docs.idsresearch.org/http_ids_evasions.pdf