ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
by a colon (":") and the field value. A buffer overflow in the remote HTTP server becomes possible when one of the header fields is given a very long argument (line) in the request. An attacker may use it to execute arbitrary code on the host. This rule is triggered when the size of any header line in the request exceeds the configured value.
Signature ID: 346
Detection of large number of request header lines
Threat Level: Critical
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1 defined in RFC 2616. HTTP header fields, which include general-header, request-header, response-header, and entity-header fields, follow the same generic format as that given in RFC 822. Each header field consists of a name followed by a colon (":") and the field value. A buffer overflow in the remote HTTP server becomes possible when it is given a large number of request header lines in a single request. An attacker may use it to execute arbitrary code on the host. This rule is triggered when the number of header lines exceeds the configured value.
Signature ID: 347
HTTP malformed Request detection
Threat Level: Information
Signature Description: This signature detects an IDS/IPS evasion technique. According to the HTTP RFC, a v1.0 request should be in the form Method <space> URI <space> HTTP/Version CRLF. As a result, many intelligent IDS/IPS systems dissect HTTP requests using <space> as the separator. Apache 1.3.6 and newer also accept HTTP requests in the form Method <tab> URI <tab> HTTP/Version CRLF. Such a request causes parsing problems in an IDS/IPS system that assumes the RFC-based format.
Signature ID: 348
IDS evasion detection - NULL Character at the end of URI
Threat Level: Information
Signature Description: This signature detects an IDS/IPS evasion technique. Many C string libraries use the NULL character to denote the end of a string, and most intrusion detection systems use these libraries or make the same assumption. An attacker can use this to evade the system with a request of the following type: GET /cgi-bin/some.cgi\0 HTTP/1.0. Because many IDS/IPS try to parse the entire packet as one string, they stop at the null byte and ignore the rest of the request. The HTTP server, on the other hand, keeps each field of the request as a logically separate field. As a result, a NULL byte at the end of the URI is treated as the termination of the URI only, and the other fields are decoded separately.
Signature ID: 349
HTTP v0.9 Syntax Request detection
Threat Level: Information
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1 defined in RFC 2616. The current HTTP version is 1.0 or 1.1. The older version 0.9 is not used by most servers and clients, but some servers still support HTTP version 0.9 as well. The syntax of an HTTP version 0.9 request is <method><space><uri><CRLF>, which differs from that of versions 1.0 and 1.1. Therefore, using the old syntax sometimes helps attackers evade a modern IDS/IPS, because such devices parse the URI according to version 1.0 or 1.1 and fail to detect the anomaly in a version 0.9 HTTP request.
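The following is an added example, not code from the guide or the TMS zl Module, showing how a request-head checker can avoid the parsing pitfalls described for the header-size and header-count signatures and for signatures 347, 348 and 349: it splits the request line on space or tab, keeps bytes after a NUL instead of stopping there, and recognises the two-token HTTP/0.9 form. The thresholds and the anomaly names are constructed for this example; the guide's real limits are configured on the module.

```python
import re

# Constructed thresholds; the guide refers to "configured" values without stating them.
MAX_HEADER_LINE_LEN = 1024
MAX_HEADER_LINE_COUNT = 64


def parse_request_head(raw: bytes):
    """Split a raw request head into (request_line, header_lines) as bytes.

    Unlike a C-string based parser, this keeps everything after a NUL byte,
    so the URI is seen the way the HTTP server sees it."""
    head = raw.split(b"\r\n\r\n", 1)[0].rstrip(b"\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:]


def check_request(raw: bytes, max_len: int = MAX_HEADER_LINE_LEN,
                  max_count: int = MAX_HEADER_LINE_COUNT) -> list:
    """Return the names of the anomalies the request exhibits (empty if none)."""
    request_line, headers = parse_request_head(raw)
    hits = []
    # 347: Apache accepts tabs between request-line tokens; a parser that only
    # splits on <space> would misread the URI, so split on either character.
    if b"\t" in request_line:
        hits.append("tab_separator")
    tokens = re.split(rb"[ \t]+", request_line.strip(b" \t"))
    uri = tokens[1] if len(tokens) > 1 else b""
    # 348: e.g. GET /cgi-bin/some.cgi\0 HTTP/1.0 -- a NUL inside the URI token.
    if b"\x00" in uri:
        hits.append("null_in_uri")
    # 349: HTTP/0.9 request line is <method><space><uri><CRLF>, no version token.
    if len(tokens) == 2:
        hits.append("http09_syntax")
    # Over-long header line (the signature described just before ID 346).
    if any(len(h) > max_len for h in headers):
        hits.append("long_header_line")
    # 346: too many header lines.
    if len(headers) > max_count:
        hits.append("many_header_lines")
    return hits
```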
Signature ID: 350
HTTP Request Format Anomaly detection
Threat Level: Information
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1
defined in RFC 2616. A general HTTP request should be of the form - <Method uri [version]\r\n>. After \r, \n is