TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

expected. No other character is expected between \r and \n. This signature detects traffic that has a character, other than
\n, after \r, in the URI. Such traffic is generated to evade the IDS/IPS.
Signature ID: 351
Multiple requests in same packet vulnerability
Threat Level: Information
Signature Description: This is an anti-IPS evasion technique. An HTTP 1.1 server supports persistent connections: it
can serve many requests from a client over the same connection. Normally browsers send separate requests in separate
packets, but an attacker can send more than one request in a single packet to evade the IDS. Many IDSs check only the
first request in a packet, so an attacker can place the real attack in the second or third request of the same packet and
reach the server while evading the IDS.
Signature ID: 352
HTTP Request Session Splicing vulnerability
Threat Level: Information
Signature Description: Session splicing is a network-level anti-IDS tactic. Many basic ID systems, as well as some
smart ones, only scan for a particular signature within the current packet; signatures are not split up and checked across
multiple packets. An attacker exploits this by sending parts of the request in different packets. Note that this is not IP
fragmentation; it is simply multiple packets carrying the data. For example, the request "GET / HTTP/1.0" may be split
across multiple packets as "GE", "T ", "/", " H", "T", "TP", "/1", ".0".
Signature ID: 353
Encoded request vulnerability
Threat Level: Information
Signature Description: The classic trick with request encoding is to encode the request with its escaped equivalent. The
HTTP protocol specifies that arbitrary binary characters can be passed within the request by using %xx notation, where
'xx' is the hex value of the character. In theory, basic ID systems would fall prey to this, since the signature "cgi-bin"
does not match the string "%63%67%69%2d%62%69%6e". Also in theory, smart ID systems would be able to
plow past this, since they decode the string the same way a web server does before actually checking for a signature. In
reality, nowadays all worthwhile ID systems decode encoded requests, so this tactic is becoming obsolete.
Signature ID: 354
NULL Character in HTTP Request Line vulnerability
Threat Level: Information
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1
defined in RFC 2616. HTTP header fields, which include general-header, request-header, response-header, and entity-
header fields, follow the same generic format as that given in RFC 822. The Request-Line begins with a method token,
followed by the Request-URI and the protocol version, and ends with CRLF. The elements are separated by space
(SP) characters. No CR or LF is allowed except in the final CRLF sequence. A general HTTP request should look like:
Method SP Request-URI SP HTTP-Version CRLF. This log corresponds to an anti-IPS evasion technique. Many C
string libraries use the NULL character to denote the end of the string. Most intrusion detection/prevention systems use
these libraries to match the incoming strings (patterns) against the stored signatures. An attacker can use this to her
advantage with the following type of request: GET\0/cgi-bin/some.cgi HTTP/1.0. The theoretical flow of this tactic
goes like this: the web server receives the request, separating the URI from the method. The web server decodes the
method and URI (or vice versa, maintaining a logically separate string containing the method). The method is still valid
in and of itself, as a string, to the web server, even with the trailing NULL. A few IDSs, on the other hand, decode the
entire request and attempt to apply string operations to the whole request. Such an IDS stops once the NULL is reached,
because internally it is calling the C library. The implication of this is that an attacker can send any malicious URI and
bypass the IDS. The administrator should check the web server log corresponding to this log.
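The five entries above (signatures 350 through 354) all describe traffic that a detector must normalise or reassemble before it can match a content signature: a CR that is not part of CRLF, more than one request in a packet, a request spliced over several packets, %xx-encoded bytes, and a NULL in the Request-Line. The following Python sketch is an added example, not code from the ProCurve guide or the TMS zl module: it applies those checks to constructed request buffers. The content signature `cgi-bin`, the check names, the `StreamInspector` reassembly class and every sample buffer are assumptions made for illustration, and the check for signature 352 is simply that inspection runs on the reassembled stream rather than on each segment.

```python
import re
from urllib.parse import unquote_to_bytes

# Request-Line per RFC 2616 section 5.1: Method SP Request-URI SP HTTP-Version CRLF.
# A request may start at the beginning of the buffer or directly after a CRLF.
REQUEST_LINE = re.compile(rb"(?:^|\r\n)([A-Z]+) ([^ \r\n]+) (HTTP/\d\.\d)\r\n")

# Hypothetical content signature, modelled on the guide's "cgi-bin" example.
CONTENT_SIGNATURES = (b"cgi-bin",)


def request_line_bytes(buf: bytes) -> bytes:
    """Return the first line of the buffer including its terminating LF.

    If no LF has arrived yet the line is incomplete; a trailing CR is dropped
    because the matching LF may still be in the next segment."""
    end = buf.find(b"\n")
    if end < 0:
        return buf[:-1] if buf.endswith(b"\r") else buf
    return buf[:end + 1]


def inspect_request(buf: bytes) -> list[str]:
    """Apply the checks behind signatures 350, 351, 353 and 354 to one
    (reassembled) request buffer and return the names of the checks that fired."""
    findings = []
    line = request_line_bytes(buf)

    # Signature 354: a NULL inside the Request-Line would truncate any
    # C-string based matcher, so it is flagged before pattern matching.
    if b"\x00" in line:
        findings.append("null_in_request_line")

    # Signature 350: within the Request-Line a CR may only be followed by LF.
    if re.search(rb"\r(?!\n)", line):
        findings.append("bare_cr_in_request_line")

    # Signature 351: more than one Request-Line in a single buffer means
    # pipelined requests; every one of them is inspected, not only the first.
    requests = list(REQUEST_LINE.finditer(buf))
    if len(requests) > 1:
        findings.append("multiple_requests_in_packet")

    for m in requests:
        raw_uri = m.group(2)
        # Signature 353: decode %xx escapes the way a web server would before
        # matching, so "%63%67%69%2d%62%69%6e" is seen as "cgi-bin".
        decoded_uri = unquote_to_bytes(raw_uri)
        for sig in CONTENT_SIGNATURES:
            if sig in raw_uri:
                findings.append("content_signature")
            elif sig in decoded_uri:
                findings.append("encoded_request")
    return findings


class StreamInspector:
    """Reassemble the segments of one TCP stream before inspecting them, so a
    request spliced across many small segments (signature 352) is matched whole."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, segment: bytes) -> list[str]:
        self.buf += segment
        return inspect_request(self.buf)


# Constructed sample traffic (not captured data), one buffer per signature.
SAMPLES = {
    "clean": b"GET /index.html HTTP/1.0\r\n\r\n",
    "sig350_bare_cr": b"GET /a\rb HTTP/1.0\r\n\r\n",
    "sig351_pipelined": (b"GET / HTTP/1.1\r\nHost: h\r\n\r\n"
                         b"GET /cgi-bin/x HTTP/1.1\r\nHost: h\r\n\r\n"),
    "sig353_encoded": b"GET /%63%67%69%2d%62%69%6e/x HTTP/1.0\r\n\r\n",
    "sig354_null": b"GET\x00/cgi-bin/some.cgi HTTP/1.0\r\n\r\n",
}
# The guide's session-splicing split, with an encoded URI, one segment per element.
SPLICED_SEGMENTS = [b"GE", b"T ", b"/%63%67%69%2d%62%69%6e", b" H", b"T", b"TP",
                    b"/1", b".0\r\n\r\n"]


def run_samples() -> dict:
    """Inspect every sample; for the spliced stream, report what the last
    segment triggers and what (if anything) the earlier segments triggered."""
    results = {name: inspect_request(buf) for name, buf in SAMPLES.items()}
    stream = StreamInspector()
    per_segment = [stream.feed(seg) for seg in SPLICED_SEGMENTS]
    results["sig352_spliced_last_segment"] = per_segment[-1]
    results["sig352_spliced_before_last"] = [f for fs in per_segment[:-1] for f in fs]
    return results


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:32s} {findings}")
```

The point of the reassembly class is the one signature 352 makes: none of the spliced segments triggers anything on its own, and the encoded `cgi-bin` is only seen once the stream is whole and decoded. The NULL and bare-CR checks run on the raw Request-Line bytes deliberately, before any decoding or C-string based matching could be cut short.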