Advanced Topics – Anti-IDS Techniques
•Not just anti-IDS – the same tricks also work against proxies, application firewalls, etc.
–Using the HTTP ‘HEAD’ method instead of ‘GET’ (signatures that only inspect GET requests never see it)
–URL-encoding the attack string (e.g. /cgi-bin/some%2Ecgi)
–Using double slashes (//cgi-bin//script) – old technique
–Reverse traversal: /cgi-bin/blabla/../script.pl
–Self-reference directories: /cgi-bin/./././script.pl
–Premature request ending: GET /%20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/some.cgi HTTP/1.0\r\n\r\n
–Hiding the attack as a parameter (encoding the ‘?’ as %3F)
Anti-IDS techniques are designed to sneak an attack past an IDS. A signature-based IDS looks for specific patterns or strings in the request, so it is easy to rewrite the attack string in a way the IDS no longer recognises while the web server still decodes and executes it exactly as intended. The request the IDS matches against and the request the server acts on are only the same if the IDS parses, decodes and canonicalises the request in the same order the server does.

Premature request ending:
Some IDSs do not look at the whole request line but stop at the first ‘HTTP/1.0’ they see, whereas the web server parses the whole request line. After decoding the %20, the IDS is tricked into thinking we are simply requesting GET / HTTP/1.0, but the web server sees the request GET /%20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/some.cgi HTTP/1.0 and decodes its path as two bogus directories (‘%20HTTP’ and ‘1.0%0d%0aHeader:%20’) followed by a traversal back up to the /cgi-bin directory, so it ends up serving /cgi-bin/some.cgi.
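The following Python script is an added example, not part of the original slides, that runs each technique from the list above (including the premature request ending just explained) against three toy inspectors: one that matches a literal signature on the raw GET request line without decoding, one that percent-decodes the whole request before doing the same, and one that works the way the server does (parse the request line, split the query on the raw ‘?’, decode the path, collapse ‘//’, resolve ‘./’ and ‘../’, and inspect every method). The signature ‘/cgi-bin/some.cgi’ and the sample requests are constructed for this example; the regex-based request-line parser is a hypothetical naive IDS, not any real product. The two naive inspectors miss complementary subsets of the tricks (no decoding misses URL encoding, decode-first misses the encoded ‘?’ and the premature ending), which is the point: only normalising to the same canonical path the server resolves catches all of them.

```python
"""Anti-IDS request tricks against three inspectors (constructed example).

naive_raw_alert      matches a literal signature on the raw GET request line
naive_decoded_alert  percent-decodes the whole request first, then does the same
normalised_alert     parses first, decodes second, canonicalises the path, and
                     inspects every method, mirroring how the server resolves it
"""
import posixpath
import re
import urllib.parse

# Hypothetical signature for a vulnerable script (the slides use "some.cgi").
SIGNATURE = "/cgi-bin/some.cgi"

# Lazy request-line regex: "\S+?" stops at the first "HTTP/1." it can reach and
# "\s*" does not insist on a space before it. That is exactly the parsing flaw
# the premature-request-ending trick exploits.
REQUEST_LINE_RE = re.compile(r"^GET\s+(\S+?)\s*HTTP/1\.[01]")

# Constructed sample requests, one per technique listed on the slide.
SAMPLES = {
    "plain GET":                "GET /cgi-bin/some.cgi HTTP/1.0\r\n\r\n",
    "HEAD instead of GET":      "HEAD /cgi-bin/some.cgi HTTP/1.0\r\n\r\n",
    "URL-encoded":              "GET /cgi-bin/some%2Ecgi HTTP/1.0\r\n\r\n",
    "double slashes":           "GET //cgi-bin//some.cgi HTTP/1.0\r\n\r\n",
    "reverse traversal":        "GET /cgi-bin/blabla/../some.cgi HTTP/1.0\r\n\r\n",
    "self-reference dirs":      "GET /cgi-bin/./././some.cgi HTTP/1.0\r\n\r\n",
    "premature request ending": "GET /%20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/some.cgi HTTP/1.0\r\n\r\n",
    "hidden as parameter":      "GET /index.htm%3Fparam=/../cgi-bin/some.cgi HTTP/1.0\r\n\r\n",
}


def naive_raw_alert(raw):
    """Literal match on the raw request line; non-GET requests are never inspected."""
    m = REQUEST_LINE_RE.match(raw)
    if not m:
        return False
    uri = m.group(1).split("?", 1)[0]   # drop what looks like a query string
    return SIGNATURE in uri


def naive_decoded_alert(raw):
    """Same check, but after percent-decoding the whole request first."""
    return naive_raw_alert(urllib.parse.unquote(raw))


def canonical_path(raw):
    """Resolve the requested path the way the web server does."""
    request_line = raw.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    uri = " ".join(parts[1:-1])        # method first, version last, URI between
    path = uri.split("?", 1)[0]        # query is separated by a RAW '?', so %3F stays in the path
    path = urllib.parse.unquote(path)  # decode only after the line is parsed
    path = re.sub(r"/+", "/", path)    # collapse //
    return posixpath.normpath(path)    # resolve ./ and ../


def normalised_alert(raw):
    """Signature match on the canonical path, regardless of method."""
    return SIGNATURE in canonical_path(raw)


def report():
    """Map sample name -> (naive_raw, naive_decoded, normalised) alert results."""
    return {name: (naive_raw_alert(r), naive_decoded_alert(r), normalised_alert(r))
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (a, b, c) in report().items():
        print(f"{name:26} raw={a!s:5} decoded={b!s:5} normalised={c!s:5} "
              f"-> {canonical_path(SAMPLES[name])!r}")
```

Running the script prints one row per technique. Only the plain request trips both naive inspectors; the raw matcher catches the ‘%3F’ trick but nothing else, the decode-first matcher catches the URL-encoded request but is fooled by the decoded ‘?’ and by the ‘%20HTTP/1.0’ ending, and the normalising inspector resolves every sample to ‘/cgi-bin/some.cgi’.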