Signature Detail

Short Name	HTTP:IIS:ENCODING:SINGLE-DIG-2
Severity	Medium
Recommended	Yes
Recommended Action	Drop
Category	HTTP
Keywords	IIS IDS evasion url encoding
Release Date	2005/03/17
Update Number	1213
Supported Platforms	di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: IIS Single Encoding (2)

This signature detects a single digit encoded in a URL. Microsoft Internet Information Services (IIS) uses special techniques to decode URLs. Attackers can be attempting to exploit these IIS techniques to evade detection by IDP.

Extended Description

An HTTP request in which the Unicode-encoded forms of the "/" or "\" delimiter characters exist in a requested URL constitutes a protocol anomaly. The condition could be the result of a software error, or it could indicate malicious activity involving intentional transmission of Unicode-encoded delimiter strings is underway.

References

URL: http://www.idsresearch.org/http_evasions.html

Signature Detail

Short Name

Severity

Recommended

Recommended Action

Category

Keywords

Release Date

Update Number

Supported Platforms

HTTP: IIS Single Encoding (2)

Extended Description

References