Rule:  
--

Sid:
1087

--

Summary:
Someone attempted to bypass the IDS in a possible web attack by obfuscating
the request with tabs.

--
Impact:
Someone may have run a reconnaissance tool like Whisker or an obfuscated
attack against a web server.

--
Detailed Information:
Some web servers (e.g., some versions of Apache) will interpret tabs
as spaces in web requests.  This is used by some tools (e.g., Whisker)
and attackers to bypass some IDS systems.

--
Affected Systems:
 
--
Attack Scenarios:
An attacker runs an automated tool, like Whisker, against a web server, or
runs an attack by hand with a URL similar to:  GET<tab>/<tab>HTML/1.0

--
Ease of Attack:
Automated tools (e.g., Whisker) exist and are available in the wild.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Examine the packet to see if a web request was being done.  Try to
determine what the requested item was (e.g., a file or CGI), and determine
from the web server's configuration whether it was a threat or not
(e.g., whether the requested file or CGI even existed or was vulnerable).

--
Contributors:
Original rule writer unknown
Original document author unkown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:
Arachnids:  415
URL:  www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
