Rule:  

--

Sid:
1171

--

Summary:
Someone attempted to bypass the IDS in a possible web attack by sending
an obfuscated request using HEAD.

--
Impact:
Someone may have run a reconnaissance tool like Whisker or an obfuscated
attack against a web server.

--
Detailed Information:
Some CGI attacks can be accomplished by using HEAD instead of GET.
An attacker can use this method to obfuscate attacks or reconnaissance
and bypass some intrusion detection systems. Tools such as Whisker can
be configured to do this.

--
Affected Systems:
 
--
Attack Scenarios:
An attacker runs an automated tool, like Whisker, or sends a hand-crafted
attack to a web server.

--
Ease of Attack:
Automated tools (e.g., Whisker) exist and are available in the wild.

--
False Positives:
None Known
Very long legitimate HEAD requests.

--
False Negatives:
None Known

--
Corrective Action:
Examine the packet to determine what kind of attack or probe was launched.
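
Added example (not part of the original rule documentation or of Snort): a
small triage helper for the packet examination described above. It summarizes
a captured request payload and shows the normalized path next to the raw one.
The function name, the size threshold and the sample payloads are assumptions
made for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumption: size above which a HEAD request is treated as unusually large.
# Illustrative value only; it is not taken from the rule.
SIZE_THRESHOLD = 512


def triage_head_request(payload: bytes, size_threshold: int = SIZE_THRESHOLD) -> dict:
    """Summarize a captured HTTP request payload for an analyst."""
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split()
    method = parts[0].upper() if parts else ""
    raw_uri = parts[1] if len(parts) > 1 else ""
    raw_path = urlsplit(raw_uri).path
    # Decode percent-escapes, then collapse "//", "/./" and "/../" so the
    # analyst sees the path the web server would resolve.
    decoded = unquote(raw_path, encoding="latin-1")
    normalized = posixpath.normpath(decoded) if decoded else ""
    # normpath drops a trailing slash; restore it so "/docs/" is not flagged.
    if decoded.endswith("/") and normalized != "/":
        normalized += "/"
    lowered = normalized.lower()
    return {
        "method": method,
        "is_head": method == "HEAD",
        "size": len(payload),
        "oversized": len(payload) > size_threshold,
        "raw_path": raw_path,
        "normalized_path": normalized,
        "obfuscated": normalized != raw_path,
        "cgi_target": "/cgi-bin/" in lowered or lowered.endswith(".cgi"),
    }


# Constructed sample payloads (not taken from real traffic).
PADDED_HEAD = (b"HEAD /%63gi-bin/./test.cgi?x=" + b"A" * 600 +
               b" HTTP/1.0\r\nHost: www.example.com\r\n\r\n")
PLAIN_HEAD = b"HEAD /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for sample in (PADDED_HEAD, PLAIN_HEAD):
        print(triage_head_request(sample))
```

A request that is a HEAD, oversized and obfuscated deserves a closer look; an
oversized HEAD with an unchanged path fits the false positive listed above.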

--
Contributors:
Original rule writer unknown
Original document author unknown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:
URL:  www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
