Rule: 

--
Sid: 
119-10

-- 
Summary: 
This event is generated when the pre-processor http_inspect detects network traffic that may constitute an attack.

-- 
Impact: 
Unknown. This event may also constitute an attempt to evade an IDS.

--
Detailed Information:
This event is generated when the http_inspect pre-processor detects the use of directory traversal in a web request. This may be an attempt to escape the web root directory or it may be an attempt to evade an IDS.

This event can be controlled using the ((http_inspect)) configuration options.

--
Affected Systems:
Microsoft IIS Servers

--
Attack Scenarios: 
An attacker may supply a path to a file outside the web root by using "../" in the uri.

-- 
Ease of Attack: 
Simple.

-- 
False Positives:
This event may be generated if a web site uses "../" in links to other files on the site.

--
False Negatives:
None Known.

-- 

Corrective Action:
Check the target host for signs of compromise.

Apply any appropriate vendor supplied patches.

--
Contributors:
Daniel Roelker <droelker@sourcefire.com> 
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

HTTP IDS Evasions Revisited - Daniel Roelker
http://docs.idsresearch.org/http_ids_evasions.pdf

--
