HTTP field with binary
Summary
Suspicious content was sent to the target HTTP server.
Details
This is a "heuristic" signature. It does not detect a specific known exploit; instead it detects suspicious data sent across an HTTP connection. When it fires during a real attack you will usually also see the event for the specific exploit being used (for example, IIS .printer overflow).
There are two common reasons why an attack may trigger this alert. The first is a traditional buffer-overflow or format-string attack, in which the oversized field itself is the attack.
The second is that the field carries executable code (machine code, not source) for use by a buffer-overflow or format-string attack against some other part of the request (another header field, the URL, or the body). This technique lets a relatively small overflow hold a large payload, creating a more severe attack. For example, most attacks against Microsoft's web server run with "user" privileges; the larger payload might contain a secondary attack designed to elevate to "administrator" privileges, gaining complete control over the machine.
This alert triggers when a "large" field contains "several" binary (non-printable) characters. The threshold for how many characters make a field "large" is the configuration parameter "http.binary.fieldlength". The threshold for how many binary characters count as "several" is the configuration parameter "http.binary.count". Raising either value reduces the number of alerts; lowering either makes the signature more sensitive, so tune them against the legitimate traffic on your network (for instance, long cookie or user-agent values containing high-bit characters) rather than turning the signature off.
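The following is an added illustration of the heuristic described above, written for this page; it is not the product's own code. It splits a raw HTTP request into its fields (URL, each header, body) and flags any field longer than "http.binary.fieldlength" that holds more than "http.binary.count" non-printable bytes. The default threshold values, the strict "greater than" comparisons, and the definition of "binary" as anything outside printable ASCII are assumptions; the sample requests are constructed, and the oversized User-Agent is a run of 0x90 bytes standing in for an embedded payload, not a real exploit.

```python
"""Heuristic check: flag "large" HTTP fields containing "several" binary bytes.

Added example for this page, not the product's code. The two thresholds
mirror the configuration parameters named on the page; their values here
are assumptions, not the product's defaults. All sample input is constructed.
"""

from __future__ import annotations

# Assumed defaults; the product's real defaults are not stated on the page.
HTTP_BINARY_FIELDLENGTH = 64   # a field longer than this is "large"
HTTP_BINARY_COUNT = 8          # more binary bytes than this is "several"


def is_binary(byte: int) -> bool:
    """Treat anything outside printable ASCII (plus TAB) as binary (assumption)."""
    return not (0x20 <= byte <= 0x7E or byte == 0x09)


def parse_fields(request: bytes) -> dict[str, bytes]:
    """Split a raw request into the fields the page lists: URL, headers, body."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    fields: dict[str, bytes] = {}
    if lines:
        parts = lines[0].split(b" ")          # "METHOD URL VERSION"
        if len(parts) >= 2:
            fields["url"] = parts[1]
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            fields[name.strip().lower().decode("latin-1")] = value.strip()
    if body:
        fields["body"] = body
    return fields


def binary_fields(request: bytes,
                  fieldlength: int = HTTP_BINARY_FIELDLENGTH,
                  count: int = HTTP_BINARY_COUNT) -> list[str]:
    """Return the names of fields that trip the heuristic.

    A field must be BOTH large (len > fieldlength) AND hold several binary
    bytes (binary count > count); either condition alone is not enough.
    """
    hits: list[str] = []
    for name, value in parse_fields(request).items():
        if len(value) <= fieldlength:
            continue                          # not "large", skip cheaply
        n_binary = sum(1 for b in value if is_binary(b))
        if n_binary > count:
            hits.append(name)
    return hits


# Constructed samples (not captured traffic).
SAMPLE_NORMAL = (
    b"GET /default.htm HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible)\r\n\r\n"
)

# Large header full of 0x90 bytes: a stand-in for an embedded payload.
SAMPLE_SUSPECT = (
    b"GET /default.htm HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: " + b"\x90" * 200 + b"\r\n\r\n"
)

# Large header with only a few high-bit bytes: should NOT trigger.
SAMPLE_LARGE_MOSTLY_TEXT = (
    b"GET /default.htm HTTP/1.0\r\n"
    b"Accept-Language: " + b"en-us," * 20 + b"\xe9\xe8\xe7" + b"\r\n\r\n"
)

# Short header that is entirely binary: not "large", should NOT trigger.
SAMPLE_SHORT_BINARY = (
    b"GET /default.htm HTTP/1.0\r\n"
    b"X-Tag: " + b"\x90" * 20 + b"\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in [("normal", SAMPLE_NORMAL), ("suspect", SAMPLE_SUSPECT),
                       ("large-text", SAMPLE_LARGE_MOSTLY_TEXT),
                       ("short-binary", SAMPLE_SHORT_BINARY)]:
        print(f"{label:12s} -> {binary_fields(req)}")
```

Only the suspect request is reported, and only its User-Agent field; the large-but-textual and short-but-binary fields show why both thresholds must be exceeded together. Passing different `fieldlength` and `count` values to `binary_fields` is the equivalent of changing the two configuration parameters.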
Version appeared: 2.5