Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Server IPS for Linux technology, Proventia Desktop, Proventia Network IPS, BlackICE Agent for Server, RealSecure Server Sensor, RealSecure Network, BlackICE PC Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection:
This signature detects 3-way handshake on port 80, followed by a non HTTP compliant request, followed by a non HTTP compliant response.
Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Server IPS for Linux technology, Proventia Desktop, Proventia Network IPS, BlackICE Agent for Server, RealSecure Server Sensor, RealSecure Network, BlackICE PC Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection: If a tunnelling application uses valid HTTP protocol to deliver content (in example, by using the POST method), then this this signature will not trigger.
Low
Proventia-G 1.1 and earlier: XPU 24.11, Proventia Network MFS: XPU 1.50, Proventia Server IPS for Linux technology: 1.0, Proventia Desktop: 8.0.614.8, Proventia Network IPS: XPU 1.50, BlackICE Agent for Server: 3.6eok, RealSecure Server Sensor: XPU 24.11, RealSecure Network: XPU 24.11, BlackICE PC Protection: 3.6cpa, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Server Protection: 3.6.cpa
Microsoft Windows 98, Novell NetWare, SCO SCO Unix, Microsoft Windows NT: 4.0, Data General DG/UX, SGI IRIX, Linux Kernel, Sun Solaris, WindRiver BSDOS, HP HP-UX, IBM AIX, IBM OS2, Microsoft Windows 95, Microsoft Windows Me, Cisco IOS, Microsoft Windows 98SE, Microsoft Windows 2000, Apple Mac OS, Compaq Tru64, Microsoft Windows XP, Microsoft Windows 2003 Server
Protocol Signature
HTTP (port 80) can be used to tunnel unwanted traffic through firewalls. A remote attacker could exploit this vulnerability to bypass the security of the firewall. Traffic on port 80 that is not HTTP compliant has been detected.
This event is for informational purposes only.
ISS X-Force
HTTP unknown protocol
http://www.iss.net/security_center/static/21259.php