GEN:SID 1:1087
Message WEB-MISC whisker tab splice attack
Summary This event is generated when an attempt is made to evade an IDS in a
possible web attack by obfuscating the request with tabs.
Impact Unknown.
Detailed Information Some web servers (e.g., some versions of Apache) will interpret tabs
as spaces in web requests.  This is used by some tools (e.g., Whisker)
in an attempt to evade IDS systems.
Affected Systems All systems running a web server
Attack Scenarios An attacker runs an automated tool, like Whisker, against a web server, or
runs an attack by hand with a URL similar to:  GET<tab>/<tab>HTML/1.0
Ease of Attack Simple. Automated tools are available.
Corrective Action Examine the packet to see if a web request was being made. Try to
determine what the requested item was (e.g., a file or CGI), and determine
from the web server's configuration whether it was a threat or not
(e.g., whether the requested file or CGI even existed or was vulnerable).
Additional References Arachnids:  415
URL:  www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
Rule References arachnids: 415
url: www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html