Sunday, April 3, 2011

Basic way to test an IPS via Windows CLI

Telnet to a webserver behind the IPS and execute the command,

GET ../../etc/passwd HTTP/1.0      

Yo will see the HTTP_GET_Malformed signature triggered at SiteProtector

Also you can use this technique at pentests, it gives you to discover if there is an IPS or not.
Open a WireShark and examine the return packets, if you see RST packets or connection time-outs you can be sure that the IPS is active.

Steps are simple, Can be used for any IPS vendor.

Cagdas Ulucan