Rule:  
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC whisker tab splice attack"; dsize: <5; flags: A+; content: "|09|"; reference:arachnids,415; classtype:attempted-recon; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; sid:1087; rev:3;)
--

Sid:
1087

--

Summary:
Someone attempted to bypass the IDS in a possible web attack by obfuscating
the request with tabs.

--
Impact:
Someone may have run a reconnaissance tool like Whisker or an obfuscated
attack against a web server.

--
Detailed Information:
Some web servers (e.g., some versions of Apache) will interpret tabs
as spaces in web requests.  This is used by some tools (e.g., Whisker)
and attackers to bypass some IDS systems.

--
Attack Scenarios:
An attacker runs an automated tool, like Whisker, against a web server, or
runs an attack by hand with a URL similar to:  GET<tab>/<tab>HTML/1.0

--
Ease of Attack:
Automated tools (e.g., Whisker) exist and are available in the wild.

--
False Positives:

--
False Negatives:

--
Corrective Action:
Examine the packet to see if a web request was being done.  Try to
determine what the requested item was (e.g., a file or CGI), and determine
from the web server's configuration whether it was a threat or not
(e.g., whether the requested file or CGI even existed or was vulnerable).

--
Contributors:

--
Additional References:
Arachnids:  415
URL:  www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
