INTRO
=====
This is a stupid little piece of software that should help in detecting inline IPS. It basically fetches the home page of a web site and reports, for every packet received, the TCP flags, the TTL, the TCP window size and the IPID, next to the application-level answer.

HOWTO
=====

0. This program needs the following Perl modules to run:
   - threads
   - threads::shared
   - Net::RawIP
   - LWP::UserAgent
If any of them is missing, the script prints the URL where to get it.

1. Command line

usage : ./http-ips-detect.pl <interface> <target> <mode> [port]

The arguments (capture interface, target host, mode, optional port; see the examples below) look self-explanatory except the mode. Set to 0, the tool only fetches the home page; this is useful to set a baseline. Set to 1, the tool also launches the exploit-like requests. Differences between the answers to legitimate and to malicious URLs are one of the clues used to detect an IPS.

Only one stupid exploit-like URL is implemented so far (/cmd.exe). To add more, edit the @TEST array of arrays: each exploit is an array with 3 fields, Name, URL and the mode in which it is used (0 baseline, 1 exploit).

DETECTING IPS
=============

An IPS may react at different network layers. Let's look at an example.

>>>>>>>
[root@localhost progs]# ./http-ips-detect.pl eth0 10.0.0.101 0 80

+-----------------------------------+
:              Baseline             :
+-----------------------------------+
:            Network Level          :
+----+--------+-----+-------+-------+
: #  : flags  : ttl : ipid  :  win  :
+----+--------+-----+-------+-------:
:  1 : S.A... :  54 :     0 :  5792 : <- Probably Linux
:  2 : ..A... :  54 : 60559 :  5792 :
:  3 : ..A.P. :  54 : 60560 :  5792 :
:  4 : .FA... :  54 : 60561 :  5792 :
:  5 : ..A... :  54 : 60562 :  5792 :
+----+--------+-----+-------+-------:
+-----------------------------------+
:         Application Level         :
+--------+--------------------------+
: Server :        Microsoft-IIS/5.0 : <- Probably not...
: Code   :                      200 :
+--------+--------------------------+
+ htm    :                        1 :
+ html   :                        1 :
+--------+--------------------------+
<<<<<<<

OK, got it? Another example.

>>>>>>>
[root@localhost progs]# ./http-ips-detect.pl eth0 10.0.0.104 1 80
+-----------------------------------+
:              Baseline             :
+-----------------------------------+
:            Network Level          :
+----+--------+-----+-------+-------+
: #  : flags  : ttl : ipid  :  win  :
+----+--------+-----+-------+-------:
:  1 : S.A... : 112 :  4449 : 17520 :
:  2 : .FA.P. : 112 :  4450 : 17411 :
:  3 : ..A... : 112 :  4451 : 17411 :
+----+--------+-----+-------+-------:
+-----------------------------------+
:         Application Level         :
+--------+--------------------------+
: Server :        Microsoft-IIS/5.0 :
: Code   :                      200 :
+--------+--------------------------+
+ htm    :                        1 :
+ html   :                        1 :
+--------+--------------------------+

+-----------------------------------+
:              CMD.EXE              :
+-----------------------------------+
:            Network Level          :
+----+--------+-----+-------+-------+
: #  : flags  : ttl : ipid  :  win  :
+----+--------+-----+-------+-------:
:  1 : S.A... : 112 :  4473 : 17520 : <- Probably 16 hops
:  2 : ...R.. :  49 :  3241 :     0 : <- Probably 15 hops
+----+--------+-----+-------+-------:
+-----------------------------------+
:         Application Level         :
+--------+--------------------------+
: Server :                      200 :
: Code   :                          :
+--------+--------------------------+
+--------+--------------------------+
<<<<<<<

Here the exploit has been blocked. However the IPS was nice enough to send a reset, and that reset does not look like it came from the server: its TTL is 49 (initial TTL 64, 15 hops) whereas the server's SYN/ACK has TTL 112 (initial TTL 128, 16 hops), its IPID (3241) is nowhere near the server's sequence (4449, 4450, ... 4473), and nothing came back at the application level. So we know:
1. there is an IPS
2. it is one hop away from the server, on our side of it
Keep in mind that hop counts derived from TTLs assume the usual default initial TTLs (64, 128, 255); a stack with a tuned initial TTL skews the estimate, and a device that spoofs the server's TTL and IPID would not show up this way. Let's prepare some insertion tools to test its stateful capabilities...
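The reasoning above, as an added example in Python (this is not part of http-ips-detect.pl, which is written in Perl): it parses the network-level tables the tool prints, guesses initial TTL and hop count for each packet, and compares the RST of the exploit run with the server's own SYN/ACK on TTL, hop count and IPID. The two sample tables are copied from the second run shown above (mode 1 against 10.0.0.104); the default initial TTLs and the IPID distance threshold are assumptions of this example.

```python
# Added example (not code from http-ips-detect.pl): check whether the RST that
# answered an exploit-like URL came from the server or from an in-path device.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed default initial TTLs: 64 (Linux/BSD), 128 (Windows), 255 (Cisco, Solaris).
INITIAL_TTLS = (64, 128, 255)
# Assumed threshold: an IPID further than this from the server's SYN/ACK IPID is
# treated as "not in the server's sequence" (heuristic; Linux may send IPID 0).
IPID_WINDOW = 64

# Tables copied from the README's mode-1 run against 10.0.0.104.
BASELINE = """
+----+--------+-----+-------+-------+
: #  : flags  : ttl : ipid  :  win  :
+----+--------+-----+-------+-------:
:  1 : S.A... : 112 :  4449 : 17520 :
:  2 : .FA.P. : 112 :  4450 : 17411 :
:  3 : ..A... : 112 :  4451 : 17411 :
+----+--------+-----+-------+-------:
"""
PROBE = """
+----+--------+-----+-------+-------+
: #  : flags  : ttl : ipid  :  win  :
+----+--------+-----+-------+-------:
:  1 : S.A... : 112 :  4473 : 17520 : <- Probably 16 hops
:  2 : ...R.. :  49 :  3241 :     0 : <- Probably 15 hops
+----+--------+-----+-------+-------:
"""


@dataclass(frozen=True)
class Pkt:
    flags: str  # flag column as printed by the tool, e.g. "S.A..." or "...R.."
    ttl: int
    ipid: int
    win: int


def parse_table(text: str) -> List[Pkt]:
    """Parse the ': # : flags : ttl : ipid : win :' rows of the tool's output.
    Header, separator lines and trailing '<- ...' annotations are ignored."""
    pkts = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.strip().strip(":").split(":")]
        if len(cols) < 5 or not cols[0].isdigit():
            continue
        pkts.append(Pkt(cols[1], int(cols[2]), int(cols[3]), int(cols[4])))
    return pkts


def ttl_to_hops(ttl: int) -> Tuple[int, int]:
    """Guess (initial TTL, hop count): smallest default initial TTL >= observed."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init, init - ttl
    raise ValueError(f"TTL {ttl} above any known default")


def analyse(baseline: List[Pkt], probe: List[Pkt]) -> Dict[str, object]:
    """Compare the RST seen in the probe run with the server's SYN/ACK (taken
    from the probe run itself, else from the baseline). 'evidence' lists the
    mismatches; 'hops_from_server' > 0 means the RST sender sits in front of
    the server, on the client's side."""
    server: Optional[Pkt] = next((p for p in probe if p.flags.startswith("S.A")), None) \
        or next((p for p in baseline if p.flags.startswith("S.A")), None)
    rst = next((p for p in probe if "R" in p.flags), None)
    if server is None or rst is None:
        return {"inline_device": False, "evidence": [], "hops_from_server": None}
    s_init, s_hops = ttl_to_hops(server.ttl)
    r_init, r_hops = ttl_to_hops(rst.ttl)
    evidence = []
    if s_init != r_init:
        evidence.append(f"RST initial TTL {r_init} vs {s_init} on SYN/ACK: different stack")
    if s_hops != r_hops:
        evidence.append(f"{r_hops} hops to the RST sender vs {s_hops} to the server")
    if abs(rst.ipid - server.ipid) > IPID_WINDOW:
        evidence.append(f"RST IPID {rst.ipid} not in the server's sequence near {server.ipid}")
    return {
        "inline_device": bool(evidence),
        "evidence": evidence,
        "hops_from_server": s_hops - r_hops,
    }


if __name__ == "__main__":
    verdict = analyse(parse_table(BASELINE), parse_table(PROBE))
    print("inline device:", verdict["inline_device"],
          "| hops from server:", verdict["hops_from_server"])
    for line in verdict["evidence"]:
        print(" -", line)
```

Feeding the tables from the first run (the Linux box with TTL 54 and no RST) gives no evidence at all, which is the expected baseline result; the IPID test is the weakest of the three and is there to corroborate the TTL mismatch, not to stand on its own.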

WHO
===
Renaud Bidou 
-> renaudb at radware.com
-> renaud.bidou at iv2-technologies.com