####################################################################################################
#
# test your IDS security against stealth scan 
# sample anti-ids rule
# rule by pilot
#
# reference
# A look at whisker's anti-IDS tactics by rain.forest.puppy
# thanks rfp 
#
###############################################################################################

# anti-ids 1  Method matching
200 OK-> HEAD :/cgi-bin/board.cgi  ^check board.cgi using HEAD;;

# anti-ids 2 url-encoding
200 OK-> GET :/%63%67%69%2d%62%69%6e/%74%65%73%74%2d%63%67%69 ^/cgi-bin/test.cgi url-encoding;;

200 OK-> HEAD :/ws_ftp%2eini ^ws_ftp.ini url-encoding 1;;
200 OK-> GET  :/%77s_ftp.ini ^ws_ftp.ini url-encoding 2;;
200 OK-> HEAD :/w%73_ftp.ini ^ws_ftp.ini url-encoding 3;;
200 OK-> HEAD :/ws%5fftp.ini ^ws_ftp.ini url-encoding 4;;
200 OK-> HEAD :/ws_%66tp.ini ^ws_ftp.ini url-encoding 5;;
200 OK-> HEAD :/ws_f%74p.ini ^ws_ftp.ini url-encoding 6;;
200 OK-> HEAD :/ws_ft%70.ini ^ws_ftp.ini url-encoding 7;;
200 OK-> HEAD :/ws_ftp.%69ni ^ws_ftp.ini url-encoding 8;;
200 OK-> HEAD :/ws_ftp.i%6ei ^ws_ftp.ini url-encoding 9;;
200 OK-> HEAD :/ws_ftp.in%69 ^ws_ftp.ini url-encoding 10;;

# anti-ids 3 Double slashes
200 OK-> GET ://cgi-bin//board.cgi^double slashes check;;

# anti-ids 4 Reverse traversal
200 OK-> HEAD :/cgi-bin/aaaaaa/../test.cgi^reverse traversal test;;

#anti-ids 5 Self-reference directories
200 OK-> GET :/./cgi-bin/./test.cgi^self-reference test;;

#anti-ids 6 long url
200 OK-> HEAD :/cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/../test.cgi^long url;;
#anti-ids 7 Parameter hiding
200 OK-> GET :/index.php3ftable=test^parameter hiding test;;


#anti-ids 8 dos/windows parameter
200 OK-> HEAD :/cgi-bin\test.cgi^dos/windows parameter test;;

#anti-ids 9 null session
200 OK-> GET%00 :/cgi-bin/test.cgi^null session test;;

# anti-ids 10 Double back slashes
200 OK-> HEAD :/cgi-bin\\test.cgi^double back slashes test;;

#anti-ids 11 uppercase characters(windows)
200 OK-> HEAD :/cgi-bin/TEST.CGI^uppercase characters test;;

#anti-ids 12 triple back slashes
200 OK-> GET :/cgi-bin\\\test.cgi^triple back slashes test;;

#anti-ids 13 triple slashes
200 OK-> GET :/cgi-bin///test.cgi^triple slashes test;;

#anti-ids 14 double slashes and self-reference and url-encoding
200 OK-> GET :/./cgi-bin//test%20cgi^double slashes,self,url-encoding test;;

#anti-ids 15 more complex
200 OK-> GET :/.\/./cg%69-bin/./test%20cgi^more complex test.cgi check;;