Telnet to a webserver behind the IPS and execute the command,
GET ../../etc/passwd HTTP/1.0
Yo will see the HTTP_GET_Malformed signature triggered at SiteProtector
Also you can use this technique at pentests, it gives you to discover if there is an IPS or not.
Open a WireShark and examine the return packets, if you see RST packets or connection time-outs you can be sure that the IPS is active.
Steps are simple, Can be used for any IPS vendor.
Cagdas Ulucan
