Snort mailing list archives
Re: flow_depth and WMF exploit
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 05 Jan 2006 16:31:55 +1300
purplebag wrote:

> Bottom line is wrong tool for the job.

True. One thing we need to appreciate is that this "WMF exploit" is a *file exploit* - not a network one. *File exploits* are commonly called "viruses". So you need an antivirus solution to deal with them, i.e. content filters - not NIDS. This is why virus.rules is disabled by default in snort.

Although to reiterate what Frank said (and I mentioned over a year ago), the "Accept-Encoding: gzip" option supported by IE5.5+ and Mozilla-family basically turns all HTTP servers into HTTPS servers as far as NIDS are concerned - i.e. they cannot decode the stream in order to look within it. In fact, it's worse than HTTPS, as you typically deal to HTTPS via the correct placement of reverse-proxies.

Maybe we'll need to put *all* our HTTP servers behind souped-up reverse-proxies that can translate gzip (and the rest) too :-( [i.e. allow gzip to the clients, but deny it to the backend HTTP servers that the NIDS actually monitor]

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
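An added illustration of the gzip point above (example code, not from the thread and not Snort's own): a byte-pattern match on the wire misses a signature once the response body is gzip-encoded, while a content filter that decodes Content-Encoding first still sees it, and stripping Accept-Encoding at a reverse-proxy makes the backend answer uncompressed so a NIDS on the proxy-to-backend leg can inspect the body. The signature bytes and HTTP messages are constructed placeholders.

```python
import gzip

# Constructed placeholder standing in for the byte pattern a NIDS rule would
# look for in a response body (not a real Snort rule or exploit signature).
SIGNATURE = b"EXAMPLE-SIGNATURE"

def build_response(body: bytes, use_gzip: bool) -> bytes:
    """Build an HTTP/1.1 response; gzip the body as a server would after the
    client sent 'Accept-Encoding: gzip'."""
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: application/octet-stream"]
    if use_gzip:
        body = gzip.compress(body)
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(headers) + b"\r\n\r\n" + body

def split_response(raw: bytes):
    """Return (headers with lower-cased names, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def wire_match(raw: bytes) -> bool:
    """What a NIDS sees: the bytes on the wire, no decoding."""
    return SIGNATURE in split_response(raw)[1]

def decoded_match(raw: bytes) -> bool:
    """What a content filter or decoding proxy sees: the body after
    honouring Content-Encoding."""
    headers, body = split_response(raw)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return SIGNATURE in body

def strip_accept_encoding(request: bytes) -> bytes:
    """The reverse-proxy mitigation from the post: drop Accept-Encoding before
    forwarding, so the backend answers uncompressed and a NIDS watching the
    proxy-to-backend leg can inspect the body."""
    head, _, body = request.partition(b"\r\n\r\n")
    kept = [l for l in head.split(b"\r\n")
            if not l.lower().startswith(b"accept-encoding:")]
    return b"\r\n".join(kept) + b"\r\n\r\n" + body

# Constructed sample body; with gzip on the wire the signature is invisible to
# wire_match but visible to decoded_match.
SAMPLE_BODY = b"A" * 64 + SIGNATURE + b"B" * 64
```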
Current thread:
- flow_depth and WMF exploit Jason Haar (Jan 03)
- Re: flow_depth and WMF exploit Frank Knobbe (Jan 04)
- Re: flow_depth and WMF exploit purplebag (Jan 04)
- Re: flow_depth and WMF exploit Jason Haar (Jan 04)
- Re: flow_depth and WMF exploit Matthew Watchinski (Jan 05)
- Re: flow_depth and WMF exploit Frank Knobbe (Jan 05)
- Re: flow_depth and WMF exploit Jason (Jan 05)
- Re: flow_depth and WMF exploit Frank Knobbe (Jan 05)
- Re: flow_depth and WMF exploit Jason (Jan 05)
- Re: flow_depth and WMF exploit Frank Knobbe (Jan 05)
- Re: flow_depth and WMF exploit Jason (Jan 05)
- Re: flow_depth and WMF exploit Jason Haar (Jan 05)
- Re: flow_depth and WMF exploit purplebag (Jan 04)
- Re: flow_depth and WMF exploit Frank Knobbe (Jan 04)
- <Possible follow-ups>
- RE: flow_depth and WMF exploit Ron Jenkins (Jan 03)
- Re: flow_depth and WMF exploit Jason Haar (Jan 03)