Snort mailing list archives

Re: flow_depth and WMF exploit


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 05 Jan 2006 16:31:55 +1300

purplebag wrote:
> Bottom line is wrong tool for the job.

True.

One thing we need to appreciate is that this "WMF exploit" is a *file
exploit* - not a network one.

*file exploits* are commonly called "viruses". So you need an antivirus
solution to deal with them, i.e. content filters, not NIDS. This is why
virus.rules is disabled by default in Snort.

Although to reiterate what Frank said (and I mentioned over a year ago),
the "Accept-Encoding: gzip" option supported by IE5.5+ and
Mozilla-family browsers basically turns all HTTP servers into HTTPS servers as
far as NIDS are concerned - i.e. they cannot decode the stream in order
to look within it. In fact, it's worse than HTTPS, as you typically deal
with HTTPS via the correct placement of reverse-proxies.

Maybe we'll need to put *all* our HTTP servers behind souped-up
reverse-proxies that can translate gzip (and the rest) too :-( [i.e.
allow gzip to the clients, but deny it to the backend HTTP servers that
the NIDS actually monitor]


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
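An added illustration of the two points in the message above (this is example code written for this page, not code from the original post or from the Snort project): a byte-pattern content match of the kind a signature NIDS does is blind once the server answers with Content-Encoding: gzip, an inspection point that decodes the body sees the pattern again, and a reverse proxy that drops Accept-Encoding from the request it forwards upstream keeps the backend segment the NIDS taps in the clear. Assumptions: the 4-byte placeable-WMF header magic is used as a stand-in content match (it is not Snort's actual rule for the WMF issue), the HTTP response and its body are constructed here, and all function names are hypothetical.

```python
import gzip
import re

# Assumption: the 4-byte magic of a "placeable" WMF header, used here only
# as a stand-in content match. This is not Snort's actual WMF rule.
WMF_PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"
CONTENT_MATCH = re.compile(re.escape(WMF_PLACEABLE_MAGIC))

# Constructed sample body: the magic followed by filler. Not a real file,
# and not malicious; only the magic matters for the content match.
SAMPLE_WMF_BODY = WMF_PLACEABLE_MAGIC + b"\x00" * 60


def build_response(body: bytes, gzip_encode: bool) -> bytes:
    """Build a minimal HTTP/1.1 response, optionally gzip-encoded as a
    server would after seeing 'Accept-Encoding: gzip' from the client."""
    if gzip_encode:
        body = gzip.compress(body, mtime=0)  # mtime=0 keeps output deterministic
    headers = [
        b"HTTP/1.1 200 OK",
        b"Content-Type: image/x-wmf",
        b"Content-Length: %d" % len(body),
    ]
    if gzip_encode:
        headers.append(b"Content-Encoding: gzip")
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def split_response(raw: bytes):
    """Split wire bytes into a lower-cased header dict and the raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def nids_content_match(raw: bytes) -> bool:
    """What a signature-only NIDS does: match bytes as seen on the wire,
    with no Content-Encoding decoding at all."""
    _, body = split_response(raw)
    return CONTENT_MATCH.search(body) is not None


def content_match_with_decoding(raw: bytes) -> bool:
    """What an inspection point that understands Content-Encoding does:
    decompress first, then run the same content match."""
    headers, body = split_response(raw)
    if headers.get(b"content-encoding", b"").lower() == b"gzip":
        body = gzip.decompress(body)
    return CONTENT_MATCH.search(body) is not None


def headers_for_backend(client_headers: dict) -> dict:
    """The reverse-proxy workaround from the post: forward the client's
    request to the backend without Accept-Encoding, so the backend answers
    uncompressed on the segment the NIDS monitors. The proxy itself may
    still gzip the response it sends to the client."""
    return {k: v for k, v in client_headers.items()
            if k.lower() != "accept-encoding"}


if __name__ == "__main__":
    plain = build_response(SAMPLE_WMF_BODY, gzip_encode=False)
    gzipped = build_response(SAMPLE_WMF_BODY, gzip_encode=True)
    print("NIDS match, identity encoding :", nids_content_match(plain))
    print("NIDS match, gzip encoding     :", nids_content_match(gzipped))
    print("decoded match, gzip encoding  :", content_match_with_decoding(gzipped))
    client_req = {"Host": "www.example.com", "Accept-Encoding": "gzip, deflate"}
    print("headers sent upstream         :", headers_for_backend(client_req))
```

The raw-bytes match succeeds on the identity-encoded response and fails on the gzip-encoded one even though the body is identical, which is exactly why the post compares gzip to HTTPS from the NIDS's point of view. Stripping Accept-Encoding upstream is the same header rewrite the post proposes for a "souped-up" reverse proxy; it costs bandwidth between proxy and backend but gives the NIDS tap on that segment plaintext to inspect.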


