IDS mailing list archives

Re: Re: HTTP traffic


From: abhuyan () gmail com
Date: 2 Aug 2007 05:46:53 -0000

Yes, especially client-side based rules. It's always better to be a bit exploit-specific. On the server side, chances are
less if you write vulnerability-specific rules, or use some tactics to prevent false positives.
As abhi specified about the MS-DOS device name vulnerability, if we block just "com" it will trigger FPs for requests like
"3com", ".com", "common", etc. So you need to *think* how to counter it; maybe look for a space after 'com' or check that
no bytes follow after 'com', also keeping in mind various evasion tactics.
HTH
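The false-positive problem discussed in the post above, worked through as an added example that is not part of the original message or of any IDS product's rule set. The sample request lines are constructed for this illustration. The naive rule is a plain substring match on "com"; the refined rule only fires when a reserved MS-DOS device name forms a whole path component. The post only mentions checking for a space or end of data after 'com'; this version also accepts a path separator, a dot, a query string or fragment delimiter after the name, and percent-decodes the path first to cover one common evasion, both of which are assumptions of the example rather than something the post states.

```python
import re
from urllib.parse import unquote

# Constructed sample HTTP request lines (made up for this example, not taken
# from the original post or from any real capture).
SAMPLE_REQUESTS = [
    "GET /com1 HTTP/1.0",                      # DOS device name as a path
    "GET /scripts/LPT1.htm HTTP/1.0",          # device name with an extension
    "GET /%43om1?x=1 HTTP/1.1",                # percent-encoded 'C' evasion
    "GET /3com/products.html HTTP/1.0",        # must NOT fire ("3com")
    "GET /example.com/index.html HTTP/1.0",    # must NOT fire (".com")
    "GET /common/style.css HTTP/1.0",          # must NOT fire ("common")
]

# Reserved device name as a whole path component: preceded by start-of-path
# or '/', followed by end-of-data or a delimiter (assumed delimiter set).
DEVICE_NAME_RE = re.compile(
    r"(?:^|/)"                                  # start of a path component
    r"(con|prn|aux|nul|com[1-9]|lpt[1-9])"      # reserved MS-DOS device names
    r"(?=$|[/.?#\s])",                          # nothing, or a delimiter, follows
    re.IGNORECASE,
)


def request_path(request_line):
    """Return the request-URI from a request line such as 'GET /x HTTP/1.0'."""
    parts = request_line.split()
    if len(parts) < 2:
        return ""
    return parts[1]


def normalize_path(path):
    """Percent-decode the path so '%43om1' and 'com1' are judged alike.
    Decoding twice also covers double-encoding of the same bytes."""
    return unquote(unquote(path))


def naive_match(request_line):
    """The rule the post warns against: any occurrence of the bytes 'com'."""
    return "com" in normalize_path(request_path(request_line)).lower()


def device_name_match(request_line):
    """Refined rule: a device name as a complete path component.
    Returns the matched name upper-cased, or None when the rule does not fire."""
    m = DEVICE_NAME_RE.search(normalize_path(request_path(request_line)))
    return m.group(1).upper() if m else None


def compare_rules(requests):
    """Run both rules over request lines and return
    {request_line: (naive_hit, refined_hit)} for side-by-side inspection."""
    return {r: (naive_match(r), device_name_match(r)) for r in requests}


if __name__ == "__main__":
    for line, (naive, refined) in compare_rules(SAMPLE_REQUESTS).items():
        print(f"{line:42}  naive={naive!s:5}  refined={refined}")
```

Over the constructed sample the naive rule fires on five of the six lines, three of them the very false positives named in the post, and misses the LPT1 request entirely; the component-bounded rule fires on exactly the three device-name requests, including the percent-encoded one.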
