On Tue, Sep 09, 2003 at 01:51:25PM -0700, Drew Copley wrote:
> > -----Original Message-----
> > From: Nathan Wallwork [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, September 09, 2003 1:18 PM
> >
> > On Mon, 8 Sep 2003, Drew Copley wrote:
> > > The only sure way to detect this, I already wrote about [to
> > Bugtraq].
> > > That is by setting a firewall rule which blocks the
> > dangerous mimetype
> > > string
> > > [Content-Type: application/hta]. Everything else in the
> > exploit can change.
> >
> > Just so we are clear, the firewall wouldn't tbe he right
> > place to catch
> > this because that string could be split by packet
> > fragmentation, so you'd
> > need to look for it at an application level, after the data stream
> > has been reassembled.
>
> Yes, I mean "IPS rule" - "firewall rule" is a bit inaccurate- just a
> traditional term. Any IPS that does not handle fragmentation, though, has
> some serious problems.
s/fragmentation/fragmentation and TCP reassembly/
You'd need both, and they are different things.
--
Crist J. Clark | [EMAIL PROTECTED]
| [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/ | [EMAIL PROTECTED]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
