On Tue, Sep 09, 2003 at 01:51:25PM -0700, Drew Copley wrote: > > -----Original Message----- > > From: Nathan Wallwork [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, September 09, 2003 1:18 PM > > > > On Mon, 8 Sep 2003, Drew Copley wrote: > > > The only sure way to detect this, I already wrote about [to > > Bugtraq]. > > > That is by setting a firewall rule which blocks the > > dangerous mimetype > > > string > > > [Content-Type: application/hta]. Everything else in the > > exploit can change. > > > > Just so we are clear, the firewall wouldn't tbe he right > > place to catch > > this because that string could be split by packet > > fragmentation, so you'd > > need to look for it at an application level, after the data stream > > has been reassembled. > > Yes, I mean "IPS rule" - "firewall rule" is a bit inaccurate- just a > traditional term. Any IPS that does not handle fragmentation, though, has > some serious problems.
s/fragmentation/fragmentation and TCP reassembly/ You'd need both, and they are different things. -- Crist J. Clark | [EMAIL PROTECTED] | [EMAIL PROTECTED] http://people.freebsd.org/~cjc/ | [EMAIL PROTECTED] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html