On Tue, Sep 09, 2003 at 01:51:25PM -0700, Drew Copley wrote: > > -----Original Message----- > > From: Nathan Wallwork [mailto:owen@pungent.org] > > Sent: Tuesday, September 09, 2003 1:18 PM > > > > On Mon, 8 Sep 2003, Drew Copley wrote: > > > The only sure way to detect this, I already wrote about [to > > Bugtraq]. > > > That is by setting a firewall rule which blocks the > > dangerous mimetype > > > string > > > [Content-Type: application/hta]. Everything else in the > > exploit can change. > > > > Just so we are clear, the firewall wouldn't tbe he right > > place to catch > > this because that string could be split by packet > > fragmentation, so you'd > > need to look for it at an application level, after the data stream > > has been reassembled. > > Yes, I mean "IPS rule" - "firewall rule" is a bit inaccurate- just a > traditional term. Any IPS that does not handle fragmentation, though, has > some serious problems. s/fragmentation/fragmentation and TCP reassembly/ You'd need both, and they are different things. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org
