On Thursday 25 March 2004 11:59, Joe Mott wrote:
> I have been searching the archived lists without any success to have
> the following question answered:
>
> Is netfilter capable of knowing when someone is crafting SMTP (or FTP
> or HTTP or ...) packets that violate RFC rules to exploit a
> vulnerability in some server?

No, that is the job for some form of IDS, such as Snort.

Whilst netfilter can look inside the contents of packets, it can only do so on a packet-by-packet basis. An HTTP request, SMTP conversation (etc.) is likely to be so large that it spans multiple packets. When text wraps the boundary of one packet, netfilter can no longer help; some form of reassembly is required before the "full" text can be read and taken into context.

David
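As an added illustration of the point David makes (example code written for this page, not from the original thread, netfilter or Snort): a pattern match run on each TCP segment in isolation misses a signature that straddles a segment boundary, while the same match over the reassembled stream finds it. The SMTP bytes, the signature and the segment split are constructed sample data.

```python
from typing import List, Optional, Tuple

Segment = Tuple[int, bytes]  # (relative TCP sequence number, payload)

# Constructed sample signature: an SMTP command with an absurdly long
# mailbox argument, the sort of thing an IDS rule might look for.
SIGNATURE = b"MAIL FROM:<" + b"A" * 40

# Constructed sample stream: the signature sits in the middle of a short
# SMTP exchange.
STREAM = b"EHLO example.test\r\n" + SIGNATURE + b"@example.test>\r\n"


def split_stream(data: bytes, cut_at: int) -> List[Segment]:
    """Cut a stream into two segments at byte offset cut_at."""
    return [(0, data[:cut_at]), (cut_at, data[cut_at:])]


def per_packet_match(segments: List[Segment], sig: bytes) -> bool:
    """Stateless inspection: look at each segment's payload on its own."""
    return any(sig in payload for _, payload in segments)


def reassemble(segments: List[Segment]) -> Optional[bytes]:
    """Order segments by sequence number and join them into one stream.
    Returns None when a hole is found (a segment missing or not yet seen).
    """
    if not segments:
        return None
    ordered = sorted(segments, key=lambda s: s[0])
    expected = ordered[0][0]
    out = bytearray()
    for seq, payload in ordered:
        if seq != expected:
            return None
        out += payload
        expected += len(payload)
    return bytes(out)


def reassembled_match(segments: List[Segment], sig: bytes) -> bool:
    """Stream inspection: reassemble first, then search the whole text."""
    stream = reassemble(segments)
    return stream is not None and sig in stream


# Split so the signature starts in the first segment and ends in the second.
SEGMENTS = split_stream(STREAM, len(b"EHLO example.test\r\n") + 20)

if __name__ == "__main__":
    print("per-packet match  :", per_packet_match(SEGMENTS, SIGNATURE))   # False
    print("reassembled match :", reassembled_match(SEGMENTS, SIGNATURE))  # True
```

Swapping the order of SEGMENTS before calling reassembled_match shows the reassembly also tolerates out-of-order delivery, which a per-packet check cannot account for either.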