On Fri, 2003-07-11 at 19:07, et@cyberspace.org wrote:
> The reason why i did a prototype is because i had to modify the internal
Yes, that is a limitation, the new acl_helper approach in squid 2.5 is
somewhat better than the old redirectors because you can get arbitrary
headers (once you know which ones you are looking for that is). True it
is far from perfect, and it would certainly be very useful to see the
POST data for forms. That too has room for evasion techniques and would
probably require normalization of some sort (at least be decoded).
However, for a simple signature matching IDS/filter, you can glean a lot
just from the URL/method/couple of headers and I can think of few
attacks that wouldn't have some kind of identifiable pattern in there.
That said, imagine trying to reliably catch exploits in the transfer
encoding and request footers, and all the other crazy parts of the HTTP
protocol. I'm not even sure what squid does with chunked encodings and
the like, it probably passes them straight through. A totally
comprehensive solution would have to handle all of the protocol decode I
guess.
--
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
Received on Mon Jul 14 19:43:13 2003
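An added illustration of the point made in the message above, that a signature filter working only on the URL, method and a couple of headers still needs to decode those fields before matching. This is example code written for this page, not code from the thread or from Squid; it assumes a hypothetical helper input line of the form `METHOD URL [User-Agent]` (the actual fields a Squid external ACL helper receives depend on how `external_acl_type` is configured), and the signatures and sample request lines are constructed for the demonstration.

```python
import sys
from urllib.parse import unquote

# Constructed signatures: (name, substring to look for after normalization).
SIGNATURES = [
    ("path-traversal", "../"),
    ("script-tag", "<script"),
]

# Constructed helper input lines (hypothetical "METHOD URL User-Agent" format).
SAMPLE_LINES = [
    "GET http://www.example.com/index.html Mozilla/4.0",
    "GET http://www.example.com/cgi-bin/%2e%2e/%2e%2e/x Mozilla/4.0",
    "GET http://www.example.com/cgi-bin/%252e%252e/x Mozilla/4.0",
    "GET http://www.example.com/search?q=%3Cscript%3E Mozilla/4.0",
    "GET http://www.example.com/plain/../x Mozilla/4.0",
]


def normalize(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded, so double
    encoding is undone but a pathological input cannot loop forever), then
    fold backslashes to slashes and lowercase for case-insensitive matching."""
    prev, cur, rounds = None, value, 0
    while cur != prev and rounds < max_rounds:
        prev, cur, rounds = cur, unquote(cur), rounds + 1
    return cur.replace("\\", "/").lower()


def match_signatures(method, url, headers, decode=True):
    """Return the names of signatures found in any inspected field.
    With decode=False the raw fields are matched, which is what a naive
    filter does and what an encoded request slips past."""
    fields = [method, url] + list(headers.values())
    hits = []
    for name, pattern in SIGNATURES:
        for field in fields:
            candidate = normalize(field) if decode else field.lower()
            if pattern in candidate:
                hits.append(name)
                break
    return hits


def parse_helper_line(line):
    """Split the assumed 'METHOD URL [User-Agent]' helper line."""
    parts = line.rstrip("\n").split(" ", 2)
    if len(parts) < 2:
        raise ValueError("malformed helper line: %r" % line)
    headers = {"user-agent": parts[2]} if len(parts) > 2 else {}
    return parts[0], parts[1], headers


def verdict(line, decode=True):
    """Helper-style answer: ERR (deny) when a signature matches, else OK."""
    method, url, headers = parse_helper_line(line)
    return "ERR" if match_signatures(method, url, headers, decode) else "OK"


def compare(lines=SAMPLE_LINES):
    """Map each sample line to (raw verdict, decoded verdict) so the effect
    of normalization is visible side by side."""
    return {line: (verdict(line, decode=False), verdict(line)) for line in lines}


def run_helper(stream_in=sys.stdin, stream_out=sys.stdout):
    """Loop in the style of a line-oriented helper: one request line in,
    one OK/ERR line out, flushed so the proxy is not left waiting."""
    for line in stream_in:
        stream_out.write(verdict(line) + "\n")
        stream_out.flush()


if __name__ == "__main__":
    for line, (raw, decoded) in compare().items():
        print("%-4s %-4s %s" % (raw, decoded, line))
```

Running the file prints the raw and decoded verdict for each constructed line: the plain request is OK either way, the literal `../` is caught either way, but the single- and double-percent-encoded traversal and the encoded `<script>` are only caught once the fields are decoded, which is the normalization gap the message describes.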
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:16 EDT