Re: BAD NEWS: Microsoft Security Bulletin MS03-032
On Tue, Sep 09, 2003 at 01:51:25PM -0700, Drew Copley wrote:
> > -----Original Message-----
> > From: Nathan Wallwork [mailto:owen@xxxxxxxxxxx]
> > Sent: Tuesday, September 09, 2003 1:18 PM
> >
> > On Mon, 8 Sep 2003, Drew Copley wrote:
> > > The only sure way to detect this, I already wrote about [to
> > Bugtraq].
> > > That is by setting a firewall rule which blocks the
> > dangerous mimetype
> > > string
> > > [Content-Type: application/hta]. Everything else in the
> > exploit can change.
> >
> > Just so we are clear, the firewall wouldn't tbe he right
> > place to catch
> > this because that string could be split by packet
> > fragmentation, so you'd
> > need to look for it at an application level, after the data stream
> > has been reassembled.
>
> Yes, I mean "IPS rule" - "firewall rule" is a bit inaccurate- just a
> traditional term. Any IPS that does not handle fragmentation, though, has
> some serious problems.
s/fragmentation/fragmentation and TCP reassembly/
You'd need both, and they are different things.
--
Crist J. Clark | cjclark@xxxxxxxxxxxx
| cjclark@xxxxxxx
http://people.freebsd.org/~cjc/ | cjc@xxxxxxxxxxx