IDS mailing list archives
Re: Re: HTTP traffic
From: abhuyan () gmail com
Date: 2 Aug 2007 05:46:53 -0000
Yes, especially client-side based rules. It's always better to be a bit exploit-specific. On the server side, chances are less if you write vulnerability-specific, or use some tactics to prevent false positives. As abhi specified about the MS-DOS device name vulnerability, if we block just "com" it will trigger FPs for requests like "3com", ".com", "common" etc. So you need to *think* how to counter it, maybe look for a space after 'com' or check that no bytes follow after 'com', also keeping in mind various evasion tactics.

HTH
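One way to check the refinement the post describes, as an added example that is not code from this thread: a naive "com" substring rule beside a stricter one that only fires when a reserved MS-DOS device name is a whole path segment, matched after URL decoding so simple encoding evasions do not slip past. The sample request paths are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths (not taken from the thread).
SAMPLE_PATHS = [
    "/scripts/com1",          # reserved device name as a path segment: should alert
    "/3com/drivers.html",     # "com" inside a product name: false positive for a naive rule
    "/index.com",             # "com" as an ordinary extension: false positive
    "/common/style.css",      # "com" as the start of a word: false positive
    "/upload/COM1.txt",       # device name with an extension, mixed case: should alert
    "/upload/%43%4f%4d%32",   # URL-encoded "COM2": must be decoded before matching
]

# The naive rule the post warns about: any occurrence of "com".
NAIVE_RULE = re.compile(r"com", re.IGNORECASE)

# Stricter rule: the reserved name must fill a whole path segment, optionally
# followed by an extension, and must not be merely a substring of a longer name.
DEVICE = r"(?:con|prn|aux|nul|com[1-9]|lpt[1-9])"
STRICT_RULE = re.compile(r"/" + DEVICE + r"(?:\.[^/]*)?$", re.IGNORECASE)


def normalize(path):
    """Undo URL encoding (applied twice to also catch double encoding)."""
    return unquote(unquote(path))


def naive_alerts(paths):
    """Paths the naive 'com' substring rule would flag."""
    return [p for p in paths if NAIVE_RULE.search(normalize(p))]


def strict_alerts(paths):
    """Paths the segment-anchored device-name rule would flag."""
    return [p for p in paths if STRICT_RULE.search(normalize(p))]


def false_positives(paths):
    """Paths flagged by the naive rule but not by the stricter one."""
    strict = set(strict_alerts(paths))
    return [p for p in naive_alerts(paths) if p not in strict]


if __name__ == "__main__":
    print("naive :", naive_alerts(SAMPLE_PATHS))
    print("strict:", strict_alerts(SAMPLE_PATHS))
    print("FPs   :", false_positives(SAMPLE_PATHS))
```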
Current thread:
- Re: Re: HTTP traffic abhuyan (Aug 03)
- <Possible follow-ups>
- Re: Re: Re: HTTP traffic abhicc285 (Aug 07)
- Re: Re: Re: HTTP traffic hirosh (Aug 08)
- Re: Re: Re: HTTP traffic Abhishek Bhuyan (Aug 08)
- Re: Re: Re: Re: HTTP traffic hirosh (Aug 09)
- Re: Re: Re: Re: HTTP traffic maverick . avi (Aug 09)
- Re: Re: Re: Re: HTTP traffic abhicc285 (Aug 09)
- Re: Re: Re: Re: HTTP traffic kroudo (Aug 09)
- Re: Re: Re: Re: HTTP traffic Abhishek Bhuyan (Aug 10)
- Re: Re: Re: Re: Re: HTTP traffic abhicc285 (Aug 10)
- Re: Re: Re: Re: HTTP traffic abhicc285 (Aug 10)
(Thread continues...)