String matching.
Tzafrir Cohen
tzafrir@technion.ac.il
Wed, 30 Jan 2002 22:54:41 +0200 (IST)
On Wed, 30 Jan 2002, Daniel F. Chief Security Engineer - wrote:
> I'm about to implement string matching. And was curious as to what other
> people are blocking with string matching like code red stuff (cdm.exe or
> default.ida). I would like to compile a list and then I could send the whole
> list in one mail back to the list.
I'm just curious:
Isn't packet filtering a bit lower level for such blocking?
How could you tell this from a web page that happens to contain:
GET /<SOME PATH>/cmd.exe[etc.]
(e.g.: the archives of this mailing list, had I bothered writing something
more accurate)?
Wouldn't this be better done in an application-level proxy?
The problem is error-reporting: Imagine you are trying to view this web page:
a connection starts OK, but then disconnects for no apparent reason. No
matter how many retransmissions your system tries, the connection will be
cut in the middle (the way I understand it). You will get no error
message of the cause for this problem. A filtering proxy (if it happened to
reject a page) would have replaced it with a proper error message to the
client.
--
Tzafrir Cohen /"\
mailto:tzafrir@technion.ac.il \ / ASCII Ribbon Campaign
Taub 229, 972-4-829-3942, X Against HTML Mail
http://www.technion.ac.il/~tzafrir / \
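
The contrast raised in the message above, as an added example that is not part of the original post: a per-packet substring match cannot tell a request for cmd.exe from a response body that merely quotes one, while an application-level check looks only at the request target and can answer with a proper error. Function names, sample payloads and the 403 wording are constructed assumptions.

```python
from typing import Optional
from urllib.parse import unquote_to_bytes

SIGNATURES = (b"cmd.exe", b"default.ida")  # strings named in the thread

def packet_filter_verdict(payload: bytes) -> str:
    """Naive per-packet string match: no notion of direction or HTTP structure."""
    return "DROP" if any(s in payload.lower() for s in SIGNATURES) else "ACCEPT"

def proxy_verdict(raw_request: bytes) -> Optional[bytes]:
    """Application-level check on the request target only.
    Returns an HTTP error response for the client, or None to forward."""
    request_line = raw_request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return b"HTTP/1.0 400 Bad Request\r\n\r\n"
    # Decode percent-escapes so /cmd%2Eexe is treated like /cmd.exe
    target = unquote_to_bytes(parts[1]).lower()
    if any(s in target for s in SIGNATURES):
        body = b"Request blocked by filtering proxy.\n"
        head = b"HTTP/1.0 403 Forbidden\r\nContent-Type: text/plain\r\n"
        return head + b"Content-Length: %d\r\n\r\n" % len(body) + body
    return None

# Constructed samples (placeholder paths, not captured traffic)
SUSPECT_REQUEST = b"GET /SOME_PATH/cmd.exe HTTP/1.0\r\n\r\n"
ARCHIVE_REQUEST = b"GET /archive/msg00123.html HTTP/1.0\r\n\r\n"
ARCHIVE_RESPONSE = (  # a response segment quoting the string in its body
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<pre>How could you tell this from: GET /SOME_PATH/cmd.exe</pre>"
)

if __name__ == "__main__":
    # The packet filter drops the archive page mid-transfer (false positive)
    print("filter, archive response:", packet_filter_verdict(ARCHIVE_RESPONSE))
    # The proxy forwards the archive request and rejects the suspect one
    print("proxy, archive request:", proxy_verdict(ARCHIVE_REQUEST))
    print("proxy, suspect request:", proxy_verdict(SUSPECT_REQUEST))
```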