Wow, I most certainly stand corrected. This area is relatively new to me. I spend much of my time teaching myself about computers. Networking hasn't been something I've gotten into much; I'm still learning, which is why I joined this mailing list--to learn more. I apologize for my noobish questions. Regex wasn't my idea, as I don't know what it is. I am assuming that what I was describing is that.

Good day,
A
----- Original Message -----
From: "Travis H." <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, September 29, 2005 1:56 AM
Subject: Re: [pfSense-discussion] Payload inspection

On 9/21/05, A Rossi <[EMAIL PROTECTED]> wrote:
> I was thinking of payload inspection as a way to check to see if the payload
> contains requested data (like HTML, or mp3 or whatever the user is
> downloading) to make sure that it doesn't contain infected data (with a worm
> or such) that is piggybacking on legitimate data.

A couple of things. When malicious code attaches itself to other data, it's generally called a virus. When they transmit themselves autonomously, they're called worms.

Secondly, how in the world would you know if returned information is "what the user requested"? Seems like the user makes a query, and data comes back, and there's no other source of information on which you could make a determination. For example, I do an HTTP request like this:

GET /cgi-bin/whatever.pl HTTP/1.0

And in return I get a 5k ASCII document of MIME type text/plain. Is that what I requested? Seems like you're getting into mind-reading and "do what I mean, not what I say" territory here. And that's just HTTP.

Packet-by-packet regex is a dumb idea, but I don't exactly see how it isn't "secure", apart from implementation errors (e.g. buffer overflow) and some DoS issues (both endemic to all network applications). It won't do what you want, but that's not really a security issue, as it's more of an expectation problem on the part of the people who request this.

Given how much data crosses a firewall, I think a short pattern like ".mp3" would match far too many innocuous connections. Certain network operations would just fail in some way, and you would end up with a user base that started to blame your firewall for everything.

If you want layer 7 inspection, and you want to do it right, don't use a layer 3 device, get an IDS/IPS. It's hard enough to do right at layer 7, and playing games at layer 3 will only give you a false sense of security.

--
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
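An added illustration of the two failure modes Travis describes (this is example code written for this page, not code from the thread, from pfSense, or from any IDS): a signature checked one packet at a time is missed as soon as it straddles a segment boundary, while a stream-level check that reassembles first finds it; and an unescaped short pattern like `.mp3` fires on plenty of traffic that has nothing to do with audio files. The packet payloads, the `EVIL_MARKER` signature and the innocuous request lines are all constructed for the demo.

```python
import re

# Constructed sample: one application-layer stream already cut into
# TCP-segment-sized payloads.  "EVIL_MARKER" is a hypothetical signature,
# and the cut is placed so that it straddles packets 1 and 2.
PACKETS = [
    b"GET /music/song.mp3 HTTP/1.0\r\nHost: example.test\r\n\r\n",
    b"ID3\x03\x00\x00\x00 some audio data EVIL_",
    b"MARKER more audio data ... mp3 tag text",
]
SIGNATURE = re.compile(rb"EVIL_MARKER")

def per_packet_matches(packets, pattern):
    """Layer-3 style check: run the regex over each packet payload on its own.
    Returns the indices of packets that matched."""
    return [i for i, payload in enumerate(packets) if pattern.search(payload)]

def reassembled_match(packets, pattern):
    """Layer-7 style check: reassemble the stream first, then search it.
    Returns the byte offset of the first match, or None."""
    stream = b"".join(packets)
    m = pattern.search(stream)
    return m.start() if m else None

# Constructed request lines that contain no .mp3 file at all.
INNOCUOUS = [
    b"GET /reports/temp3-summary.html HTTP/1.0",
    b"user=jmp3rd&action=view",
    b"X-Trace: dump3 complete",
]

def count_naive_mp3_hits(lines):
    """The pattern from the thread, used as a regex: the unescaped dot means
    'any character followed by mp3', so temp3, jmp3rd and dump3 all match."""
    pattern = re.compile(rb".mp3")
    return sum(1 for line in lines if pattern.search(line))

def count_anchored_mp3_hits(lines):
    """Escaping the dot and requiring a non-name character afterwards removes
    these particular false positives; it still says nothing about the payload."""
    pattern = re.compile(rb"\.mp3(?![A-Za-z0-9])")
    return sum(1 for line in lines if pattern.search(line))

if __name__ == "__main__":
    print("per-packet hits:", per_packet_matches(PACKETS, SIGNATURE))
    print("reassembled offset:", reassembled_match(PACKETS, SIGNATURE))
    print("naive '.mp3' hits on innocuous lines:", count_naive_mp3_hits(INNOCUOUS))
    print("anchored hits on innocuous lines:", count_anchored_mp3_hits(INNOCUOUS))
```

Running it shows the per-packet check returning no hits while the reassembled check finds the signature, and the naive pattern matching all three innocuous lines. Reassembly is exactly the work an IDS/IPS does before matching (along with handling retransmissions, overlaps and out-of-order segments, none of which a packet filter sees), which is why the thread's advice is to do this at layer 7 or not at all.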
