The simple answer is because this mail would have never reached us and
likely will not reach many already.
CAT /ETC/PASSWD is also a perfectly valid Unix command on some systems
in all caps.
Do you think that this mail can be processed and confidently assured to
be safe?
william taft wrote:
On 7/26/05, Swift, David <[EMAIL PROTECTED]> wrote:
And how would you propose to block something you can't detect?
IPS actions are always on patterns of data, either packet level, or
based on anomalous behavior (statistical, historical, protocol...).
To argue otherwise is incomprehensible.
why -not- block something you can't understand? why are we giving up
on using tools other than firewalls/IPS (i prefer 'layer 7 firewall'
to 'ips')? handshaking does exist beyond TCP...applications,
authentication protocols, etc. all have 'handshakes'. if you
authorize enough basic application traffic (i'll bet most of us use
only a handful of applications anyway), i think you'll probably close
many gaps. IPS/layer7 firewall isn't the answer, but something must
be out there for this purpose.
On 7/26/05, Swift, David <[EMAIL PROTECTED]> continues:
RDP is an allowed protocol to Windows. A Null Session is perfectly
legitimate to Windows operating system. CAT /ETC/PASSWD is a
perfectly valid Unix command.
you've lost me here...are you saying that just to jam a square
technology into a round role? you'd allow any access to /etc/passwd
from the outside into your DMZ? from a non-administrative workstation
to a server? i wouldn't. why not block traffic you're not supposed
to see? yes, block requests to /etc/passwd (and other naughty
actions) across all ports from the outside world into your dmz. why
wouldn't you?
/will
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------