On Thursday 11 September 2003 16:22, Daniel Hartmeier wrote:
> Oh, the dreaded payload inspection / passing to userland for inspection
> topic. This is basically unrelated to syn proxying, of course you can
> combine both once you have both. But sneaking it through syn-proxy is
> unlogical ;)
The fact is that syn-proxy already manages two TCP connections.
I see 2 problems, and they're on 2 different levels:
1) TCP level: as Mike said, advanced evasion techniques have been discovered.
So we'll need something like Cedric's "scrub tcp", which passes a stream of
definitive bytes to the filter.
2) application-level filtering:
How can syn-proxy talk to a userland program, maybe by sharing a buffer?
Any ideas on how to solve these 2 problems?
Ed
P.S. I would like to say that I prefer the approach "how things should
work" to "how things work". This means that we should think about how a
valid connection is built by valid software and block the rest without
mercy. So, for example, if I receive the first packet of a request to tcp:80
that has only 3 bytes of payload, I'll close that connection.
P.P.S. I'm subscribed to the list!
Please do not CC me every time ;-)
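The two points above, as an added example that is not part of the thread and not pf's own code: a toy normalizer that turns out-of-order and overlapping TCP segments into one definitive byte stream (the "scrub tcp" idea from point 1, with a first-byte-seen-wins policy assumed here and a counter for overlaps whose bytes disagreed), and the P.S. rule that a first request segment carrying only a few bytes gets the connection closed. The class `StreamNormalizer`, the functions `normalize` and `first_request_ok`, the threshold `MIN_FIRST_PAYLOAD` and the sample segments are all assumptions constructed for this example.

```python
"""Toy TCP stream normalizer plus a first-request sanity check.

Added example, not code from pf or from the thread. Everything here
(names, policy, threshold, sample data) is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int        # absolute sequence number of payload[0]
    payload: bytes


class StreamNormalizer:
    """Reassembles one direction of a TCP stream into a definitive byte stream.

    Policy (assumed for this example): the first byte seen at a sequence
    position wins, later data for that position is dropped, and a conflict
    counter records every overlap whose bytes disagreed. Whichever policy a
    real normalizer picks, the goal is that the filter and the endpoint see
    the same bytes, so overlap ambiguities stop mattering.
    """

    def __init__(self, isn: int) -> None:
        self.next_seq = isn                  # next byte not yet delivered
        self.pending: Dict[int, int] = {}    # absolute seq -> byte value
        self.conflicts = 0

    def add(self, seg: Segment) -> None:
        for i, b in enumerate(seg.payload):
            pos = seg.seq + i
            if pos < self.next_seq:          # stale retransmit of delivered data
                continue
            if pos in self.pending:
                if self.pending[pos] != b:
                    self.conflicts += 1      # overlapping segment disagreed
                continue                     # first-wins: keep the old byte
            self.pending[pos] = b

    def deliver(self) -> bytes:
        """Return all contiguous bytes now available, in sequence order."""
        out = bytearray()
        while self.next_seq in self.pending:
            out.append(self.pending.pop(self.next_seq))
            self.next_seq += 1
        return bytes(out)


# Assumed threshold: the post closes a connection whose first request packet
# carries 3 bytes of payload; here anything shorter than 4 bytes is rejected.
MIN_FIRST_PAYLOAD = 4


def first_segment(isn: int, segments: List[Segment]) -> Optional[Segment]:
    """The segment that starts the stream (seq == isn), if it has arrived."""
    for seg in segments:
        if seg.seq == isn:
            return seg
    return None


def first_request_ok(isn: int, segments: List[Segment]) -> bool:
    """The post's rule: valid client software does not open an HTTP request
    with a handful of bytes, so a tiny first segment fails the check."""
    seg = first_segment(isn, segments)
    return seg is not None and len(seg.payload) >= MIN_FIRST_PAYLOAD


def normalize(isn: int, segments: List[Segment]) -> Tuple[bytes, int]:
    """Feed every segment through the normalizer; return (stream, conflicts)."""
    norm = StreamNormalizer(isn)
    for seg in segments:
        norm.add(seg)
    return norm.deliver(), norm.conflicts


# Constructed sample: segments arrive out of order and one overlaps the
# request path with different bytes (exactly the ambiguity a normalizer removes).
SAMPLE_ISN = 1000
SAMPLE_SEGMENTS = [
    Segment(1007, b"dex.html HTTP/1.0\r\n\r\n"),
    Segment(1000, b"GET /in"),
    Segment(1004, b"/adm"),                  # overlaps 1004..1007 with other bytes
]

# Constructed sample of the post's "only 3 bytes of payload" case.
TINY_ISN = 5000
TINY_SEGMENTS = [
    Segment(5000, b"GET"),
    Segment(5003, b" / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    stream, conflicts = normalize(SAMPLE_ISN, SAMPLE_SEGMENTS)
    print(stream, conflicts, first_request_ok(SAMPLE_ISN, SAMPLE_SEGMENTS))
    print(first_request_ok(TINY_ISN, TINY_SEGMENTS))
```

The conflict counter is what a filter would want to log: a non-zero value means two segments claimed the same sequence positions with different bytes, which is the condition under which a filter and an endpoint can otherwise disagree about what the application received.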