
[fw-wiz] IPS Content filtering techniques

To: <firewall-wizards@listserv.icsalabs.com>
Subject: [fw-wiz] IPS Content filtering techniques
From: "Skough Axel U/IT-S" <axel.skough@scb.se>
Date: Mon, 25 Jun 2007 11:31:03 +0200
Cc: Panahi Behzad U/IT-S <behzad.panahi@scb.se>
Hi,

We have used the IPS technique for a long time to filter inbound traffic, and we
do it by content inspection. However, we have noticed increasing rejections of
certain traffic due to dirty reply packet content and will consider ways to
issue automated notifications to certain actors on the Internet about weakness
in their presence.

The "dirty" traffic is generated by sites issuing HTTP redirect commands (HTTP
code 302). However, content filtering of these packets does not work well in
certain cases due to improperly formatted HTTP packets. A possibility to define
a rule set would be:

a) accept packets with missing Content-Type and Content-Length: 0 (conforms
with RFC 2616 chapter 7.2.1). Not all IPS systems are capable of handling such
packets as desired, but Content-Type doesn't need to be investigated in this
case. We are trying to create rules for this situation in Microsoft ISA server.

b) automatically notify in some way the originating site about malformed
HTTP packets in the situation when Content-Type is missing and the
Content-Length is a positive number. Does such an implementation exist for the
Microsoft ISA server, and how should the notification recipient be identified
automatically?

c) Also, unknown/private Content-Type settings can be investigated and pointed
out automatically to the provider for correction when they cannot be identified
as properly defined. Besides the IANA list there are also possibilities to
identify relatively common "well-known" private values.

Of course we do not want the IPS to "guess" the proper settings as Web readers
do, for obvious security reasons, although this possibility exists according to
RFC 2616 (obviously a possibility intended for Web readers, not security tools).

I would appreciate any comments in this matter! 

Best regards

Axel Skough
Research & Development
Information Technology
Statistics Sweden
Box 24300 
SE-10451 Stockholm
S  W  E  D  E  N

Visitor's address: 
Karlavägen 100, Stockholm, Sweden

E-mail:  axel.skough@scb.se
Fax:     +46 8 5069 4599
SMS:     +46 70 577 1727

No rights may be derived from the contents of this e-mail message. 

The information in this e-mail message is intended only for the addressee. 
Statistics Sweden cannot vouch for the correctness and completeness of the 
contents of e-mail messages, nor for the timely receipt thereof. 
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
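The rule set sketched in points a) to c) above, written up as an added Python example (not code from the original post and not an ISA server filter): it parses a 302 response head and returns the action a content filter would take. The media-type allow-list is a constructed stand-in for the IANA registry, and the handling of a response with no Content-Length at all is an assumption not stated in the post.

```python
import re
from typing import Dict, Tuple

# Stand-in for the IANA media-type registry plus a few "well-known" private
# values (constructed subset; a real allow-list would be much larger).
KNOWN_MEDIA_TYPES = {
    "text/html", "text/plain", "text/xml", "application/xml",
    "application/octet-stream", "image/gif", "image/png", "image/jpeg",
    "application/x-www-form-urlencoded",   # common private (x-) value
}


def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) for an HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    m = re.match(r"HTTP/1\.[01] (\d{3})\b", status_line)
    if not m:
        raise ValueError("malformed status line")
    headers: Dict[str, str] = {}
    for line in header_lines:
        if ":" not in line:
            raise ValueError("malformed header line")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def classify_redirect(raw: bytes) -> str:
    """Apply rules a) to c) from the post to a 302 response head."""
    status, h = parse_response_head(raw)
    if status != 302:
        return "not-a-redirect"
    ctype = h.get("content-type")
    if "content-length" not in h:
        # Assumption: with no length the body is delimited by connection
        # close, so the "no body" case cannot be verified; never auto-accept.
        return "reject:unverifiable-length"
    try:
        clen = int(h["content-length"])
    except ValueError:
        return "reject:bad-content-length"
    if clen < 0:
        return "reject:bad-content-length"
    if ctype is None:
        if clen == 0:
            return "accept"                     # rule a): RFC 2616 7.2.1
        return "notify:missing-content-type"    # rule b): body but no type
    media = ctype.split(";", 1)[0].strip().lower()
    if media in KNOWN_MEDIA_TYPES:
        return "inspect"                        # known type: normal filtering
    return "notify:unknown-content-type"        # rule c)
```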
