[Snort-devel] http_gunzip preprocessor

Eric Lauzon eric.lauzon at ...1967...
Tue Jan 3 08:08:03 EST 2006


As this matter has been exposed, I wonder where to draw the line between
NIDS and HIDS.
Personally, I wouldn't go there with a NIDS.

Why, you might ask yourself? Well, there are many reasons; the first one
is the scope of what you are trying to protect. Unless the monitored server
farm allows some user interaction with the outside world, those kinds of
problems shouldn't arise, since basic policy should deny any web
browsing from those servers. Sure, there can be other vectors, but let's just
start with this one.

Now that we have gzipped payloads, what about HTTPS tunnels? Where is our
HTTPS MITM preprocessor ;).

Then you might have to think around and see how many HTTP problems can
be solved by using a proxy [also this little HTTPS problem ;)].
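The gzipped-payload point the post is reacting to, as an added example that is not from the original message and not Snort's own http_gunzip code: a content rule that matches on wire bytes never sees a pattern inside a gzip-encoded HTTP body, so the detector has to inflate the body first. The HTTP response, the marker string used as a "signature", and the 1 MiB inflation cap are all constructed for this demonstration and are assumptions of the example, not values from any real rule set.

```python
"""
Added example (not Snort code, not from the original post): why a NIDS needs
to inflate gzip-encoded HTTP bodies before content matching. The response,
the marker string and the size cap are constructed for this demonstration.
"""
import gzip
import zlib

# Constructed "signature": the byte sequence a content rule would look for.
SIGNATURE = b"<script>evil()</script>"

# Hypothetical cap on inflated size, so a gzip bomb cannot exhaust memory.
MAX_INFLATED = 1 << 20  # 1 MiB


def build_response(body: bytes, compress: bool) -> bytes:
    """Construct a minimal HTTP/1.1 response, optionally gzip-encoded."""
    if compress:
        body = gzip.compress(body)
        encoding = b"Content-Encoding: gzip\r\n"
    else:
        encoding = b""
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        + encoding
        + b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        + b"\r\n"
    )
    return headers + body


def split_response(raw: bytes):
    """Return (lower-cased header dict, body bytes) for a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def inflate_body(headers, body: bytes) -> bytes:
    """Inflate a gzip-encoded body under MAX_INFLATED.

    Returns the body unchanged when it is not gzip-encoded, b"" when the
    stream is corrupt or would inflate past the cap (decompression bomb).
    A truncated stream yields whatever inflated cleanly, so a partial body
    is still inspected.
    """
    if headers.get(b"content-encoding") != b"gzip":
        return body
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # expect gzip wrapper
    try:
        out = d.decompress(body, MAX_INFLATED)
    except zlib.error:
        return b""
    # Input left over after the output cap was hit: the body would have
    # inflated beyond MAX_INFLATED, so refuse it rather than keep going.
    if d.unconsumed_tail:
        return b""
    return out


def matches_raw(raw: bytes) -> bool:
    """Naive detector: pattern match on the wire bytes of the body only."""
    _, body = split_response(raw)
    return SIGNATURE in body


def matches_inflated(raw: bytes) -> bool:
    """Gunzip-aware detector: pattern match after inflating the body."""
    headers, body = split_response(raw)
    return SIGNATURE in inflate_body(headers, body)


if __name__ == "__main__":
    page = b"<html><body>" + b"A" * 200 + SIGNATURE + b"</body></html>"
    for compress in (False, True):
        raw = build_response(page, compress)
        print("gzip" if compress else "plain",
              "raw-match:", matches_raw(raw),
              "inflated-match:", matches_inflated(raw))
```

Run stand-alone, the plain response matches either way while the gzip-encoded one only matches after inflation, which is the gap a gunzip preprocessor closes. The cap and the `unconsumed_tail` check are the caveat that comes with inflating on the sensor: once the NIDS decompresses attacker-controlled data, it also has to bound how much it will produce.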
