[Snort-devel] http_gunzip preprocessor

Eric Lauzon eric.lauzon at ...1967...
Thu Jan 5 10:48:15 EST 2006


> -----Original Message-----
> From: Frank Knobbe [mailto:frank at ...2134...] 
> Sent: 5 January 2006 13:34
> To: Eric Lauzon
> Cc: snort-devel at lists.sourceforge.net
> Subject: RE: [Snort-devel] http_gunzip preprocessor
> 
> On Thu, 2006-01-05 at 12:52 -0500, Eric Lauzon wrote:
> > Think about javascript emulation, html(base64 decoding), uudecode,
> > cache (dns poisoning and xss[cross zone] detection), SSL MITM for
> > encrypted stream inspection
> 
> I thought I said that earlier. I'm not after content 
> screening. And please stop bringing up SSL and such.

And you still think gzip decoding is not overhead. I am sorry, but SSL
is part of the issue too.

As for proxy, it does not serve only as content screening, it can be
used as a protocol chokepoint for HTTP/HTTPS, which can help a lot when
building network policies.

> 
> > [...] you need to have
> > a product or opensource components that will be built for the purpose,
> > don't think you can have your IDS do everything every time.
> 
> *sigh* I was under the impression that IDSes are used to
> detect intrusions. I'm not trying to misuse it as a content
> screen which you have been trying to imply.

Yeah, but to detect intrusions there are other means than using an NIDS.

> 
> Could we please keep the devel list focused on the technical 
> aspects and not abuse it for misguided evangelism?
> 

I'm still sure of the points I bring, as you are of yours, idea pot;
if you feel I'm wrong, prove me otherwise, but I'm still thinking
that there are a lot of client-side rules that are just useless
pieces of the ruleset that could be removed, since they are really easy
to evade, and it brings a false feeling of security that is in my book
far more dangerous than not having them and using the good
countermeasure [for the normal user].


As for keeping technical, Frank, pass on, we all don't want to go there,
or if you want to say something... got my mail.

-elz
