I don't think this is a good idea - filtering packets based on arbitrary
strings, that is.
After reading up on this vulnerability I can only assume you are using
neither Apache nor IIS as your server.
Both of these have workable solutions.
I guess my first question is why not, and my second question is how does this
vulnerability affect the vendor?
I am very interested in finding a solution to this as well.
Thanks,
Thor
----- Original Message -----
From: "Greg Schmidt" <slugmail@gschmidt.net>
To: <slug@nks.net>
Sent: Friday, August 08, 2003 22:39
Subject: [SLUG] Looking for a firewall
> Hi Slugs,
>
> I'm looking for some thing-a-ma-bob that can filter packets by an
> arbitrary string anywhere in the packet and then decide to drop it or
> forward it. At least I think that's what I want.
>
> I don't think a layer 3 firewall that only looks at the addresses and
> ports in the header will work. For this particular problem I need to
> block the HTTP method called TRACE. This is not the ICMP traceroute,
> tracert (DOS), or tracepath (IOS) used to identify the layer 3 hops
> between one machine and another. This is one of the 8 HTTP methods
> described in section 9 of RFC 2616, "Hypertext Transfer Protocol --
> HTTP/1.1" http://www.ietf.org/rfc/rfc2616.txt
>
> I'm looking to do it for an "appliance" box where the vendor doesn't
> take this CERT Vulnerability Note (VU#867593, "Multiple vendors' web
> servers enable HTTP TRACE method by default")
> http://www.kb.cert.org/vuls/id/867593 very seriously, but someone else
> who isn't exactly a PHB does.
>
> My thought was that I could search each packet for a string identifying
> it as an HTTP TRACE packet and drop it if it appears.
>
> I'm pretty sure I don't want a proxy. I'm certain I don't want a
> $20,000 layer 7 firewall solution. I'd like to do this with OSS, an old
> Pentium, and 2 NICs.
>
> Has anyone heard of some software that can do this?
>
> Thanks,
>
> Greg
>
> -----------------------------------------------------------------------
> This list is provided as an unmoderated internet service by Networked
> Knowledge Systems (NKS). Views and opinions expressed in messages
> posted are those of the author and do not necessarily reflect the
> official policy or position of NKS or any of its employees.
>
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:20:04 EDT
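Added example, not code from either post: a small Python filter that puts the "string anywhere in the packet" check Greg describes beside a check that parses the RFC 2616 request line and compares the method token, which is the point behind Thor's objection. The sample requests and host name are constructed.

```python
import re

# RFC 2616 section 5.1: Request-Line = Method SP Request-URI SP HTTP-Version CRLF.
# Method tokens are case-sensitive (section 5.1.1), so only upper-case is matched.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r\n")


def naive_match(segment: bytes) -> bool:
    """The approach from the original post: drop any packet containing 'TRACE'."""
    return b"TRACE" in segment


def is_trace_request(segment: bytes) -> bool:
    """Parse the request line at the start of the segment and test the method.

    Only the first segment of a request carries the request line, so this
    check does not fire on later segments or on bodies that merely contain
    the word TRACE. (A real filter would also need TCP reassembly; omitted.)
    """
    m = REQUEST_LINE.match(segment)
    return m is not None and m.group(1) == b"TRACE"


def decide(segment: bytes) -> str:
    """Drop TRACE requests, forward everything else."""
    return "drop" if is_trace_request(segment) else "forward"


# Constructed sample segments (appliance.example is a placeholder host name).
TRACE_REQ = b"TRACE / HTTP/1.1\r\nHost: appliance.example\r\n\r\n"
GET_REQ = b"GET /index.html HTTP/1.1\r\nHost: appliance.example\r\n\r\n"
# A legitimate POST whose body happens to contain the word TRACE.
POST_WITH_TRACE_IN_BODY = (
    b"POST /search HTTP/1.1\r\nHost: appliance.example\r\n"
    b"Content-Length: 18\r\n\r\nq=STACK TRACE dump"
)

if __name__ == "__main__":
    for name, seg in [("TRACE", TRACE_REQ), ("GET", GET_REQ),
                      ("POST body", POST_WITH_TRACE_IN_BODY)]:
        print(f"{name:10} naive={naive_match(seg)!s:5} parsed={decide(seg)}")
```

Run stand-alone it prints that the naive check drops the harmless POST while the request-line check forwards it and drops only the real TRACE.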