On Thu, 2004-09-30 at 06:39, Lazarakis, Dan wrote:
FYI only
I noticed on incidents.org that Judy Novak created some snort sigs the
other day (Spet 22) to detect malicious jpegs. I thought everyone
should know that the mime type/content type they look for is
'image/jp*'. But the world needs to be aware that "image/pjp*" is also
a valid mime type for jpegs. Matter of fact, I've been seeing a lot of
"image/pjpeg" files traversing our perimeter. Where this mime type
comes from is a mystery as it is not listed in some of the HTTP
resources I've searched. Rumor has it that Japanese IIS servers
generate this mime type, but as I said, it is rumor.
It is my considered opinion that any defencive measure based on MIME
types (or on file name/extensions) is fatally floored. Many products
(IE prominent amongst them) will figure out the type of a file
regardless of the MIME type or file name. Sigh...
Yes, this causes problems for things like snort and makes it much more
difficult to write effective rules that don't have lots of false
positives.
--
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
