On Mon, Jan 28, 2002 at 11:29:58PM +0100, Peter Bieringer wrote:
> Therefore I think *all* "looking for interesting text in TCP streams"
> or important) should take care about that this string can be splitted
> between 2 packets. Otherwise the probability of "not hit because of
> splitted" will be not zero.
yes, it should. But is it worth the extra effort??
> And this is imho a security issue. Think about e.g. (don't know, if
> ever possible, but) a special modified web server, which checks MTU
> and split candidates for filtering to do unwanted things...
In this case we are talking about NAT. it's not connection tracking.
> mho: netfilter is (or should/will be hopefully) a stateful inspection
> engine comparable to (or better: superseed) the current market leader
> of commercial firewalls...therefore splitting of text between TCP
> packets should always be catched and no issue for perhaps later
> possibilities of upcoming security issues.
I agree that in a perfect world we would cover those cases, yes.
Live long and prosper
- Harald Welte / laforge@xxxxxxxxxxxx http://www.gnumonks.org/
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M-
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)