Re: [ISSForum] Signature availability questions

From: Gary Flynn (flynngnjmu.edu)
Date: Wed Jan 14 2004 - 17:46:31 CST


Robert Graham wrote:
> --- Gary Flynn <flynngnjmu.edu> wrote:
>
>>1. Is there a signature to detect an HTTP response with a
>> content-type of application/hta in any of the network
>> sensor products?
>
> We've added the signature for the next XPU.
>
> Unfortunately, the signature will trigger false-positives if somebody is
> actually using HTA (HTML applications) within their intranets.

That is OK. I'm interested in implementing it at the Internet
border.

>>2. I notice there is a signature for the Windows RPC Messenger
>> overflow but I suspect it is for requests going through the
>> mapper on port 135. Can anyone confirm this and/or point out
>> a signature for direct Messenger traffic connections to high
>> UDP ports?
>
> We trigger correctly on high ports.

You just made my day. Thanks!

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
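
The check discussed in this thread, as an added example that is not part of the original message and is not the ISS signature: flag an HTTP response whose Content-Type header is application/hta, and skip servers on internal ranges, since intranet HTA use is the false-positive case mentioned above. The function names, the internal ranges, and the sample responses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: ranges treated as "inside the border"; adjust for the site.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_response_head(raw):
    """Split raw HTTP response bytes into (status line, {header: [values]})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def media_type(value):
    """Drop parameters such as charset and normalise case."""
    return value.split(";", 1)[0].strip().lower()

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def hta_alert(server_ip, raw):
    """Return an alert string for an external HTA response, else None."""
    status, headers = parse_response_head(raw)
    if not status.startswith("HTTP/"):
        return None                      # not an HTTP response
    types = {media_type(v) for v in headers.get("content-type", [])}
    if "application/hta" not in types:
        return None                      # header match only, body is ignored
    if is_internal(server_ip):
        return None                      # intranet HTA: expected false positive
    return f"HTA response from external server {server_ip}"

# Constructed sample traffic: (server address, start of response).
SAMPLES = [
    ("203.0.113.10", b"HTTP/1.1 200 OK\r\nContent-Type: Application/HTA; charset=utf-8\r\n\r\n<html>"),
    ("10.1.2.3", b"HTTP/1.1 200 OK\r\nContent-Type: application/hta\r\n\r\n<html>"),
    ("203.0.113.10", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\napplication/hta"),
]

if __name__ == "__main__":
    for ip, raw in SAMPLES:
        print(ip, "->", hta_alert(ip, raw))
```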
