You forget that HTTP is a stateless protocol. After one GET you will be disconnected.
Oleg.

----- Original Message -----
From: "Official Flamer/Cabal NON-Leader" <[EMAIL PROTECTED]>
To: "Guy Cohen" <[EMAIL PROTECTED]>
Cc: "Official Flamer/Cabal NON-Leader" <[EMAIL PROTECTED]>; "My Own Private List" <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 10:24 PM
Subject: Re: ipchains --string on http

> Quoth Guy Cohen:
>
> > yes, but why netfilter transfers the connection to apache in the first
> > place?
>
> Do it manually ;-)...
> ---cuttez---dicez---removez---slicez---ambutez---choppez---
> telnet foo.bar.com 80
> GET /
>
> GET /zumbu.html
>
> GET /root.exe/uweriwurhiwu?39804759834579suhfksdfhksjdf/389457983457w4rklsdj
>
> GET /
>
> GET /zumbu.html
> ---cuttez---dicez---removez---slicez---ambutez---choppez---
> Of the above, ONE is a connexion, FOUR are legal requests and ONE is an
> attack. Six "transactions" in all. What should netfilter do? Scrap ALL
> six? Scrap only one? It does not know in advance that a legal connexion
> to port 80 is going to be followed by an attack...
>
> So - the connexion IS established, the DATA in the subsequent data
> stream gets dropped by netfilter. So - a LEGAL, WORKING connexion is
> kept idle, until apache junks it. Nothing to do with netfilter, per se.
>
> M
>
> =================================================================
> To unsubscribe, send mail to [EMAIL PROTECTED] with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail [EMAIL PROTECTED]
> =================================================================
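The situation M's telnet trace describes, as an added simulation that is not code from the thread: a per-packet string filter in front of the web server, one established connection carrying several requests, and what the server actually receives once one segment is dropped. It assumes an HTTP/1.1 keep-alive connection with one request per TCP segment (with one-request-per-connection HTTP, as Oleg notes, each GET is its own connection), and the filter term "root.exe" is taken from the sample request in the trace.

```python
"""Simulate a packet-level string filter (ipchains/iptables --string style)
in front of a web server, for one keep-alive HTTP connection carrying
several requests. Constructed example; not code from the thread."""

# Constructed filter term; "root.exe" is the token in the thread's sample request.
ATTACK_PATTERNS = (b"root.exe",)

def string_filter(payload, patterns=ATTACK_PATTERNS):
    """Per-packet decision: DROP if any pattern occurs in this segment's
    payload, ACCEPT otherwise. The filter sees only the packet in front of
    it, so legal requests sent earlier on the connection were already passed."""
    return "DROP" if any(p in payload for p in patterns) else "ACCEPT"

def run_connection(requests, patterns=ATTACK_PATTERNS):
    """One request per TCP segment on an already established connection.
    Returns (verdict per segment, bytes the server application received,
    number of segments stuck in the receiver's reassembly queue)."""
    verdicts, delivered, queued, hole = [], b"", 0, False
    for req in requests:
        verdict = string_filter(req, patterns)
        verdicts.append(verdict)
        if verdict == "DROP":
            # No RST or FIN is sent, so the connection stays established.
            # Every retransmit of this segment is dropped again, so the gap
            # in the byte stream never closes: the server sees an idle socket.
            hole = True
        elif hole:
            # Later segments still arrive, but TCP cannot deliver them past
            # the hole; they wait in the reassembly queue until a timeout.
            queued += 1
        else:
            delivered += req
    return verdicts, delivered, queued

# Constructed sample: the five requests from the thread, on one connection.
REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: foo.bar.com\r\n\r\n",
    b"GET /zumbu.html HTTP/1.1\r\nHost: foo.bar.com\r\n\r\n",
    b"GET /root.exe/uweriwurhiwu?x HTTP/1.1\r\nHost: foo.bar.com\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: foo.bar.com\r\n\r\n",
    b"GET /zumbu.html HTTP/1.1\r\nHost: foo.bar.com\r\n\r\n",
]

def requests_seen_by_server(requests=REQUESTS, patterns=ATTACK_PATTERNS):
    """How many complete requests reach the application at all."""
    _, delivered, _ = run_connection(requests, patterns)
    return delivered.count(b"GET ")

if __name__ == "__main__":
    print(run_connection(REQUESTS)[0], requests_seen_by_server())
```

Only the two requests sent before the dropped segment ever reach the application; the two legal requests sent after it are held in the receiver's queue behind the hole, which is the "working connexion kept idle until apache junks it" outcome from the thread.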