Re: [mod-security-users] core rules
From: <chr...@po...> - 2008-07-14 07:16:31
________________________________
From: Brian Rectanus [mailto:Bri...@br...]
Sent: Monday, 14 July 2008 09:08
To: Folini Christian, IT222 extern
Cc: mod...@li...
Subject: Re: [mod-security-users] core rules

> You mean send it as more than one packet?

Yes, exactly. I am not a network guy at all, but I assume the server would have to send the ACK to this package without knowing the remaining header lines. Or is it technically possible to keep the ACK back until the remaining package(s) have arrived?

> Not possible from userspace unless you have hooked
> into the TCP stack (Marty mentioned some ways on Linux).
> The server will ACK the packet so the client will keep
> sending (no ACK will cause a re-transmit). Also, the OS
> will not necessarily send the layer 7 data to the app in
> the same sizes as the packet data (buffers). To the app
> it is just a stream of data and there is no way to tell
> which data came from which packet. For ModSecurity,
> Apache will not hand it the phase:1 data until the entire
> HTTP header arrives. So, what I gave was a bare minimum.
> It could be hundreds of packets and hundreds of ACKs
> (ie send one byte per packet, or even zero bytes per packet).
> You may be able to glean more passive TCP stack
> fingerprinting from this, but the HTTP request will *still not be processed*.

That's exactly how I thought things work out on the practical level. Thanks.

Christian
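The stream behaviour discussed in this message, as an added example that is not part of the original thread: a receiver accumulates bytes until the blank line that ends the HTTP header and only then runs its inspection step, so the parsed result is the same whether the sender wrote one byte at a time or everything at once. The names read_header, inspect and demo, the sample request, and the local socket pair standing in for a TCP connection and for Apache's header buffering are all assumptions made for illustration.

```python
import socket

# Constructed sample request; host and header values are illustrative only.
REQUEST = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b"User-Agent: demo\r\n\r\n")
END = b"\r\n\r\n"

def read_header(sock, bufsize=7):
    """Accumulate stream bytes until the blank line ending the HTTP header.

    Returns (header or None, recv call count). recv() chunk sizes depend on
    buffering, not on how the peer split its writes.
    """
    buf, reads = b"", 0
    while END not in buf:
        chunk = sock.recv(bufsize)
        if not chunk:                      # EOF before the header completed
            return None, reads
        buf, reads = buf + chunk, reads + 1
    return buf[:buf.index(END) + len(END)], reads

def inspect(header):
    """Stand-in for a phase:1 check: it only ever sees a complete header."""
    lines = header.decode("ascii").split("\r\n")[1:]
    return {k.strip().lower(): v.strip()
            for k, v in (l.split(":", 1) for l in lines if ":" in l)}

def demo(fragment_size, data=REQUEST):
    """Send `data` in fragment_size-byte writes, then read and inspect it."""
    # Assumption: a local socketpair stands in for the TCP connection.
    client, server = socket.socketpair()
    try:
        for i in range(0, len(data), fragment_size):
            client.sendall(data[i:i + fragment_size])
        client.shutdown(socket.SHUT_WR)    # sender is finished
        header, reads = read_header(server)
        return (inspect(header) if header else None), reads
    finally:
        client.close()
        server.close()

if __name__ == "__main__":
    for size in (1, 5, len(REQUEST)):
        print(size, demo(size))
    print("truncated:", demo(1, REQUEST[:-2]))
```

The truncated case returns no parsed header at all: a request whose header never completes is never handed to the inspection step.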