Re: [fw-wiz] IPS Content filtering techniques


It is because some systems send informative responses indicating redirects (permanent or temporarily), HTTP code 301 or 302.

The ways these redirects are created vary strongly, sometimes a data buffer is given, but not always. The rediection directive is present in a HTTP header statement indicating alternate location.

Some implementations omits declaring the data buffer content as none is present, thus the content is left unknown. A content-filtering firewall therefore doesn't allow a HTTP packet with unknown data to pass - this is correct - BUT should be able to allow HTT packets with no data, i e, Content-Length: 0. In this situation the Content-Type argument can be properly excluded as stated in the RFC 2616 and we cannot therefore encourage the opinion that there should be some error in such a packet from its vendor!

Best regards,



From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx on behalf of ArkanoiD
Sent: Thu 2007-08-23 00:47
To: Firewall Wizards Security Mailing List
Cc: Panahi Behzad U/IT-S
Subject: Re: [fw-wiz] IPS Content filtering techniques

Well, what's the purpose of getting those null data through?
Why do you need it?

On Wed, Aug 15, 2007 at 03:35:24PM +0200, Skough Axel U/IT-S wrote:

Does really nobody know anything about a Web proxy product filtering on MIME Content-Type setting and capable to omit this check when the MIME Content-Length setting in force appears to be zero? The RFC 2616 states that the Content-Type header statement can be omitted in this situation and, indeed, it has no meaning as the data section is declared to be of length zero.

Otherwise the data section should of course be in general be assumed to be of type "application/octet-stream" but when no data section is present it is obviously no problem in bypassing the Content-Type check! Thus, there are no data to prevent entering for in this situation, but the packet in force may have othre meanings such as redirect etc.

I would appreciate any comments in this matter!

firewall-wizards mailing list

firewall-wizards mailing list