19 Sep 2001, 12:29
* Boris Lorenz;
You're right, there's no such thing like stateful inspection with ipchains, you should use snort as well if you want to tap into the flow of packets. The latest snortrules contain attack signatures for the Unicode exploit/cmd.exe, but you should be able to construct some default.ida-rules yourself. Writing snort rules is not too difficult and heavily documented. Just take a look at http://www.snort.org.
Though not with ipchains yet:

a) configure the webserver for another port, i.e. 81, and use return-rst to reset port 80 requests
b) better, I think, use hogwash http://hogwash.sourceforge.net

HTH
--
Togan Muftuoglu