[Discussion] Just one question

Will Metcalf william.metcalf at gmail.com
Fri Mar 20 04:55:02 UTC 2009


Oops, sorry, had content-disposition on the brain today.  I meant range
requests, so for example malware x gets installed outside of your
environment and a user brings it back into your environment.  Twice a
day malware x checks for a new copy of itself, but to avoid detection
by inline AVs and something like the md5 hash checks you speak of, it
pulls pieces of itself using range requests, so almost like a download
manager. How/can you deal with content reconstruction across multiple
TCP sessions?  I know inline AV scanners for the most part can't
properly deal with this, I was just wondering if Bro could.  Hopefully
that makes sense, I'm pretty sleepy at this point.... ;-)

Regards,

Will

On Thu, Mar 19, 2009 at 9:11 PM, Seth Hall <hall.692 at osu.edu> wrote:
>
> On Mar 19, 2009, at 7:19 PM, Will Metcalf wrote:
>
> >> This is cool stuff.  Can you guys currently reconstruct downloads
>> that are offset from the end of the HTTP headers via
>> content-disposition?  Just curious...
>
>
> I'm not sure I understand what you mean about the download being offset by
> the content-disposition header.  As long as the body of the HTTP response is
> the content of the file then it should work.  Maybe there's some
> functionality behind content-disposition I don't fully understand?
>
>  .Seth
>
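
The cross-session reconstruction asked about above, sketched as an added example that is not part of the original thread and is not Bro's code: partial bodies are keyed by host and URI rather than by TCP connection, placed by their Content-Range offsets, and hashed once every byte is covered. The class name, the host name and the sample bytes are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

CONTENT_RANGE = re.compile(r"bytes (\d+)-(\d+)/(\d+)")

class RangeReassembler:
    """Rebuilds an object from 206 bodies seen on different connections."""
    def __init__(self):
        self.total = {}                 # (host, uri) -> declared full length
        self.parts = defaultdict(dict)  # (host, uri) -> {start offset: body}

    def add(self, host, uri, content_range, body):
        """Store one partial body; return full-object MD5 once complete, else None."""
        m = CONTENT_RANGE.fullmatch(content_range.strip())
        if not m:
            return None
        start, end, total = map(int, m.groups())
        if end < start or end >= total or len(body) != end - start + 1:
            return None                 # header and body disagree: skip it
        key = (host, uri)
        if self.total.get(key) != total:
            self.total[key] = total     # new or changed object: start over
            self.parts[key].clear()
        self.parts[key][start] = body
        return self._digest_if_complete(key)

    def _digest_if_complete(self, key):
        buf = bytearray(self.total[key])
        covered = 0                     # first offset not yet filled
        for start in sorted(self.parts[key]):
            body = self.parts[key][start]
            if start > covered:
                return None             # gap: a piece is still missing
            buf[start:start + len(body)] = body
            covered = max(covered, start + len(body))
        if covered < self.total[key]:
            return None
        return hashlib.md5(bytes(buf)).hexdigest()

# Constructed sample: one 1000-byte object fetched as three out-of-order
# ranges, as if each arrived on its own TCP connection.
SAMPLE = bytes(i % 251 for i in range(1000))

def demo():
    r, key = RangeReassembler(), ("updates.example", "/x.bin")
    return [r.add(*key, f"bytes {a}-{b - 1}/1000", SAMPLE[a:b])
            for a, b in ((600, 1000), (0, 300), (300, 600))]
```

A per-connection scanner only ever sees one of the three slices; the digest that matches a whole-file hash list appears only after the last missing range arrives.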


