On Thursday 18 October 2007, Edson wrote:
I was thinking about this problem and I think that combining this module
idea with the ones presented by Jiri could lead to an intermediate and
more flexible one.
Any sanitization task would be processed by a dedicated module. This module
could load as many 'sanitization descriptions' as desired. Each
'sanitization description' could be an XML file (just to give an example)
and would take care of a specific language or language family. It could
describe signatures, or even include language syntax and semantics checks
(who knows what is really necessary?). This way, changing/improving the
descriptions with language-specific sanitization knowledge would extend
the protection without the need for logical changes to the proxy script.
For sure, even if the idea is easy to understand, its implementation is not
trivial work. But it is an idea... ;)
Perhaps it makes more sense to use an IDS for this job, which already has the
infrastructure present to search in the traffic and match against arbitrary
rules. It can alert or kill the connection if something against the policy is
detected.
Cheers,
Henning
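The module-with-loadable-descriptions idea, as an added Python sketch that is not part of the original thread: it loads two constructed XML descriptions (the element and attribute names are assumptions, since the thread fixes no schema), checks a request payload against every loaded signature, and turns the hits into the alert-or-block decision Henning mentions, so covering another language family means adding a description file rather than changing the proxy logic.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample descriptions, one per language family. The <sanitization>
# / <signature> layout and the severity values are assumptions for this example.
SQL_DESCRIPTION = r"""<sanitization language="sql">
  <signature id="sql-tautology" severity="high">(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+</signature>
  <signature id="sql-union-select" severity="high">(?i)\bunion\b[\s\S]{0,40}\bselect\b</signature>
  <signature id="sql-comment" severity="low">--|/\*</signature>
</sanitization>"""

SHELL_DESCRIPTION = r"""<sanitization language="shell">
  <signature id="shell-chain" severity="medium">[;|&amp;]\s*(cat|ls|id|uname)\b</signature>
  <signature id="shell-subst" severity="high">\$\(|`</signature>
</sanitization>"""


class SanitizationModule:
    """Holds any number of loaded descriptions; the proxy only ever calls decide()."""

    def __init__(self):
        self.descriptions = []  # [(language, [(signature id, severity, compiled regex)])]

    def load_description(self, xml_text):
        """Parse one description file and register its signatures; returns its language."""
        root = ET.fromstring(xml_text)
        language = root.get("language")
        sigs = [(s.get("id"), s.get("severity"), re.compile(s.text.strip()))
                for s in root.findall("signature")]
        self.descriptions.append((language, sigs))
        return language

    def check(self, payload):
        """Return (language, signature id, severity) for every signature that matches."""
        return [(language, sig_id, severity)
                for language, sigs in self.descriptions
                for sig_id, severity, pattern in sigs
                if pattern.search(payload)]

    def decide(self, payload, block_on=("high",)):
        """Policy: 'block' on any hit with a listed severity, 'alert' on other hits, else 'pass'."""
        hits = self.check(payload)
        if any(severity in block_on for _, _, severity in hits):
            return "block"
        return "alert" if hits else "pass"


def build_module():
    """Assemble a module with both constructed descriptions loaded."""
    module = SanitizationModule()
    for description in (SQL_DESCRIPTION, SHELL_DESCRIPTION):
        module.load_description(description)
    return module
```

Only the descriptions carry language knowledge; a new family is another file handed to load_description().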