Catch Suspicious Extensions [January 11, 2009]
Jan. 12, 2009, 05:50 PM
Post: #12
RE: Catch Suspicious Extensions [January 11, 2009]
I like these filters Kye-U, many thanks for them. And now let's try to improve them.

Analyzing the code of the first filter:
- "$URL(http://" is FTP covered by the other filter?
- *.(^([a-z]+{2,4})(^/))*. looks for an extension of only letters (no numbers) between 2 and 4 chars.

The detection of the extension gives false positives in links like http://host1/clear.gif?url=host2/cbs.com
Example here: http://www.cbs.com/primetime/big_bang_th...=true&cc=2
I recommend some code like (\1\?*|\1) or using \p to take the real extension and test it afterwards.

One modification for the first filter:
Code:
Match = "$SET(url=\p)$TST(url=*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c)))$LOG(R$DTM(c): Suspicious extension in \h\p)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)"

And one question: now that both filters are for incoming connections, why do we use two filters? Could we join them?
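The false positive described in the post above comes from scanning the whole URL for a dot followed by a few letters, so a query-string value such as `?url=host2/cbs.com` is mistaken for a `.com` executable. The following is an added example, not code from the thread or from Proxomitron; it reimplements the check in Python so the two approaches can be compared side by side. `naive_extensions` is an approximation of a URL-wide scan (an assumption, not the exact semantics of the filter's matching expression), while `path_extension` does what the post recommends: drop the query string and fragment, keep only the last path segment, and test that extension against the same list the filter uses. The extension list is expanded from the filter's alternation; the sample URLs are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, unquote

# Expanded from the $TST alternation in the filter quoted above.
SUSPICIOUS_EXTENSIONS = frozenset("""
hta eml exe hlp jse lnk url bas bat com cmd vbe vbs vb scr shs pif pcd
ade adp anr chm cpl crt ins isp mdb mde msc msi msp mst wsf wsh wsc
""".split())

# Assumption: a rough stand-in for a URL-wide scan, i.e. any dot followed by
# 2-4 letters that is not immediately followed by a '/' or more letters.
NAIVE_EXT = re.compile(r"\.([a-z]{2,4})(?![a-z/])")


def naive_extensions(url):
    """Every extension-like token anywhere in the URL, query string included.

    This is the behaviour that produces the false positive on
    http://host1/clear.gif?url=host2/cbs.com : 'com' is reported although
    the resource actually fetched is clear.gif.
    """
    return [m.group(1) for m in NAIVE_EXT.finditer(url.lower())]


def path_extension(url):
    """Extension of the last path segment only; query and fragment are ignored.

    Percent-encoding is decoded first so 'file%2Eexe' is seen as 'file.exe',
    and the result is lower-cased so 'Tool.EXE' matches 'exe'. A URL whose
    path ends in '/' (a directory) or has no dot in its final segment yields
    None. The check is scheme-agnostic, so it applies equally to ftp:// URLs.
    """
    parts = urlsplit(url)
    last_segment = unquote(parts.path).rsplit("/", 1)[-1]
    if "." not in last_segment:
        return None
    ext = last_segment.rsplit(".", 1)[-1].lower()
    return ext or None


def is_suspicious(url):
    """True when the real path extension is on the suspicious list."""
    return path_extension(url) in SUSPICIOUS_EXTENSIONS


def naive_is_suspicious(url):
    """True when the URL-wide scan finds any listed extension anywhere."""
    return any(ext in SUSPICIOUS_EXTENSIONS for ext in naive_extensions(url))


if __name__ == "__main__":
    # Constructed sample URLs, including the false-positive case from the post.
    samples = [
        "http://host1/clear.gif?url=host2/cbs.com",
        "http://host/download/setup.exe",
        "ftp://host/pub/Tool.EXE?x=1#frag",
        "http://host/file%2Eexe",
        "http://host/dir.exe/",
        "http://host/report.pdf",
    ]
    for url in samples:
        print(f"{url:45} naive={naive_is_suspicious(url)!s:5} "
              f"path_ext={path_extension(url)!s:5} suspicious={is_suspicious(url)}")
```

Run it as a script to see the table; the first row is the post's example, flagged by the URL-wide scan but cleared once only the path is examined. The `dir.exe/` row shows why the final segment, not any segment, must be tested: a directory named like an executable is not a download.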
Messages In This Thread
RE: Catch Suspicious Extensions [April 21, 2008] - Guest - Aug. 27, 2008, 09:21 PM
RE: Catch Suspicious Extensions [January 11, 2009] - lnminente - Jan. 12, 2009 05:50 PM