Catch Suspicious Extensions [January 11, 2009]
Feb. 13, 2009, 11:18 PM
Post: #19
RE: Catch Suspicious Extensions [January 11, 2009]
(Feb. 12, 2009 12:23 PM)lnminente Wrote:  I end my hijack, sorry Kye-U

Place this filter after the URL-Parser, rename it if needed
Code:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "URL :I-0.1 Fixing uExt and uFile from Content-Disposition {ln}090130"
Match = "$IHDR(Content-Disposition: * filename=\1.(\w)\2 *)$SET(uFile=\1) $SET(uExt=\2) $TST(keyword=*.i_level\:[5].*)$LOG(C$DTM(c),I-0.1 Fixing uExt and uFile from Content-Disposition uFile=$GET(uFile) uExt=$GET(uExt))"

And the suspicious filters can now be reduced to only one filter
Code:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "URL :I-3.3 URL-Killer: Catch Suspicious Extensions {ku,ln}090131 WIP"
URL = "(^$TST(ContentType=*text/(html|javascript)*))"
Match = "$TST(uExt=(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c)))$LOG(R$DTM(c),I-3.3 Suspicious extension in \h\p)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\u\n\nFile=$GET(uFile).$GET(uExt)\n)"
Replace = "\k"

lnminente,
Does this filter need to be fixed for the new sidki config file: "! |||||||||||| URL :"?
Charlie
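As an added illustration (not code from this thread, nor part of the sidki or lnminente filter sets), here is the same two-step check in Python: pull uFile/uExt out of a Content-Disposition value as filter I-0.1 does, then test uExt against the extension list from I-3.3, skipping text/html and text/javascript responses as that filter's URL match does. The function names, the constructed sample headers, and the handling of the RFC 5987 `filename*=` form are my own assumptions; the filename is split at its last dot.

```python
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# Flat form of the alternation in I-3.3's $TST(uExt=...) expression.
SUSPICIOUS_EXTENSIONS = frozenset({
    "hta", "eml", "exe", "hlp", "jse", "lnk", "url", "bas", "bat",
    "com", "cmd", "vb", "vbe", "vbs", "scr", "shs", "pif", "pcd",
    "ade", "adp", "anr", "chm", "cpl", "crt", "ins", "isp",
    "mdb", "mde", "msc", "msi", "msp", "mst", "wsf", "wsh", "wsc",
})

# Content types I-3.3 does not run on: URL = "(^$TST(ContentType=*text/(html|javascript)*))".
EXEMPT_CONTENT_TYPES = ("text/html", "text/javascript")

# filename*=charset'lang'percent-encoded (RFC 5987); assumed to win over plain filename=.
_FILENAME_STAR_RE = re.compile(r";\s*filename\*\s*=\s*([^;]+)", re.IGNORECASE)
# Plain filename=, either a quoted-string (which may contain ';') or a bare token.
_FILENAME_RE = re.compile(
    r';\s*filename\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*))', re.IGNORECASE)


def extract_filename(content_disposition: str) -> Optional[str]:
    """Return the filename parameter of a Content-Disposition value, or None."""
    m = _FILENAME_STAR_RE.search(content_disposition)
    if m:
        parts = m.group(1).strip().split("'", 2)
        if len(parts) == 3:
            return unquote(parts[2], encoding=parts[0] or "utf-8",
                           errors="replace") or None
    m = _FILENAME_RE.search(content_disposition)
    if m:
        name = m.group(1) if m.group(1) is not None else m.group(2)
        return name.replace('\\"', '"').strip() or None
    return None


def split_extension(filename: str) -> Tuple[str, str]:
    """Split 'invoice.pdf.exe' into ('invoice.pdf', 'exe'), the uFile/uExt pair.

    Any path prefix is dropped and trailing dots/spaces are removed, since
    Windows strips those when it saves the file. The extension is lower-cased
    so the membership test is case-insensitive.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    if "." not in base:
        return base, ""
    stem, ext = base.rsplit(".", 1)
    return stem, ext.lower()


def check_download(content_type: Optional[str],
                   content_disposition: Optional[str]) -> Optional[str]:
    """Return 'uFile.uExt' when the response would trigger I-3.3's $CONFIRM, else None."""
    ct = (content_type or "").split(";", 1)[0].strip().lower()
    if ct in EXEMPT_CONTENT_TYPES or not content_disposition:
        return None
    name = extract_filename(content_disposition)
    if not name:
        return None
    stem, ext = split_extension(name)
    return f"{stem}.{ext}" if ext in SUSPICIOUS_EXTENSIONS else None


# Constructed sample response headers (not captured traffic).
SAMPLE_RESPONSES = [
    ("application/octet-stream", 'attachment; filename="invoice.pdf.exe"'),
    ("application/octet-stream", "attachment; filename=setup.EXE"),
    ("application/octet-stream", "attachment; filename*=UTF-8''r%C3%A9sum%C3%A9.scr"),
    ("application/pdf", 'attachment; filename="report.pdf"'),
    ("text/html; charset=utf-8", 'attachment; filename="page.hta"'),
    ("image/png", None),
]

if __name__ == "__main__":
    for ctype, cdisp in SAMPLE_RESPONSES:
        verdict = check_download(ctype, cdisp)
        print(f"{ctype!r:32} {cdisp!r:55} -> {verdict or 'pass'}")
```

The fifth sample shows the consequence of the content-type exemption: a response labelled text/html that still carries an attachment filename is never examined, because both headers come from the server. The Proxomitron filter then asks the user via $CONFIRM; here the caller simply receives the "uFile.uExt" string that prompt would display.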


Messages In This Thread
RE: Catch Suspicious Extensions [April 21, 2008] - Guest - Aug. 27, 2008, 09:21 PM
RE: Catch Suspicious Extensions [January 11, 2009] - turtle - Feb. 13, 2009 11:18 PM