Security / Security/Malicious code filters?
« on: July 13, 2002, 08:21:45 PM »
These are the ones I know about. Which ones are still needed?
[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill script URL exploits (Out)"
URL = "*<(script|object|applet)*"
Replace = "Script killedk"
In = TRUE
Out = FALSE
Key = "Content-Disposition: [IE Exploit] Reveal Attached Filename (in)"
Match = "*filename=$AV(1&(^*%00*))*"
Replace = "filename=1"
In = TRUE
Out = FALSE
Key = "Content-Type: [IE Exploit] Application/Force-Download (in)"
Match = "(*|(^?))&$IHDR(Content-Disposition:*filename=*)"
Replace = "application/force-download"
In = FALSE
Out = TRUE
Key = "Nimda Killer"
URL = "*readme.eml"
Replace = "k"
[Patterns]
Name = "IE5/Opera Exploit (IMG SRC)"
Active = TRUE
URL = "$TYPE(htm)"
Bounds = "<imgs*>"
Limit = 1200
Match = "*src="(file:|shell:|gopher:)*"
Name = "IE5 Exploit (FORM Big Size Input)"
Active = TRUE
URL = "$TYPE(htm)"
Limit = 1200
Match = "size="[1|2|3|4|5|6|7|8|9]+{3,*}"
Name = "Defuse "While-Loop" Browser Bombs"
Active = TRUE
Limit = 64
Match = "while ( true )"
Replace = "
<!-- PROX: Defused Potential While Loop Browser Bombs -->
"
"if (true)"
Name = "Defuse "Form Action+" Browser MailBombs"
Active = TRUE
URL = "$TYPE(htm)"
Bounds = "<forms*>"
Limit = 512
Match = "<Form 1 action=("|)mailto:("|) + ("|)(w)3 4"
Replace = "
<!-- PROX: Defused a "Form Action+" Browser MailBomb -->
"
"<Form 1 action="mailto:3 4"
Name = "Replace Internet Explorer Gopher links with warning of IE bug"
Active = TRUE
Bounds = "<a*>"
Limit = 256
Match = "<a*HREF=*gopher://*>"
Replace = "<font size=2 color=red>"
"[Gopher link removed:<font><font size=1 color=red>"
" Thanks to an Internet Explorer bug, this Gopher link may be"
[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill script URL exploits (Out)"
URL = "*<(script|object|applet)*"
Replace = "Script killedk"
In = TRUE
Out = FALSE
Key = "Content-Disposition: [IE Exploit] Reveal Attached Filename (in)"
Match = "*filename=$AV(1&(^*%00*))*"
Replace = "filename=1"
In = TRUE
Out = FALSE
Key = "Content-Type: [IE Exploit] Application/Force-Download (in)"
Match = "(*|(^?))&$IHDR(Content-Disposition:*filename=*)"
Replace = "application/force-download"
In = FALSE
Out = TRUE
Key = "Nimda Killer"
URL = "*readme.eml"
Replace = "k"
[Patterns]
Name = "IE5/Opera Exploit (IMG SRC)"
Active = TRUE
URL = "$TYPE(htm)"
Bounds = "<imgs*>"
Limit = 1200
Match = "*src="(file:|shell:|gopher:)*"
Name = "IE5 Exploit (FORM Big Size Input)"
Active = TRUE
URL = "$TYPE(htm)"
Limit = 1200
Match = "size="[1|2|3|4|5|6|7|8|9]+{3,*}"
Name = "Defuse "While-Loop" Browser Bombs"
Active = TRUE
Limit = 64
Match = "while ( true )"
Replace = "
<!-- PROX: Defused Potential While Loop Browser Bombs -->
"
"if (true)"
Name = "Defuse "Form Action+" Browser MailBombs"
Active = TRUE
URL = "$TYPE(htm)"
Bounds = "<forms*>"
Limit = 512
Match = "<Form 1 action=("|)mailto:("|) + ("|)(w)3 4"
Replace = "
<!-- PROX: Defused a "Form Action+" Browser MailBomb -->
"
"<Form 1 action="mailto:3 4"
Name = "Replace Internet Explorer Gopher links with warning of IE bug"
Active = TRUE
Bounds = "<a*>"
Limit = 256
Match = "<a*HREF=*gopher://*>"
Replace = "<font size=2 color=red>"
"[Gopher link removed:<font><font size=1 color=red>"
" Thanks to an Internet Explorer bug, this Gopher link may be"