Catch Suspicious Extensions [January 11, 2009]
Jan. 12, 2009, 05:50 PM
Post: #12
RE: Catch Suspicious Extensions [January 11, 2009]
I like these filters Kye-U, many thanks for them.

And now let's try to improve them.

Analyzing the code of the first filter:

- "$URL(http://": is ftp covered by the other filter?
- *.(^([a-z]+{2,4})(^/))*. looks for an extension of only letters (no numbers) between 2 and 4 chars. The detection of the extension gives false positives in links like http://host1/clear.gif?url=host2/cbs.com
  Example here: http://www.cbs.com/primetime/big_bang_th...=true&cc=2
  I recommend some code like (\1\?*|\1) or using \p for taking the real extension and later testing it.

One modification for the first filter:

Code:
Match = "$SET(url=\p)$TST(url=*.(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c)))$LOG(R$DTM(c): Suspicious extension in \h\p)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\n\u\n)"

And one question: now both filters are for incoming connections, why do we use 2 filters? Could we join them?
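As an added illustration of the false positive described in the post above (this is not code from the thread or from Proxomitron), the Python below puts an approximation of the whole-URL extension check next to a path-only check of the kind the \p variable gives, using the extension list from the posted filter. The regular expression, the helper names and the sample URLs are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Extension list expanded from the nested alternation in the filter posted above.
SUSPICIOUS_EXTENSIONS = {
    "hta", "eml", "exe", "hlp", "jse", "lnk", "url", "bas", "bat", "com", "cmd",
    "vbe", "vbs", "vb", "scr", "shs", "pif", "pcd", "ade", "adp", "anr",
    "chm", "cpl", "crt", "ins", "isp", "mdb", "mde", "msc", "msi", "msp", "mst",
    "wsf", "wsh", "wsc",
}

# Approximation (assumption, not the filter's exact semantics) of the original
# pattern: a dot followed by 2-4 letters, not continued by a letter or "/",
# searched over the WHOLE URL, query string included.
_NAIVE_EXT = re.compile(r"\.([a-z]{2,4})(?![a-z/])", re.IGNORECASE)


def naive_extensions(url: str) -> list:
    """All dotted 2-4 letter tokens found anywhere in the URL (whole-URL scan)."""
    return [m.lower() for m in _NAIVE_EXT.findall(url)]


def naive_is_suspicious(url: str) -> bool:
    """Whole-URL check: true if any token, even one inside ?query=, is on the list."""
    return any(ext in SUSPICIOUS_EXTENSIONS for ext in naive_extensions(url))


def path_extension(url: str):
    """Extension of the last path segment only, ignoring host and ?query
    (assumed to be what Proxomitron's \\p gives the filter to test)."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[-1].lower()
    return ext or None


def path_is_suspicious(url: str) -> bool:
    """Path-only check: the query string can no longer smuggle in a false hit."""
    return path_extension(url) in SUSPICIOUS_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample URLs: the first is the false positive from the post,
    # the others show that the path-only check still catches real downloads.
    samples = [
        "http://host1/clear.gif?url=host2/cbs.com",
        "http://example.test/downloads/setup.exe",
        "http://example.test/setup.exe?sid=42",
        "http://example.test/report.pdf",
        "http://example.test/dir/",
    ]
    for u in samples:
        print(f"{u}\n  whole-URL: {naive_is_suspicious(u)}"
              f"  path-only: {path_is_suspicious(u)} (ext={path_extension(u)})")
```

Run it as a script to see the verdicts side by side: the cbs.com link is flagged only by the whole-URL scan, while setup.exe is flagged by both even when a query string follows it.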