Catch Suspicious Extensions [January 11, 2009]
Feb. 12, 2009, 12:23 PM
Post: #18
RE: Catch Suspicious Extensions [January 11, 2009]
I end my hijack, sorry Kye-U

Place this filter after the URL-Parser, rename it if needed
Code:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "! :I_1 Fixing uFile and uExt from Content-Disposition {ln}090318·"
Match = "$IHDR(Content-Disposition:  attachment;*filename=$AV(\0)*) $TST(\0=(([^.]+.)+)\1([^.]+)\2) $TST(\1=\3.(^?))$SET(uFile=\3)$SET(uExt=\2)"
Replace = "$TST(keyword=*.i_level\:[5].*)$LOG(!C$DTM(c),!I_1 Fixing uFile and uExt from Content-Disposition:  uFile=$GET(uFile)  uExt=$GET(uExt))"

And the suspicious filters can now be reduced to only one filter
Code:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "URL :I-3.3 URL-Killer: Catch Suspicious Extensions {ku,ln}090214 WIP"
URL = "(^$IHDR(Content-Type: *text/(html|javascript)*))"
Match = "$TST(uExt=(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e|p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c)))$LOG(R$DTM(c),I-3.3 Suspicious extension in \h\p)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\u\n\nFile=$GET(uFile).$GET(uExt)\n)"
Replace = "\k"
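As an added illustration (not part of lnminente's post or of Proxomitron itself), the logic of the two filters above transcribed into Python: derive uFile/uExt from the Content-Disposition header by splitting at the last dot, skip text/html and text/javascript bodies as the negated Content-Type test does, and flag extensions on the same list. The header dictionaries and filenames in the test are constructed for the example.

```python
import re
from typing import Optional

# Extension list transcribed from the filter's $TST(uExt=...) alternation.
SUSPICIOUS_EXTS = {
    "hta", "eml", "exe", "hlp", "jse", "lnk", "url", "bas", "bat", "com", "cmd",
    "vbe", "vbs", "vb", "scr", "shs", "pif", "pcd", "ade", "adp", "anr", "chm",
    "cpl", "crt", "ins", "isp", "mdb", "mde", "msc", "msi", "msp", "mst",
    "wsf", "wsh", "wsc",
}

# filename="quoted value" or filename=bare-token, like the filter's $AV(\0).
_FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)


def split_filename(disposition: str) -> Optional[tuple[str, str]]:
    """Return (uFile, uExt) from a Content-Disposition value.

    Mirrors $TST(\\0=(([^.]+.)+)\\1([^.]+)\\2): everything before the last dot
    is the name, the final segment is the extension, so "report.pdf.exe" gives
    ("report.pdf", "exe"). Returns None for non-attachments, missing filenames,
    or names without a stem and extension.
    """
    if not disposition.lower().lstrip().startswith("attachment"):
        return None
    m = _FILENAME_RE.search(disposition)
    if not m:
        return None
    name = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
    if "." not in name.strip("."):  # "README" or ".exe" alone: no stem+ext pair
        return None
    stem, _, ext = name.rpartition(".")
    return stem, ext


def is_suspicious_download(headers: dict[str, str]) -> bool:
    """Apply the second filter's decision to a response header set (constructed
    dict, header name -> value): ignore HTML/JavaScript bodies, then flag when
    the derived extension is on the list (case-insensitive, as Proxomitron is)."""
    ctype = headers.get("Content-Type", "").lower()
    if ctype.startswith("text/html") or ctype.startswith("text/javascript"):
        return False
    parts = split_filename(headers.get("Content-Disposition", ""))
    if parts is None:
        return False
    return parts[1].lower() in SUSPICIOUS_EXTS
```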
Messages In This Thread
RE: Catch Suspicious Extensions [April 21, 2008] - Guest - Aug. 27, 2008, 09:21 PM
RE: Catch Suspicious Extensions [January 11, 2009] - lnminente - Feb. 12, 2009 12:23 PM