(Feb. 12, 2009 12:23 PM)lnminente Wrote: I end my hijack, sorry Kye-U
Place this filter after the URL-Parser, rename it if needed
Code:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "URL :I-0.1 Fixing uExt and uFile from Content-Disposition {ln}090130"
Match = "$IHDR(Content-Disposition: * filename=\1.(\w)\2 *)$SET(uFile=\1) $SET(uExt=\2) $TST(keyword=*.i_level\:[5].*)$LOG(C$DTM(c),I-0.1 Fixing uExt and uFile from Content-Disposition uFile=$GET(uFile) uExt=$GET(uExt))"
And the suspicious filters can be now resumed to only one filter
Code:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "URL :I-3.3 URL-Killer: Catch Suspicious Extensions {ku,ln}090131 WIP"
URL = "(^$TST(ContentType=*text/(html|javascript)*))"
Match = "$TST(uExt=(hta|e(ml|xe)|hlp|jse|lnk|url|ba(s|t)|c(om|md)|vb(e|s|)|s(cr|hs)|p(if|cd)|a(d(e| p)|nr)|c(hm|pl|rt)|i(ns|sp)|m(d(b|e)|s(c|i|p|t))|ws(f|h|c)))$LOG(R$DTM(c),I-3.3 Suspicious extension in \h\p)$CONFIRM(SUSPICIOUS FILE EXTENSION FOUND\n\nBlock connection to the URL below?\n\u\n\nFile=$GET(uFile).$GET(uExt)\n)"
Replace = "\k"
lnminente,
Does this filter need to be fixed for the new sidki config file ..................... "! |||||||||||| URL :"
Charlie