SOSITCS
Message 1 of 3

SAE 3.5 Prohibit List URL Patterns

While reviewing McAfee Labs Threat Advisories, they offer URL Patterns to block known exploit sites, but I'm not sure how to enter the following into the Prohibit Site Policy:

Also, this exploit kit uses unique URL patterns for downloading the payloads.

• hxxp://[domain name]/[Random characters and numbers]/jorg.html

• hxxp://[domain name]/[Random characters and numbers]/jlnp.html

• hxxp://[domain name]/[Random characters and numbers]/pdfx.html

• hxxp://[domain name]/[Random characters and numbers]/fnts.html

• hxxp://[domain name]/[Random characters and numbers]/jovf.html

Should I make an entry such as:

/jorg.html

Since this exploit is pulling malicious code from compromised web servers, the domain name can be anything.

Thanks,

Accepted Solutions
Former Member
Message 2 of 3

Re: SAE 3.5 Prohibit List URL Patterns

I was looking for the same answer. From what the SAE documentation states, however, it appears we cannot use SAE to prohibit site access to these html pages.

The reason is SAE breaks a URL into two parts (domain and path) with the domain being hxxp://[domain name] (everything before the first slash) and the path being everything after the first slash (e.g. /[Random characters and numbers]/[filename].html).

As a result the pattern would need to be /[Random characters and numbers]/[filename].html and SAE patterns don't accept wildcards. So because the first part is a random alphanumeric we can't make a pattern to block it. This seems to be a shortcoming of SAE (the pattern format is far too strict or there's no way to tell it to look at the end of the path instead of starting from the beginning).

I'm going to see if another group can add a pattern to the WebWasher and hope its pattern recognition isn't as strict.
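
The limitation described in this answer, as an added example that is not part of the original post and not McAfee product code: a Python sketch that splits a URL into domain and path, shows why the literal entry /jorg.html cannot match the advisory's pattern, and checks the end of the path instead, for instance when reviewing proxy logs. The prefix-matching model of SAE, the function names and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Page names listed in the advisory quoted in the question.
PAYLOAD_PAGES = ("jorg", "jlnp", "pdfx", "fnts", "jovf")

# Whole path = one random alphanumeric directory + one of the listed pages.
TAIL_RE = re.compile(r"^/[A-Za-z0-9]+/(?:%s)\.html$" % "|".join(PAYLOAD_PAGES))


def split_url(url):
    """Split a URL into (domain, path) at the first slash after the host."""
    parts = urlsplit(url)  # also parses defanged hxxp:// URLs
    return parts.netloc.lower(), parts.path or "/"


def literal_prefix_match(url, pattern):
    """Assumed, simplified model of a wildcard-free pattern that is
    compared with the path starting from its beginning."""
    return split_url(url)[1].startswith(pattern)


def tail_match(url):
    """True when the path has the shape /<random>/<listed page>.html."""
    return TAIL_RE.match(split_url(url)[1]) is not None


def flag(urls):
    """Return the URLs whose path matches the advisory's pattern."""
    return [u for u in urls if tail_match(u)]


# Constructed sample requests (not real indicators).
SAMPLE_LOG = [
    "hxxp://site-a.example/x7Kq29bZ/jorg.html",   # advisory shape
    "hxxp://site-b.example/0aB3/pdfx.html?id=1",  # advisory shape + query
    "hxxp://site-c.example/jorg.html",            # no random directory
    "hxxp://site-d.example/docs/help/fnts.html",  # two directories deep
    "hxxp://site-e.example/Zz91/index.html",      # unrelated page name
]

if __name__ == "__main__":
    for url in SAMPLE_LOG:
        print(url,
              "| literal /jorg.html:", literal_prefix_match(url, "/jorg.html"),
              "| tail match:", tail_match(url))
```
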

SOSITCS
Message 3 of 3

Re: SAE 3.5 Prohibit List URL Patterns

You are correct about the wildcard issue and I had forgotten about that. I'm starting to think I might need to research another solution.