block double HTTP 302 redirects

Is there a way to have mwg7 immediately block the response if it sees two HTTP 302 redirects in a row?  Here's the scenario:

  1. A user is casually browsing the internet.
  2. Without being aware of it, they come across a malicious or compromised web site which does an HTTP 302 redirect to another site
  3. That site in question does yet another HTTP 302 redirect to another site
  4. The final site (I've sometimes even seen a third redirect) is the one that delivers the malicious exploit

Although HTTP 302 redirects have their purpose on legit web sites, 2 or more redirects in a row is immediately suspicious to me and warrants either outright blocking or a more aggressive filtering policy to be applied.

See the flowchart here for more details on this infection technique: http://nakedsecurity.sophos.com/2012/07/05/pseudo-random-domain-name-generation-and-blackhole/

4 Replies

Re: block double HTTP 302 redirects

I think this would be a bad idea. I see quite a lot of sites that use multiple 302s. For example sourceforge uses them for the download links.

Tris

cnewman

Re: block double HTTP 302 redirects

I would also add that a lot of analytics use redirects. Not google, but some of the other trackers, and while it might be nice from a privacy standpoint, it may also keep a page from loading at all.

That said, the problem you would have in making a ruleset for this is that all redirects entail a new request and a new 'transaction'. We don't keep a state table for separate requests for the same user/client ip address.

I would say that it's probably theoretically possible, but ill-advised.

--CN

Re: block double HTTP 302 redirects

We don't keep a state table for separate requests for the same user/client ip address.

Yeah that's what I wasn't sure of.  I couldn't think of how things would be properly tracked through multiple cycles, but wasn't sure if there was a technique that handles this.  This answers my question.

Re: block double HTTP 302 redirects

Good point, but what if I did this only for uncategorized or unverified sites?
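As an added example, not code from this thread or from McAfee Web Gateway, here is a small Python detector for the scenario in the question. It keeps the per-client state table that the reply above says the product does not keep: a 302 extends a chain only when the client's next request is exactly the URL the previous 302 pointed to and arrives within a short window, so an unrelated redirect the user clicked on later does not count, and stale entries expire. Because the alert fires on the second consecutive 302 response, a policy built on it could block that response before the client ever fetches the final site. It can also be restricted to chains that touch an uncategorized site, as the last reply suggests. The log layout, hostnames, category names and timing window are all constructed assumptions for the example, not a real proxy log format.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urljoin

# Constructed sample proxy log (an assumption for this example, not a real
# McAfee Web Gateway log format). One line per transaction:
#   epoch_seconds client_ip status request_url url_category response_location
# '-' stands for an absent Location header. Four clients are interleaved:
#   10.0.0.5  news site -> tracker -> landing page (two 302s in a row)
#   10.0.0.7  a single download redirect (legitimate, one 302)
#   10.0.0.9  a 302 followed 30 s later, outside the window
#   10.0.0.11 two 302s in a row between categorized sites
SAMPLE_LOG = """\
100 10.0.0.5 302 http://news.example.com/story News http://tracker.example.net/r?id=1
100 10.0.0.7 302 http://sf.example/projects/tool/download Software http://mirror.example/tool.zip
100 10.0.0.9 302 http://a.example/ Business http://b.example/
100 10.0.0.11 302 http://shop.example/deal Shopping http://promo.example/x
101 10.0.0.5 302 http://tracker.example.net/r?id=1 Uncategorized http://landing.example.org/go
101 10.0.0.7 200 http://mirror.example/tool.zip Software -
101 10.0.0.11 302 http://promo.example/x Shopping /y
102 10.0.0.5 200 http://landing.example.org/go Uncategorized -
130 10.0.0.9 302 http://b.example/ Business http://d.example/
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\d{3}) (\S+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Transaction:
    ts: int
    client: str
    status: int
    url: str
    category: str
    location: str | None


def parse_line(line: str) -> Transaction:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, client, status, url, category, location = m.groups()
    return Transaction(int(ts), client, int(status), url, category,
                       None if location == "-" else location)


@dataclass
class ChainState:
    expected_url: str        # absolute URL the previous 302 sent the client to
    hops: int                # consecutive 302 responses followed so far
    last_ts: int
    urls: list[str]          # URLs that answered with a 302, in order
    categories: list[str]    # category of each of those URLs


class RedirectChainDetector:
    """Per-client state table; this is the piece the proxy itself lacks."""

    def __init__(self, max_hops: int = 2, window: int = 10,
                 only_uncategorized: bool = False) -> None:
        self.max_hops = max_hops
        self.window = window              # seconds a pending redirect stays live
        self.only_uncategorized = only_uncategorized
        self._state: dict[str, ChainState] = {}

    def observe(self, t: Transaction) -> dict | None:
        """Feed one transaction; return an alert dict when a chain reaches max_hops."""
        prev = self._state.pop(t.client, None)
        # Only 302 with a Location header continues or starts a chain; any other
        # status (200, 301, 307, ...) ends whatever this client had pending.
        if t.status != 302 or not t.location:
            return None
        target = urljoin(t.url, t.location)   # resolves relative Location values
        continuing = (prev is not None and t.url == prev.expected_url
                      and t.ts - prev.last_ts <= self.window)
        if continuing:
            state = ChainState(target, prev.hops + 1, t.ts,
                               prev.urls + [t.url], prev.categories + [t.category])
        else:
            state = ChainState(target, 1, t.ts, [t.url], [t.category])
        self._state[t.client] = state
        if state.hops < self.max_hops:
            return None
        # Optional narrowing from the last reply: only act when some site in the
        # chain is uncategorized (category name is an assumption of this example).
        if self.only_uncategorized and "Uncategorized" not in state.categories:
            return None
        return {"client": t.client, "hops": state.hops,
                "chain": state.urls + [target]}


def find_chains(log_text: str, **kwargs) -> list[dict]:
    """Run the detector over a whole log and collect the alerts in order."""
    detector = RedirectChainDetector(**kwargs)
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = detector.observe(parse_line(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for mode in (False, True):
        print(f"only_uncategorized={mode}:")
        for a in find_chains(SAMPLE_LOG, only_uncategorized=mode):
            print(f"  {a['client']}: {a['hops']} hops via {' -> '.join(a['chain'])}")
```

On the sample log the default policy flags both two-hop chains (10.0.0.5 and 10.0.0.11) while leaving the single download redirect and the out-of-window pair alone; with `only_uncategorized=True` only the tracker chain that passes through an uncategorized site is reported. Matching on the exact URL the previous 302 named, rather than on "any two 302s from the same address", is what keeps a user who happens to hit two unrelated redirecting links in a row from tripping the rule.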
