Is there a way to have mwg7 immediately block the response if it sees two HTTP 302 redirects in a row? Here's the scenario:
Although HTTP 302 redirects have their purpose on legit web sites, 2 or more redirects in a row is immediately suspicious to me and warrants either outright blocking or a more aggressive filtering policy to be applied.
See the flowchart here for more details on this infection technique: http://nakedsecurity.sophos.com/2012/07/05/pseudo-random-domain-name-generation-and-blackhole/
I think this would be a bad idea. I see quite a lot of sites that use multiple 302's. For example sourceforge uses them for the download links.
I would also add a lot of analytics use redirects. Not google, but some of the other trackers, and while it might be nice from a privacy standpoint, it may also keep a page from loading at all.
That said, the problem you would have in making a ruleset for this is that all redirects entail a new request and a new 'transaction'. We don't keep a state table for separate requests for the same user/client ip address.
I would say that it's probably theoretically possible, but ill advised.
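The reply above explains why this is hard to do inline: every redirect is a fresh request, and the gateway keeps no state table linking one client's transactions together. That state table can be built out of band from the proxy's access log, which is where a rule like this is usually tried first. The following is an added example, not McAfee code and not a Web Gateway ruleset; it assumes a hypothetical whitespace-separated log layout of "client timestamp status request-url location" (a constructed sample is embedded) and links a request to the previous redirect only when the request URL equals the Location the same client was just sent to, within a short time window.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log (hypothetical layout, one transaction per line):
#   client  unix_ts  status  request_url  location_header_or_-
SAMPLE_LOG = """\
10.0.0.5 1000 302 http://t.example.net/go?id=7 http://r1.example.org/x
10.0.0.5 1001 302 http://r1.example.org/x http://a8f3k2.example.info/in.php
10.0.0.5 1002 200 http://a8f3k2.example.info/in.php -
10.0.0.9 1000 302 http://sourceforge.example/download/foo.zip http://mirror.example/foo.zip
10.0.0.9 1010 200 http://mirror.example/foo.zip -
10.0.0.5 1200 302 http://x.example/a http://y.example/b
10.0.0.5 1300 302 http://y.example/b http://z.example/c
"""

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
LINE_RE = re.compile(r"^(\S+) (\d+) (\d{3}) (\S+) (\S+)$")


@dataclass
class RedirectState:
    """Per-client memory of the last redirect we saw: where it pointed,
    when, and the URLs of the chain so far."""
    location: str
    ts: int
    hops: List[str]


@dataclass
class Alert:
    client: str
    hops: List[str]   # request URLs of the chain, plus the final Location


def parse_line(line: str) -> Optional[Tuple[str, int, int, str, Optional[str]]]:
    """Parse one constructed log line; returns None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, ts, status, url, loc = m.groups()
    return client, int(ts), int(status), url, (None if loc == "-" else loc)


def find_redirect_chains(log_text: str, threshold: int = 2, window: int = 30) -> List[Alert]:
    """Flag clients that follow `threshold` or more redirects in a row.

    A request continues a chain only if its URL equals the Location of that
    client's previous redirect and arrives within `window` seconds; anything
    else starts a new chain, so unrelated parallel requests are not counted.
    """
    state: Dict[str, RedirectState] = {}
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, ts, status, url, location = rec
        prev = state.get(client)
        continues = prev is not None and url == prev.location and ts - prev.ts <= window

        if status in REDIRECT_STATUSES and location:
            hops = prev.hops + [url] if continues else [url]
            state[client] = RedirectState(location, ts, hops)
            # One alert per hop once the threshold is reached, so longer
            # chains report each additional redirect as well.
            if len(hops) >= threshold:
                alerts.append(Alert(client, hops + [location]))
        elif prev is not None and url == prev.location:
            # The chain ended in real content (or an error); forget it.
            state.pop(client, None)
    return alerts


if __name__ == "__main__":
    for a in find_redirect_chains(SAMPLE_LOG):
        print(a.client, " -> ".join(a.hops))
```

Run against the sample, only the first client's two back-to-back 302s are reported; the single sourceforge-style redirect is not, and the client's later pair of redirects is split by a gap longer than the window, so it is not treated as one chain. The window and threshold are the knobs that decide how many legitimate download and tracker chains show up, which is the trade-off the replies above are pointing at.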
We don't keep a state table for separate requests for the same user/client ip address.
Yeah that's what I wasn't sure of. I couldn't think about how things would be properly tracked through multiple cycles but wasn't sure if there was a technique that handles this. This answers my question.