2 Replies Latest reply on Jul 12, 2013 8:13 AM by SOSITCS

    SAE 3.5 Prohibit List URL Patterns


      While reviewing McAfee Labs Threat Advisories they offer URL Patterns to block known exploit sites, but I'm not sure how to enter the following into the Prohibit Site Policy:


      Also, this exploit kit uses unique URL patterns for downloading the payloads.

      • hxxp://[domain name]/[Random characters and numbers]/jorg.html

      • hxxp://[domain name]/[Random characters and numbers]/jlnp.html

      • hxxp://[domain name]/[Random characters and numbers]/pdfx.html

      • hxxp://[domain name]/[Random characters and numbers]/fnts.html

      • hxxp://[domain name]/[Random characters and numbers]/jovf.html


      Should I make an entry such as:



      Since this exploit is pulling malicious code from compromised web servers, the domain name can be anything.



        • 1. Re: SAE 3.5 Prohibit List URL Patterns

          I was looking for the same answer. From what the SAE documentation states, however, it appears we cannot use SAE to prohibit site access to these html pages.


          The reason is SAE breaks a URL into two parts (domain and path) with the domain being hxxp://[domain name] (everything before the first slash) and the path being everything after the first slash (e.g. /[Random characters and numbers]/[filename].html).


          As a result, the pattern would need to be /[Random characters and numbers]/[filename].html, and SAE patterns don't accept wildcards. So because the first part is a random alphanumeric, we can't make a pattern to block it. This seems to be a shortcoming of SAE (the pattern format is far too strict or there's no way to tell it to look at the end of the path instead of starting from the beginning).


          I'm going to see if another group can add a pattern to the WebWasher and hope its pattern recognition isn't as strict.

          • 2. Re: SAE 3.5 Prohibit List URL Patterns

            You are correct about the wildcard issue, and I had forgotten about that. I'm starting to think I might need to research another solution.
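
An added example, not part of the thread and not SAE or WebWasher code: it models the domain/path split described in reply 1 and shows what a matcher needs in order to flag the advisory's URLs in a list of requested URLs (for instance, exported from proxy logs). It assumes "[Random characters and numbers]" means a single alphanumeric path segment; the function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Page names taken from the advisory excerpt quoted in the question.
PAYLOAD_PAGES = ("jorg", "jlnp", "pdfx", "fnts", "jovf")

# Assumption: the random part is exactly one alphanumeric path segment.
ADVISORY_PATH = re.compile(r"/[A-Za-z0-9]+/(?:%s)\.html" % "|".join(PAYLOAD_PAGES))


def split_url(url):
    """Split a URL into (domain, path), the two parts reply 1 describes."""
    parts = urlsplit(url)
    return parts.hostname or "", parts.path or "/"


def literal_prefix_match(path, pattern):
    """Model of a wildcard-free pattern compared from the start of the path."""
    return path.startswith(pattern)


def advisory_match(url):
    """True when the path fits the advisory pattern, whatever the domain is."""
    domain, path = split_url(url)
    return bool(domain) and ADVISORY_PATH.fullmatch(path) is not None


def scan(urls):
    """Return the URLs that fit the advisory pattern, in input order."""
    return [u for u in urls if advisory_match(u)]


# Constructed sample of requested URLs (not real indicators).
SAMPLE_URLS = [
    "http://site-a.example/a8f3k2q9/jorg.html",
    "http://site-b.example/Zx91LmP0/pdfx.html",
    "http://site-c.example/docs/index.html",        # ordinary page
    "http://site-d.example/jovf.html",              # no random segment
    "http://site-e.example/q1w2e3/sub/fnts.html",   # two segments, not one
    "http://site-f.example/q1w2e3/jovf.html?id=7",  # query string is not part of the path
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_URLS):
        print("advisory pattern:", hit)
    # A literal "/jorg.html" compared from the start of the path never lines up,
    # because the random segment comes first.
    path = split_url(SAMPLE_URLS[0])[1]
    print("literal prefix match:", literal_prefix_match(path, "/jorg.html"))
```
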