0 Replies Latest reply on Jan 19, 2015 3:09 PM by malware-alerts

    HTML Opener - Can we use different elements in a condition?


      Trying to do something real basic, but unfortunately I seem too dumb to get around to making it work.


      I would like to use the HTML opener to extract the SCRIPT tag and the FORM tag and use both in a condition in order to show a block page when a certain combination of keywords & HTML attributes is present.


      For example:


      HTML Opener "TEST":

      script  -- Only open start tags = FALSE

      form -- Only open start tags = TRUE



      Top level Rule "Warning to users"

      Criteria: Connection.Protocol = HTTP


          1. Enable HTML Opener "TEST"
          2. body.text does not match "*username*" & body.text does not match "*password*"
            • Action: Stop RuleSet
          3. HTMLElement.Attribute "METHOD" matches "POST" & HTMLElement.Attribute "ACTION" does not match "https://*"
            • Action: Block + show block page "Credentials sent over HTTP"



      This doesn't work the way I would like it to work. What basically happens when I look at the rule tracing is that the ruleset will first trigger on step 2 of the ruleset for the SCRIPT tag (combination of 'username' and 'password') but then when it evaluates the "HTMLElement.Attribute", it returns false because the current tag being evaluated is still the SCRIPT tag.


      I would basically like to figure out a way to show a block page to the users when a page seems to be asking for credentials (username/password) with a form POST that is not over HTTPS. There are plenty of examples of phishing websites that will use a simple HTTP page asking the users for their credentials and then submit using a form POST over HTTP and unfortunately a lot of users fall for these basic phishing scams...
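
The check the post is after, evaluated per form instead of per tag, as an added example that is not part of the original post and is not Web Gateway rule syntax. It assumes a password-type input (rather than keyword matching) marks a credential form; the class and function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class CredentialFormFinder(HTMLParser):
    """Keep state per <form> so method, action and password fields are judged together."""
    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.current = None   # facts about the form currently open, or None
        self.findings = []    # resolved action URLs of flagged forms

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._close_form()  # tolerate a previous form that was never closed
            self.current = {
                "method": a.get("method", "get").strip().lower(),
                # A relative or empty action inherits the scheme of the page itself.
                "action": urljoin(self.page_url, a.get("action", "").strip()),
                "has_password": False,
            }
        elif tag == "input" and self.current is not None:
            if a.get("type", "text").strip().lower() == "password":
                self.current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._close_form()

    def _close_form(self):
        f, self.current = self.current, None
        if (f and f["has_password"] and f["method"] == "post"
                and urlparse(f["action"]).scheme != "https"):
            self.findings.append(f["action"])

def insecure_credential_forms(html, page_url):
    """Return action URLs of POST forms with a password field that do not submit over HTTPS."""
    parser = CredentialFormFinder(page_url)
    parser.feed(html)
    parser.close()
    parser._close_form()  # form still open at end of document
    return parser.findings

# Constructed sample page: the keywords appear in a SCRIPT tag, the risky attributes in a FORM.
SAMPLE = """<html><script>var hint = "username password";</script>
<form method="POST" action="/login.php"><input name="username">
<input type="password" name="password"></form>
<form method="post" action="https://sso.example.test/login"><input type="password" name="p"></form>
<form method="get" action="/search"><input name="q"></form></html>"""

if __name__ == "__main__":
    print(insecure_credential_forms(SAMPLE, "http://portal.example.test/index.html"))
```

Only the first form is reported: the SCRIPT text is ignored, the second form posts to HTTPS, and the third has no password field.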