Netscreen Malicious URL - how to?

From: Purl Gurl (purlgurl_at_purlgurl.net)
Date: 05/22/04


Date: Sat, 22 May 2004 09:41:28 -0700

I am having difficulties setting a user defined
malicious url entry for a Netscreen 5 series
firewall appliance.

No problems making the entries, have some working
just fine, or seems so. However, I am having problems
with an URL which contains a tilde ~ in the URL address.

An example "pretend" firewall entry,

 GET /~USERNAME/SOMEPAGE.HTML

My firewall would show an entry,

User defined URL Protection: On
    id: TEST, pattern: GET /~USERNAME/SOMEPAGE.HTML, length: 28

I have also tried this with URL encoded %7e to replace the tilde,

User defined URL Protection: On
    id: TEST, pattern: GET /~USERNAME/SOMEPAGE.HTML, length: 28
    id: TEST2, pattern: GET /%7EUSERNAME/SOMEPAGE.HTML, length: 30

Anyone have any thoughts on why Netscreen cannot capture
those pattern matches? Is it the ~ tilde causing problems?

Those entries do work for both inbound and outbound, correct?
There are no notes on this inbound versus outbound. Otherwords,
if somebody out on the internet requests that specific URL
on our server, it would be blocked? Does this need to be
linked to the "untrusted" side policy?

I have tested those types of entries by connecting to an
external proxy server then coming back into our server.
Darn if I don't pass right on through!

All comments, regardless of how seemingly unimportant,
are greatly appreciated. I have been researching this
for several weeks and cannot turn up a single reference
source which addresses this _specific_ problem. I have
tons of pdf files for Netscreen, have spent hours going
through them, but nada! Netscreen, which is now another
company, no longer offers support for older products.

Your input is greatly valued!

Thanks,

Purl Gurl



Relevant Pages

  • Re: Stumped! duplicate entry wont go away!
    ... In both IE7 and FF2 I see 2 both locally and off the server. ... I see to entries for I'm Movin' On but I do not think they are ... shows only one entry while the page displays two. ...
    (alt.html)
  • Thousands of Event Log Entries
    ... I've got a Windows 2003 Server, Standard Edition, ... These 13 entries then keep appearing 24/7, ... EventID 538 entry: ...
    (microsoft.public.windows.server.general)
  • Re: RSS question
    ... But when I uploaded the updated .XML that only has one entry, ... RSS feed entries are like Usenet posts, ... regardless of what happens on the server. ... cleared out old messages from those readers. ...
    (alt.html)
  • Re: Pocket EMP device with a disposable cameras flash?
    ... within the shortest time bandwidth allows. ... You should perhaps set up a tar-pit: redirect to a virtual server serving ... There are now 270 entries in the ipchains firewall. ...
    (sci.electronics.design)
  • Re: How to determine DS3/T3 bandwidth needs? And a DNS question.
    ... >> you'd get by this measure is to write a program to convert your server ... Divide the number of entries by 20, and take the entry ... So if you had 100 entries, ...
    (comp.os.linux.networking)