Re: Netscreen Malicious URL - how to?
From: Purl Gurl (purlgurl_at_purlgurl.net)
Date: 05/23/04
- In reply to: Purl Gurl: "Netscreen Malicious URL - how to?"
Date: Sun, 23 May 2004 09:01:12 -0700
Purl Gurl wrote:
(snipped)
> I am having difficulties setting a user defined
> malicious url entry for a Netscreen 5 series
> firewall appliance.
> An example "pretend" firewall entry,
> GET /~USERNAME/SOMEPAGE.HTML
> Anyone have any thoughts on why Netscreen cannot capture
> those pattern matches? Is it the ~ tilde causing problems?
Some additional information on this which is pleasing.
First, my thanks to Scott for his feedback and for
pointing me to the Netscreen discussion forum. There,
I was and am able to glean a lot of great information.
Actually found two references to malicious URL usage.
Use of a tilde with Netscreen does work. Initially,
this did not appear true because of flawed testing.
My testing was flawed because I forgot many public proxy
servers are caching servers. Initially, I tested access
to my tilde type URL through a proxy server _without_
a Netscreen entry to verify access. This was accomplished.
Next, I made my Netscreen entry to block access to this
URL with a tilde in the path. I was able to access this
tilde path, no problems. I made an assumption use of
a tilde is not recognized by Netscreen.
What truly happened is the proxy server I used for external
access to avoid local LAN access, uses a cache. Access is
and was denied by Netscreen so the proxy server provided
a cache copy of the page, or my browser was instructed to
pull up a cache copy. Not sure which; still testing.
Closing my browser, manually deleting all cache files,
using a different proxy, yielded positive results for
a tilde type URL block by Netscreen.
My final result is use of two Netscreen entries. One
with an ASCII tilde, another with a URL encoded tilde.
/~username/somefile.html
/%7Eusername/somefile.html
However, I have discovered two methods to defeat those
Netscreen entries. One method is well documented for
older Netscreen operating systems and is a very difficult
method to employ.
The other method, which is not documented, was stumbled upon
quite by accident, and quite the surprise. However, this method
which is not documented, requires rather odd circumstances,
which are generated by your own server and is a result of
server internal redirection, which is beyond the scope and
ability of Netscreen and almost all external firewalls.
Be careful how you test your methods and assumptions!
Clearly I became caught up in assumptions based upon
forgetting how many proxy servers behave and forgetting
a browser cache will load, in lieu of an error message
caused by a lack of http protocol via some proxy servers.
Always test your methods and always test your assumptions.
* makes a mental note to practice what she preaches *
Bottom line is I was seeing cache copies without realizing
nor being alerted my access was, in fact, being blocked.
A closing thought, once this article hits the newswire,
Murphy's Law will be invoked and prove me the fool much
to the embarrassment of my ego.
Appreciation is again extended to Scott for providing a
link to wonderful Netscreen information resources.
Purl Gurl - waiting for Murphy to walk in.
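
The testing pitfall described in the message above, as an added example that is not part of the original post: a Python check that inspects the response head from a block test and reports when the page came from a cache, so that a cached copy is not mistaken for a failed firewall rule. The sample responses, the host name proxy.example and all function names are constructed for illustration; X-Cache is a non-standard header that many caching proxies emit, and a proxy that sends none of these markers cannot be detected this way.

```python
from email.parser import Parser

# Request headers asking caches to go back to the origin (HTTP/1.1 and 1.0).
NO_CACHE_REQUEST_HEADERS = {"Cache-Control": "no-cache", "Pragma": "no-cache"}

# Constructed sample response heads (not captured traffic).
CACHED_SAMPLE = ("HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nAge: 1843\r\n"
                 "X-Cache: HIT from proxy.example\r\n\r\n<html>...</html>")
FRESH_SAMPLE = ("HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nAge: 0\r\n"
                "X-Cache: MISS from proxy.example\r\n\r\n<html>...</html>")
TIMEOUT_SAMPLE = ("HTTP/1.0 504 Gateway Timeout\r\n"
                  "X-Cache: MISS from proxy.example\r\n\r\n")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    return status, Parser().parsestr(header_block, headersonly=True)


def cache_evidence(raw):
    """List the header markers showing the response was served from a cache."""
    _, headers = parse_response(raw)
    reasons = []
    age = (headers.get("Age") or "").strip()
    if age.isdigit() and int(age) > 0:
        reasons.append("Age: " + age)  # seconds the copy has sat in a cache
    for value in headers.get_all("X-Cache", []):
        parts = value.split()
        if parts and "HIT" in parts[0].upper():
            reasons.append("X-Cache: " + value.strip())
    for value in headers.get_all("Warning", []):
        parts = value.split()
        # 110 = response is stale, 111 = revalidation with the origin failed
        if parts and parts[0] in ("110", "111"):
            reasons.append("Warning: " + value.strip())
    return reasons


def block_test_verdict(raw):
    """Classify one test fetch of a URL the firewall is supposed to block."""
    status, _ = parse_response(raw)
    if cache_evidence(raw):
        return "inconclusive: served from cache"
    if status == 200:
        return "page fetched, no cache markers"
    return "no page returned (status %d)" % status
```

Sending NO_CACHE_REQUEST_HEADERS with the test request, from a client whose own cache has been cleared, reduces the chance of an inconclusive result in the first place.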