[isalist] New Blocking script on isatools.org

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 25 Jun 2010 08:57:57 -0700

http://jim.isatools.org/tools/block_hcp.vbs

 

It works on ISA 2004, ISA 2006, TMG MBE and TMG 2010

It creates HTTP Signatures in any access rule that includes HTTP.

These signatures are:

HCP-1: Search in: Response body, Format: Text, Byte range: 1 - 100, Pattern: hcp://

HCP-2: Search in: Response body, Format: Text, Byte range: 1 - 100, Pattern: hcp%3A%2F%2F

HCP-3: Search in: Response body, Format: Text, Byte range: 1 - 100, Pattern: hcp%253A%252F%252F

HCP-4: Search in: Response headers, HTTP header: location, Pattern: hcp://

HCP-5: Search in: Response headers, HTTP header: location, Pattern: hcp%3A%2F%2F

HCP-6: Search in: Response headers, HTTP header: location, Pattern: hcp%253A%252F%252F

 

No, it doesn't find all permutations of this URL, but most attacks aren't
mounted using all permutations, either.

This will find and reject all HTTPS responses that use these most common
forms.

If you combine this with HTTPS Inspection on TMG, your protection is that
much better.

 

Jim
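
An added sketch, not part of the original post or of block_hcp.vbs: the six signatures listed above modelled in Python, so their coverage can be checked offline against captured responses. It assumes case-insensitive substring matching and that "Byte range: 1 - 100" means the first 100 bytes of the body; the function names and sample responses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    search_in: str               # "body" or "header"
    pattern: bytes
    header: str = ""             # header name, for header signatures
    byte_range: tuple = (1, 100)  # 1-based, inclusive (body signatures)

# The three patterns from the post: plain, URL-encoded, double URL-encoded.
PATTERNS = [b"hcp://", b"hcp%3A%2F%2F", b"hcp%253A%252F%252F"]
SIGNATURES = (
    [Signature(f"HCP-{i + 1}", "body", p) for i, p in enumerate(PATTERNS)]
    + [Signature(f"HCP-{i + 4}", "header", p, header="location")
       for i, p in enumerate(PATTERNS)]
)

def parse_response(raw: bytes):
    """Split a raw HTTP response into ({lowercased header: [values]}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip())
    return headers, body

def matching_signatures(raw: bytes):
    """Return the names of the signatures that would fire on this response."""
    headers, body = parse_response(raw)
    hits = []
    for sig in SIGNATURES:
        if sig.search_in == "body":
            lo, hi = sig.byte_range
            haystacks = [body[lo - 1:hi]]     # only the configured byte range
        else:
            haystacks = headers.get(sig.header, [])
        # Assumption: case-insensitive substring match.
        if any(sig.pattern.lower() in h.lower() for h in haystacks):
            hits.append(sig.name)
    return hits

# Constructed sample responses (not real traffic).
BODY_HIT = b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<a href="hcp://example">x</a>'
REDIRECT_HIT = b"HTTP/1.1 302 Found\r\nLocation: hcp%3A%2F%2Fexample\r\n\r\n"
BENIGN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>hello</p>"

if __name__ == "__main__":
    for label, raw in [("body", BODY_HIT), ("redirect", REDIRECT_HIT), ("benign", BENIGN)]:
        print(label, matching_signatures(raw))
```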
