>..Well I guess you don't like to see someone uses a free alternative... I just wanted to rise awareness how IP based DS entries are applied and can be bypassed. + Our Malware/spyware/phishing DS database will be open i.e. anybody can download it for free and apply to his ISA DS in same way as you did from squidguard.org. -----DON'T READ BELOW THIS LINE AS YOU MIGHT SEE IT AS ADVERTISMENT :)--- Paid will be only live automated updates into your ISA Destination Sets. Reason for this is that sites with exploits/phishing are alive ~<1 week so what matters in protection is also how fast you can get updates. Current example from yesterday: ---------------------------------------------------------------- ebay-verifications.biz added 8.11.2004 (da) ebay phishing with trojan JS Steal ---------------------------------------------------------------- Today this site was already reported and taken off from freedns provider. With our live updates you will be protected sooner by ppl actually using this DS on their ISA servers and not rely on misbehaved site's ISP fast response &willingness. Plus you will be in control .i.e. you can make exceptions in your ISA server for some sites blacklisted which is not possible with some DNS based RBLs.(currently every new entry is manually checked) Best regards David Farinic. P.S>: you don't need to manually remove IP entries I only said that in converter script you use just remove regex expression to test for IP only entries. Another hint: *.sss.com sss.com is not the same therefore your script should also make double entries for example from your list: sexpages.ws www.sexpages.ws will not be blocked if you have only entry sexpages.ws you have to enter also *.sexpages.ws check it out:)(ISA2004) Disclaimer: Described new GfiWebMonitor3 feature is in development stage and can be changed. -----Original Message----- From: Ara [mailto:ara@xxxxxxxxxx] Sent: Tuesday, November 09, 2004 1:13 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: script help please http://www.ISAserver.org Well I guess you don't like to see someone uses a free alternative to your upcoming webmonitor 3 with url category filtering which costs money. I get the point between url and ip destination set, but the file is too big to manually separate them for me. Anyway thank you for help and hint > -----Original Message----- > From: David Farinic [mailto:davidf@xxxxxxx] > Sent: November 8, 2004 3:39 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: script help please > > http://www.ISAserver.org > > First understand in which scenarios IP dest.s. entries would not work. > This was already posted here By TOM: > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/faq-urldomain > namesets.mspx > > I posted this: > ------------------------------------------------------------------------ > - > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/faq-urldomain > namesets.mspx > > Says "- You cannot specify a URL set as an IP address" > > Well works on mine self auto-updating MALWARE URL set OK They probably > meant to say: > > "- If you specify a URL set as an IP address it would be applied to ALL > http proxy requests and to SNAT web redirected http client requests > containing IP address in "Host: " field of http request(i.e. all current > browsers(http 1.1))" > > > Meaning if you will have SNAT client not using proxy connecting > directly and he will query http request for URL containing IP address > with some old browser (~1994) he will get through even when you specify > that IP address in URL set. > > ------------------------------------------------------------------------ > - > > So once you understand if you are "safe" to ad IP DS entries > Just remove part of script which checks for IP only site names > (probably some regex) > BTW I am working right now on similar app(&script) which is updating > Malware DS every 30 min. And definitely IP entries will be present as > well but they will usually expire in 1 year time from time of site > misuse. > > > With Regards DavidF > > -----Original Message----- > From: Ara [mailto:ara@xxxxxxxxxx] > Sent: Sunday, November 07, 2004 12:51 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] script help please > > http://www.ISAserver.org > > Can some one help me with this issue here? > If you go to http://www.squidguard.org/download/ > then there is a link to download blacklisted sites. After extracting you > will get different categories. Let's say you go to porn categories and > there > is a file which has all links. > The problem is they are formatted in a way that only works with squad > guard > installed. As an example, > > 101tits.com/lesbian > 12.105.86.9/amateurlesbians > > I want to convert these to destination sets but it is complaining that > there > shouldn't be any ip in list. Only domains are allowed. > So if someone is good in writing scripts, may I ask to make something > that > deletes line with ip address keeping the one with url's. > > Or > > Script is posted > http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=33;t=000056 > But it gives me hard time. Maybe I am doing something wrong and help is > appreciated > > Thank you > > This mail was checked for malicious code and viruses by GFI MailSecurity. GFI MailSecurity provides email content checking, exploit detection, threats analysis and anti-virus for Exchange & SMTP servers. Viruses, Trojans, dangerous attachments and offensive content are removed automatically. Key features include: multiple virus engines; email content and attachment checking; an exploit shield; an HTML threats engine; a Trojan & Executable Scanner; and more. In addition to GFI MailSecurity, GFI also produces the GFI MailEssentials anti-spam software, the GFI FAXmaker fax server & GFI LANguard network security product ranges. For more information on our products, please visit http://www.gfi.com. This disclaimer was sent by GFI MailEssentials for Exchange/SMTP.