RE: script help please
- From: "David Farinic" <davidf@xxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Tue, 9 Nov 2004 09:59:50 +0100
>..Well I guess you don't like to see someone uses a free alternative...
I just wanted to rise awareness how IP based DS entries are applied and
can be bypassed.
+
Our Malware/spyware/phishing DS database will be open i.e. anybody can
download it for free and apply to his ISA DS in same way as you did from
squidguard.org.
-----DON'T READ BELOW THIS LINE AS YOU MIGHT SEE IT AS ADVERTISMENT
:)---
Paid will be only live automated updates into your ISA Destination Sets.
Reason for this is that sites with exploits/phishing are alive ~<1 week
so what matters in protection is also how fast you can get updates.
Current example from yesterday:
----------------------------------------------------------------
ebay-verifications.biz
added 8.11.2004 (da) ebay phishing with trojan JS Steal
----------------------------------------------------------------
Today this site was already reported and taken off from freedns
provider. With our live updates you will be protected sooner by ppl
actually using this DS on their ISA servers and not rely on misbehaved
site's ISP fast response &willingness. Plus you will be in control .i.e.
you can make exceptions in your ISA server for some sites blacklisted
which is not possible with some DNS based RBLs.(currently every new
entry is manually checked)
Best regards David Farinic.
P.S>: you don't need to manually remove IP entries I only said that in
converter script you use just remove regex expression to test for IP
only entries.
Another hint: *.sss.com sss.com is not the same therefore your script
should also make double entries for example from your list: sexpages.ws
www.sexpages.ws will not be blocked if you have only entry sexpages.ws
you have to enter also *.sexpages.ws check it out:)(ISA2004)
Disclaimer: Described new GfiWebMonitor3 feature is in development stage
and can be changed.
-----Original Message-----
From: Ara [mailto:ara@xxxxxxxxxx]
Sent: Tuesday, November 09, 2004 1:13 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: script help please
http://www.ISAserver.org
Well I guess you don't like to see someone uses a free alternative to
your
upcoming webmonitor 3 with url category filtering which costs money. I
get
the point between url and ip destination set, but the file is too big to
manually separate them for me.
Anyway thank you for help and hint
> -----Original Message-----
> From: David Farinic [mailto:davidf@xxxxxxx]
> Sent: November 8, 2004 3:39 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: script help please
>
> http://www.ISAserver.org
>
> First understand in which scenarios IP dest.s. entries would not work.
> This was already posted here By TOM:
>
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/faq-urldomain
> namesets.mspx
>
> I posted this:
>
------------------------------------------------------------------------
> -
>
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/faq-urldomain
> namesets.mspx
>
> Says "- You cannot specify a URL set as an IP address"
>
> Well works on mine self auto-updating MALWARE URL set OK They probably
> meant to say:
>
> "- If you specify a URL set as an IP address it would be applied to
ALL
> http proxy requests and to SNAT web redirected http client requests
> containing IP address in "Host: " field of http request(i.e. all
current
> browsers(http 1.1))"
>
>
> Meaning if you will have SNAT client not using proxy connecting
> directly and he will query http request for URL containing IP address
> with some old browser (~1994) he will get through even when you
specify
> that IP address in URL set.
>
>
------------------------------------------------------------------------
> -
>
> So once you understand if you are "safe" to ad IP DS entries
> Just remove part of script which checks for IP only site names
> (probably some regex)
> BTW I am working right now on similar app(&script) which is updating
> Malware DS every 30 min. And definitely IP entries will be present as
> well but they will usually expire in 1 year time from time of site
> misuse.
>
>
> With Regards DavidF
>
> -----Original Message-----
> From: Ara [mailto:ara@xxxxxxxxxx]
> Sent: Sunday, November 07, 2004 12:51 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] script help please
>
> http://www.ISAserver.org
>
> Can some one help me with this issue here?
> If you go to http://www.squidguard.org/download/
> then there is a link to download blacklisted sites. After extracting
you
> will get different categories. Let's say you go to porn categories and
> there
> is a file which has all links.
> The problem is they are formatted in a way that only works with squad
> guard
> installed. As an example,
>
> 101tits.com/lesbian
> 12.105.86.9/amateurlesbians
>
> I want to convert these to destination sets but it is complaining that
> there
> shouldn't be any ip in list. Only domains are allowed.
> So if someone is good in writing scripts, may I ask to make something
> that
> deletes line with ip address keeping the one with url's.
>
> Or
>
> Script is posted
> http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=33;t=000056
> But it gives me hard time. Maybe I am doing something wrong and help
is
> appreciated
>
> Thank you
>
>
This mail was checked for malicious code and viruses
by GFI MailSecurity. GFI MailSecurity provides email content
checking, exploit detection, threats analysis and anti-virus for
Exchange & SMTP servers. Viruses, Trojans, dangerous
attachments and offensive content are removed automatically.
Key features include: multiple virus engines; email content and
attachment checking; an exploit shield; an HTML threats engine;
a Trojan & Executable Scanner; and more.
In addition to GFI MailSecurity, GFI also produces the
GFI MailEssentials anti-spam software, the GFI FAXmaker
fax server & GFI LANguard network security product ranges.
For more information on our products, please visit
http://www.gfi.com. This disclaimer was sent by
GFI MailEssentials for Exchange/SMTP.
Other related posts:
