[isapros] Re: New Blocking script on isatools.org

  • From: Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: isapros <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 25 Jun 2010 18:10:20 +0100

Thanks Jim!

Sent from my iPhone

Jason Jones | Forefront MVP | Principal Security Consultant | Silversands 
Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: 
jason.jones@xxxxxxxxxxxxxxxxx

On 25 Jun 2010, at 16:58, "Jim Harrison" <jim@xxxxxxxxxxxx> wrote:

http://jim.isatools.org/tools/block_hcp.vbs

It works on ISA 2004, ISA 2006, TMG MBE and TMG 2010
It creates HTTP Signatures in any access rule that includes HTTP.
These signatures are:
HCP-1: Search in: Response body, Format: Text, Byte range: 1 – 100, Pattern: hcp://
HCP-2: Search in: Response body, Format: Text, Byte range: 1 – 100, Pattern: hcp%3A%2F%2F
HCP-3: Search in: Response body, Format: Text, Byte range: 1 – 100, Pattern: hcp%253A%252F%252F
HCP-4: Search in: Response headers, HTTP header: location, Pattern: hcp://
HCP-5: Search in: Response headers, HTTP header: location, Pattern: hcp%3A%2F%2F
HCP-6: Search in: Response headers, HTTP header: location, Pattern: hcp%253A%252F%252F

No, it doesn’t find all permutations of this URL, but most attacks aren’t 
mounted using all permutations, either.
This will find and reject all HTTPS responses that use these most common forms.
If you combine this with HTTPS Inspection on TMG, your protection is that much 
better.

Jim
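
The six signatures listed above, modelled as an added Python example (not part of the original message and not the code of block_hcp.vbs). It shows that the three patterns are the same string URL-encoded zero, one and two times, and evaluates them against constructed sample responses. The function names, the reading of "Byte range: 1 – 100" as the first 100 body bytes, and case-sensitive substring matching are assumptions.

```python
from urllib.parse import quote

# The three pattern forms from the post: plain, URL-encoded once, URL-encoded twice.
PLAIN = "hcp://"
ONCE = quote(PLAIN, safe="")   # hcp%3A%2F%2F
TWICE = quote(ONCE, safe="")   # hcp%253A%252F%252F

# (name, search region, pattern) mirroring HCP-1 .. HCP-6 as listed in the post.
SIGNATURES = [
    ("HCP-1", "body", PLAIN), ("HCP-2", "body", ONCE), ("HCP-3", "body", TWICE),
    ("HCP-4", "location", PLAIN), ("HCP-5", "location", ONCE),
    ("HCP-6", "location", TWICE),
]
BODY_RANGE = 100  # assumption: "Byte range: 1 - 100" means the first 100 body bytes


def parse_response(raw: bytes):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip()
    return headers, body


def matching_signatures(raw: bytes):
    """Return the names of the signatures that match this response."""
    headers, body = parse_response(raw)
    regions = {"body": body[:BODY_RANGE], "location": headers.get("location", b"")}
    # Assumption: case-sensitive substring match on the raw bytes.
    return [n for n, where, pat in SIGNATURES if pat.encode() in regions[where]]


# Constructed sample responses (not captured traffic).
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\nLocation: hcp%3A%2F%2Fexample\r\n"
                   b"Content-Length: 0\r\n\r\n")
SAMPLE_BODY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b'<a href="hcp://example">x</a>')
SAMPLE_DOUBLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"hcp%253A%252F%252Fexample")
SAMPLE_CLEAN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>hello</p>"

if __name__ == "__main__":
    for sample in (SAMPLE_REDIRECT, SAMPLE_BODY, SAMPLE_DOUBLE, SAMPLE_CLEAN):
        print(matching_signatures(sample) or "no match")
```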
