Yep, 

Some characters are used in directory traversal attacks and injection
attacks, and the | is a pipe and is usually used to try and attack a web
application using a UNIX backend. 

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: [email protected]
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +
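An added example (not from the thread) of the kind of check Kurt's firewall is applying to the Costco URL quoted below: a small Python filter that flags query values carrying shell metacharacters such as the pipe, or directory-traversal sequences, and only lets such a request through when the host is on a reviewed allow-list. The example.test URLs and the allow-list are constructed.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters a strict HTTP proxy treats as hostile in a query value: shell
# metacharacters (the pipe the post mentions, for command injection against a
# UNIX backend) and the sequences used in directory traversal.
SHELL_META = set("|;`$&<>")
TRAVERSAL = ("../", "..\\")

def suspicious_params(url):
    """Return (name, raw_value, reason) for each query parameter that would
    trip the filter. Values are percent-decoded a second time so that an
    encoded pipe (%7C) or a double-encoded dot-dot (%252e%252e) is not missed."""
    query = urlsplit(url).query
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)          # parse_qsl already decoded once
        bad = sorted(SHELL_META & set(decoded))
        if bad:
            findings.append((name, value, "shell metacharacter " + "".join(bad)))
        elif any(seq in decoded for seq in TRAVERSAL):
            findings.append((name, value, "directory traversal"))
    return findings

def decide(url, allowlist=frozenset()):
    """Block a URL with suspicious parameters unless its host has been
    reviewed and put on the allow-list (the whitelisting the post describes)."""
    host = urlsplit(url).hostname or ""
    findings = suspicious_params(url)
    if findings and host not in allowlist:
        return "block", findings
    return "allow", findings

# The Costco URL from the post, plus three constructed requests.
COSTCO_URL = ("http://www.costco.com/Common/Category.aspx"
              "?cat=70718&eCat=BC|589|70718&lang=en-US&whse=BC&topnav=")
SAMPLE_URLS = [
    COSTCO_URL,
    "http://example.test/search?q=printer+toner&page=2",
    "http://example.test/dl?file=..%2F..%2Fimages%2Flogo.png",
    "http://example.test/dl?file=%252e%252e%252fimages",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict, why = decide(u, allowlist={"www.costco.com"})
        print(verdict, u, why)
```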

-----Original Message-----
From: Kurt Buff [mailto:[email protected]] 
Sent: Thursday, January 29, 2009 5:23 PM
To: Active Directory Admin Issues
Subject: Re: OT: Was Tips 'n' Tricks Now it's Symantec Bashing

I've got a start on that with my sidewinders. They are pretty strict
about parsing http traffic, and I regularly get requests from user
trying to visit sites that use bad, bad, bad programming, especially
poorly crafted URLs.

Here's one that wouldn't pass my firewall without it being whitelisted:

http://www.costco.com/Common/Category.aspx?cat=70718&eCat=BC|589|70718&lang=en-US&whse=BC&topnav=

I think the firewall doesn't like the '|' characters.

That having been said, it does nothing to parse javascript - I've had
several machines pwned recently, from clueless users visiting dodgy
music and gaming web sites. I just have my minions flatten the boxes
and reinstall. It's not worth the effort to try to clean them - and
we're using Sunbelt's product on the desktops, with regular updates.

Kurt

On Thu, Jan 29, 2009 at 2:13 PM, Ziots, Edward <[email protected]>
wrote:
> Honestly,
>
> I posed this question at a security conference I attended last year.
>
> It seems that most of the exploitation is via browser exploits, why not
> come up with a HIPS for the web-browsers, that inspects all sessions
> being sent back and forth, and protects from java-script XSS, CSRF
> attacks on the client side, basically like using a web-browser sand-box
> technology. I haven't seen anything on the market like this yet, but it
> would be an exciting vector to stop the drive-by web-exploits.
>
> The whitelist comes down to one thing: Code execution, if you can't tell
> what good code and bad code looks like, it doesn't matter if you allowed
> a seemingly good app, execute bad code, that is why I like the HIPS
> better than application white listing.
>
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> Email: [email protected]
> Phone: 401-639-3505
> MCSE, MCP+I, ME, CCA, Security +, Network +
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Thursday, January 29, 2009 5:08 PM
> To: Active Directory Admin Issues
> Subject: Re: OT: Was Tips 'n' Tricks Now it's Symantec Bashing
>
> Somewhat agree.
>
> Whitelisting apps will definitely help a lot, but the process is
> tedious, if done well:
>   o- build a clean install from known media
>   o- use the output of dir /s /b and use md5sum to build a database
> of known files
>   o- use magic app to use database of md5 hashes to whitelist apps
>   o- install new software, redo steps above
>
> However, that still won't help against malicious data, like crafted
> Word/Excel docs, mp3s, whatever (sure, open that web-based file, so
> that I can pwn your browser and OS!)
>
> Now, whitelisting apps *and* whitelisting web sites - that would be
> truly useful, though it still doesn't protect against malicious email
> attachments.
>
>
>
> Kurt
>
> On Thu, Jan 29, 2009 at 1:58 PM, Michael B. Smith
> <[email protected]> wrote:
>> I think WhiteListing is "the future of A/V".
>>
>> There is simply too much to guard AGAINST now.
>>
>> (I say "the future" because I still think whitelists are too hard to
>> build. IMO. YMMV.)
>>
>> Regards,
>>
>> Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
>>
>> My blog: http://TheEssentialExchange.com/blogs/michael
>>
>> I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php
>>
>> From: James Rankin [mailto:[email protected]]
>> Sent: Thursday, January 29, 2009 4:32 PM
>> To: Active Directory Admin Issues
>> Subject: Re: OT: Was Tips 'n' Tricks Now it's Symantec Bashing
>>
>>
>>
>> I am always wondering these days if AV is strictly necessary. AppSense
>> won't execute anything that isn't whitelisted and/or isn't owned by an
>> Administrator, and neither can network drives run executable content
>> by default. Coupled with WebSense, the use of mandatory profiles and a
>> pretty rapid patching strategy, I am left wondering how much mitigation
>> AV actually gives us on top. It certainly has only caught about three
>> virii recently (and guess what? They were on my boss's workstation,
>> which means all the products I mentioned above, he has removed himself
>> from)
>>
>> 2009/1/29 Jake Gardner <[email protected]>
>>
>> I'm a little past halfway through the company wide removal of Symantec
>> and installing AVG.  yippie!!
>>
>> I love when the end users always ask me about why I don't like
>> Symantec, or they tell me how happy they are with McAfee.  ugh.  I ask
>> them if they've had viruses or malware and they ALWAYS answer yes.
>>
>> Thanks,
>>
>> Jake Gardner
>> TTC Network Administrator
>> Ext. 246
>>
>> ________________________________
>>
>> From: James Rankin [mailto:[email protected]]
>> Sent: Thursday, January 29, 2009 4:19 PM
>> To: Active Directory Admin Issues
>> Subject: Re: Tips 'n' Tricks
>>
>> Hey guys, you're preaching to the choir here. My boss bought it, and he
>> likes to take down Exchange servers in the middle of the morning just
>> to fix some cosmetic issue. I hate Symantec with a passion that appears
>> to be quite common.
>>
>> 2009/1/29 Ziots, Edward <[email protected]>
>>
>> Symantec Sucks.. Period..
>>
>> Z
>>
>> Edward E. Ziots
>> Network Engineer
>> Lifespan Organization
>> Email: [email protected]
>> Phone: 401-639-3505
>> MCSE, MCP+I, ME, CCA, Security +, Network +
>>
>> ________________________________
>>
>> From: Jake Gardner [mailto:[email protected]]
>> Sent: Thursday, January 29, 2009 4:15 PM
>>
>> To: Active Directory Admin Issues
>> Subject: RE: Tips 'n' Tricks
>>
>>
>>
>> Call Symantec support right away and ask for their cleanwipe tool.
>> That will solve ALL of your Symantec problems forever.
>>
>> ;)
>>
>> Thanks,
>>
>> Jake Gardner
>> TTC Network Administrator
>> Ext. 246
>>
>> ________________________________
>>
>> From: Tim Vander Kooi [mailto:[email protected]]
>> Sent: Thursday, January 29, 2009 4:14 PM
>> To: Active Directory Admin Issues
>> Subject: RE: Tips 'n' Tricks
>>
>> As long as Symantec is on the network there should always be something
>> to have to fix. ;-)
>>
>> From: James Rankin [mailto:[email protected]]
>> Sent: Thursday, January 29, 2009 3:11 PM
>> To: Active Directory Admin Issues
>> Subject: Re: Tips 'n' Tricks
>>
>>
>>
>> Oh how I long to be back in a big environment...the heady days of when
>> the backbone security team "leased" admin access to support teams for
>> specific tasks and timeframes...when you couldn't get a service account
>> with any more access than it absolutely needed...when patches were
>> tested at four different levels before arriving in production   :-)
>>
>> Now there's just me, WebSense, AppSense and Symantec Antivirus between
>> the infrastructure and anarchy.
>>
>> Enuff reminiscing.....back to fixing stuff
>>
>> 2009/1/29 Ziots, Edward <[email protected]>
>>
>> I hear you, can't tolerate that stuff here, of course scheduling of 700
>> servers to be patched across 2 week timeline with a lockout on changes
>> from 7am-5pm posed by executive management doesn't make for happy
>> campers...
>>
>> Z
>>
>> Edward E. Ziots
>> Network Engineer
>> Lifespan Organization
>> Email: [email protected]
>> Phone: 401-639-3505
>> MCSE, MCP+I, ME, CCA, Security +, Network +
>>
>> ________________________________
>>
>> From: James Rankin [mailto:[email protected]]
>> Sent: Thursday, January 29, 2009 4:03 PM
>> To: Active Directory Admin Issues
>> Subject: Re: Tips 'n' Tricks
>>
>> ***Teletronics Technology Corporation***
>> This e-mail is confidential and may also be privileged.  If you are not
>> the addressee or authorized by the addressee to receive this e-mail, you
>> may not disclose, copy, distribute, or use this e-mail. If you have
>> received this e-mail in error, please notify the sender immediately by
>> reply e-mail or by telephone at 267-352-2020 and destroy this message
>> and any copies.
>>
>> Thank you.
>>
>> *******************************************************************

~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~
    ~  <http://www.sunbelt-software.com/product.cfm?id=400>  ~

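Kurt Buff's four whitelisting steps quoted above (clean install from known media, `dir /s /b` plus md5sum into a database of known files, enforce from that database, redo after each install), as an added example that is not part of the thread: a Python sketch that builds the hash database from a directory tree and reports what a later snapshot adds or changes. It swaps SHA-256 in for md5sum and constructs its sample files in a temporary directory.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """Streaming digest of one file. The post uses md5sum; SHA-256 is swapped
    in here because MD5 collisions are cheap, which undermines an allow-list."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root):
    """Steps 1-2: enumerate every file under a clean install (what `dir /s /b`
    lists) and record its digest keyed by path relative to the root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_digest(full)
    return baseline

def audit(baseline, current):
    """Step 3 as a report: files whose digest is absent from the database are
    what a hash allow-list would refuse to run, so list them for review."""
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed walk-through in a temp dir: baseline a 'clean install', let
    one binary change and an unknown one appear, then re-baseline (step 4)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in (("bin/app.exe", b"v1"), ("bin/helper.dll", b"lib"), ("readme.txt", b"hi")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = hash_tree(root)
        with open(os.path.join(root, "bin/app.exe"), "wb") as fh:
            fh.write(b"v2")                      # binary replaced on disk
        with open(os.path.join(root, "bin/unknown.exe"), "wb") as fh:
            fh.write(b"???")                     # file not in the database
        drift = audit(baseline, hash_tree(root))
        baseline = hash_tree(root)               # step 4: approve and rebuild
        return drift, audit(baseline, hash_tree(root))
```

The `drift` report is the review queue before re-baselining; anything listed under `added` or `modified` is what the allow-list would have refused to execute.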