Firewall-1
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[FW-1] Smartdefence "../" 'Url Worm'

from Wayne Clemit [Permanent Link]
Subject: [FW-1] Smartdefence "../" 'Url Worm'
From: Wayne Clemit <Wayne_Clemit AT LINEONE DOT NET>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 25 Mar 2005 16:40:30 -0000 
We are experiencing the very same issues when trying to browse legit
business critical websites.
Turning off all the Worm Patterns in Smartdefence works, but for obvious
reasons, we need to know which individual pattern is blocking "../" url's
so we can turn the remaining patterns back on.

Any help (or workarounds) would be greatly appreciated.

Cheers

   Wayne.

Subject: [fw1-gurus] Smartdefence 'Url Worm'
From: "Andrew Craick" <mogwai888000@xxxxxxxxxxx>
To: fw1-gurus@xxxxxxxxxxxxxxxxxx
Date: Mon, 21 Feb 2005 16:48:44 +1100

-------------------------------------------------------------------------=
-------
I keep getting smartdefence alert messages when somone tries to connect to
our web server and also when our proxy server is connecting to external web
sites. It looks to be caused by Smartdefence not liking the double periods
in some web sites URLs ie
/adc/sitemaster/.../template/template_images/spacer.gif

Obviously this is to guard against some sort of directory traversal attacks
however these seems to be a large number of web sites that use /../
(including
our own) and there doesn't seem to be a Worm pattern that i can remove in
Smartdefence.

I'd really like to turn this option off for http connections originating
from our internal proxy server and also for connections to our web server

which has been patched for most of these types of vulnerabilities.

Can i turn the general HTTP worm catcher off for certain source or
destination
addresses and which worm pattern is blocking /../ ?


regards

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [FW-1] Inegity flex, Andrey Maluck
Next by Date:  Re: [FW-1] Smartdefence "../" 'Url Worm', Jarmoc, Jeff
Previous by Thread:  [FW-1] Inegity flex, Andrey Maluck
Next by Thread:  Re: [FW-1] Smartdefence "../" 'Url Worm', Tom Stala
Indexes:  [Date] [Thread] [Top] [All Lists]