Firewall-1

Re: [FW-1] Smartdefence "../" 'Url Worm'

Subject: Re: [FW-1] Smartdefence "../" 'Url Worm'
From: "Jarmoc, Jeff" <Jeff.Jarmoc AT GRUBB-ELLIS DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 25 Mar 2005 14:16:51 -0600

It's listed independently on my firewalls (and disabled for reasons
already mentioned).

In the Worm Catcher it's called 'HTTP Directory traversal attack' and
the pattern it matches is listed as '(\\|/)\.\.'

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Tom Stala
Sent: Friday, March 25, 2005 1:52 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Smartdefence "../" 'Url Worm'

I had to get Check Point to write a patch to allow some programs through
the http worm catcher; we would turn all of the definitions off and it would
still drop communications.
If we turned off the root worm catcher it would allow communications to
pass.

So SmartDefense, like Microsoft, does stuff that you have no control over.

----- Original Message -----
From: "Wayne Clemit" <Wayne_Clemit AT LINEONE DOT NET>
To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
Sent: Friday, March 25, 2005 11:40 AM
Subject: [FW-1] Smartdefence "../" 'Url Worm'


> We are experiencing the very same issues when trying to browse legit
> business critical websites.
> Turning off all the Worm Patterns in Smartdefence works, but for obvious
> reasons, we need to know which individual pattern is blocking "../" URLs
> so we can turn the remaining patterns back on.
>
> Any help (or workarounds) would be greatly appreciated.
>
> Cheers
>
>     Wayne.
>
>  Subject: [fw1-gurus] Smartdefence 'Url Worm'
>  From: "Andrew Craick" <mogwai888000@xxxxxxxxxxx>
>  To: fw1-gurus@xxxxxxxxxxxxxxxxxx
>  Date: Mon, 21 Feb 2005 16:48:44 +1100
>
>
>  -------
>  I keep getting smartdefence alert messages when someone tries to connect to
>  our web server and also when our proxy server is connecting to external web
>  sites. It looks to be caused by Smartdefence not liking the double periods
>  in some web sites' URLs, i.e.
>  /adc/sitemaster/.../template/template_images/spacer.gif
>
>  Obviously this is to guard against some sort of directory traversal attacks,
>  however there seems to be a large number of web sites that use /../
>  (including our own) and there doesn't seem to be a Worm pattern that I can
>  remove in Smartdefence.
>
>  I'd really like to turn this option off for http connections originating
>  from our internal proxy server and also for connections to our web server,
>  which has been patched for most of these types of vulnerabilities.
>
>  Can I turn the general HTTP worm catcher off for certain source or
>  destination addresses, and which worm pattern is blocking /../ ?
>
>
>  regards
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
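
Added example, not part of the original thread and not Check Point's code: the pattern quoted above, read as an ordinary regex, applied to the path from the thread and to a few constructed paths, next to a normalization check that flags only paths which resolve above the web root. The function names and the non-thread sample paths are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Pattern exactly as quoted in the thread, read as an ordinary regex.
# Assumption: SmartDefense's own matching engine may differ in detail.
WORM_CATCHER = re.compile(r"(\\|/)\.\.")

# First path is the one quoted in the thread; the rest are constructed.
SAMPLES = [
    "/adc/sitemaster/.../template/template_images/spacer.gif",
    "/products/2005/../images/logo.gif",
    "/index.html",
    "/static/../../conf/app.ini",
]

def pattern_hits(url):
    """True if the quoted pattern matches anywhere in the raw URL."""
    return WORM_CATCHER.search(url) is not None

def escapes_root(url):
    """True only if resolving the decoded path climbs above the web root."""
    path = unquote(urlsplit(url).path)
    depth = 0
    for seg in re.split(r"[\\/]+", path):
        if seg in ("", "."):
            continue            # empty and "." segments do not move
        if seg == "..":
            depth -= 1          # one level up
            if depth < 0:
                return True     # went above the root
        else:
            depth += 1          # ordinary name, "..." included
    return False

def compare(urls):
    """Return (url, pattern_hit, escapes_root) for each URL."""
    return [(u, pattern_hits(u), escapes_root(u)) for u in urls]

if __name__ == "__main__":
    for url, hit, escapes in compare(SAMPLES):
        verdict = "traversal" if escapes else ("false positive" if hit else "clean")
        print(f"{verdict:15} {url}")
```

The first two paths match the pattern but never leave the document root, which is the kind of legitimate traffic the posters report being dropped.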