Firewall-1

Re: [FW-1] Smartdefence "../" 'Url Worm'

Subject: Re: [FW-1] Smartdefence "../" 'Url Worm'
From: Tom Stala <stala AT TAMPABAY.RR DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 25 Mar 2005 14:52:19 -0500
I had to get Check Point to write a patch to allow some programs through the
HTTP worm catcher; we would turn all of the definitions off and it would
still drop communications.
If we turned off the root worm catcher it would allow communications to
pass.

So SmartDefense, like Microsoft, does stuff that you have no control over.

----- Original Message -----
From: "Wayne Clemit" <Wayne_Clemit AT LINEONE DOT NET>
To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
Sent: Friday, March 25, 2005 11:40 AM
Subject: [FW-1] Smartdefence "../" 'Url Worm'


> We are experiencing the very same issues when trying to browse legit
> business critical websites.
> Turning off all the Worm Patterns in SmartDefense works, but for obvious
> reasons, we need to know which individual pattern is blocking "../" URLs
> so we can turn the remaining patterns back on.
>
> Any help (or workarounds) would be greatly appreciated.
>
> Cheers
>
>     Wayne.
>
>  Subject: [fw1-gurus] Smartdefence 'Url Worm'
>  From: "Andrew Craick" <mogwai888000@xxxxxxxxxxx>
>  To: fw1-gurus@xxxxxxxxxxxxxxxxxx
>  Date: Mon, 21 Feb 2005 16:48:44 +1100
>
>  --------------------------------------------------------------------------------
>  I keep getting SmartDefense alert messages when someone tries to connect to
>  our web server and also when our proxy server is connecting to external web
>  sites. It looks to be caused by SmartDefense not liking the double periods
>  in some web sites' URLs, i.e.
>  /adc/sitemaster/.../template/template_images/spacer.gif
>
>  Obviously this is to guard against some sort of directory traversal attacks;
>  however, there seems to be a large number of web sites that use /../
>  (including our own) and there doesn't seem to be a worm pattern that I can
>  remove in SmartDefense.
>
>  I'd really like to turn this option off for HTTP connections originating
>  from our internal proxy server and also for connections to our web server,
>  which has been patched for most of these types of vulnerabilities.
>
>  Can I turn the general HTTP worm catcher off for certain source or
>  destination addresses, and which worm pattern is blocking /../ ?
>
>
>  regards
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
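
Added example, not part of the thread and not Check Point's logic: a sketch of why a blanket match on "../" produces the false positives described above, by resolving dot segments and flagging only paths that climb above the web root. The function name, verdict labels and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import unquote, urlsplit


def classify_path(url, max_decode=3):
    """Return (verdict, normalized_path) for the path component of url.

    verdict is 'clean' (no '..' segment), 'benign-dotdot' ('..' present but
    the path stays under '/'), or 'escapes-root' ('..' climbs above '/').
    """
    path = urlsplit(url).path
    # Decode repeatedly so %2e%2e and double-encoded %252e%252e become dots.
    for _ in range(max_decode):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")  # some servers accept backslash separators
    stack, saw_dotdot, escaped = [], False, False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            saw_dotdot = True
            if stack:
                stack.pop()      # ordinary relative reference inside the site
            else:
                escaped = True   # nothing left to pop: request leaves the root
            continue
        stack.append(seg)
    normalized = "/" + "/".join(stack)
    if escaped:
        return "escapes-root", normalized
    return ("benign-dotdot" if saw_dotdot else "clean"), normalized


# Constructed sample URLs (www.example.com is a placeholder host).
SAMPLES = [
    "http://www.example.com/images/spacer.gif",
    "http://www.example.com/adc/sitemaster/../template/template_images/spacer.gif",
    "http://www.example.com/cgi-bin/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "http://www.example.com/a/%252e%252e/%252e%252e/x",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(classify_path(u), u)
```
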
