Re: [squid-users] Re: acl virus1 url_regex http://www/c/winnt/system32/cmd.exe

From: khiz code <khizcode@dont-contact.us>
Date: Wed, 26 Sep 2001 06:11:54 -0700 (PDT)

hi
but if your aim is to prevent the worm why don't you use the very useful
acl posted very recently on the list
here it is
acl codered url_regex \/default\.ida$
acl banned-url url_regex "/usr/local/squid4/etc/worm-blocking"
#deny_info ERR_RESET codered
#deny_info ERR_RESET banned-url
http_access deny codered
http_access deny banned-url

 the file "/usr/local/squid4/etc/worm-blocking"
itself contains
.*NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN.*
.*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.*
.*/winnt/system32/cmd.exe.*
.*/MSADC/root.exe..c.dir$
.*/scripts/root.exe..c.dir$

rgds
khizcode

--- Henrik Nordstrom <hno@squid-cache.org> wrote:
> That you can do, provided the request contains exactly this string
> (see access.log).
>
> For this kind of match I would recommend using the urlpath_regex
> type to only match against the path excluding requested host name.
>
> In these times I would recommend using
>
> acl virus2 urlpath_regex system32
> http_access deny virus2
>
> Yes, this may match somewhat more than intended, but not very likely.
> It will however match a rather wide range of IIS exploits.
>
> Regards
> Henrik Nordström
> Squid Hacker
>
>
> Edward wrote:
> >
> > Hi Henrik!
> >
> > Do you know if this command would work in squid 2.5?
> >
> > acl virus1 url_regex http://www/c/winnt/system32/cmd.exe
> > http_access deny virus1
> >
> > I have used this line including
> > ^http://www/c/winnt/system32/cmd.exe$ to see
> > if I was doing something wrong.
> >
> > It still would not deny me access. Am I missing something here?
> >
> > Thank you very much.
> >
> > Best regards,
> >
> > Edward Millington. BSc, Network+
> > (Network Administrator & Senior Technical Support Technician)
> > Cariaccess Communications Ltd.
> > Palm Plaza
> > Wildey
> > St. Michael
> > Barbados
> > 1-246-430-7435
> > Fax : 1-246-431-0170
> > edward@cariaccess.com
> > www.cariaccess.com

Received on Wed Sep 26 2001 - 07:11:55 MDT
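
The matching behaviour discussed in this thread, as an added example that is not part of the original messages: a small Python harness that runs the posted ACL patterns over constructed sample URLs, showing why a url_regex with a fixed host name only fires on that exact string while urlpath_regex ignores the host. Assumptions: Python's re stands in for Squid's regex engine, urlpath_regex is taken to see the path plus query string, the ACL name virus1_anchored is hypothetical, and the N/X filler lines of the worm-blocking file are omitted.

```python
import re
from urllib.parse import urlsplit

# (name, acl type, patterns) as posted in the thread.
# "virus1_anchored" is a hypothetical name for the ^...$ variant.
ACLS = [
    ("virus1", "url_regex", [r"http://www/c/winnt/system32/cmd.exe"]),
    ("virus1_anchored", "url_regex",
     [r"^http://www/c/winnt/system32/cmd.exe$"]),
    ("virus2", "urlpath_regex", [r"system32"]),
    ("banned-url", "url_regex", [
        r".*/winnt/system32/cmd.exe.*",
        r".*/MSADC/root.exe..c.dir$",
        r".*/scripts/root.exe..c.dir$",
    ]),
]

def subject(acl_type, url):
    """Return the string an ACL of this type is matched against."""
    if acl_type == "url_regex":
        return url  # whole URL, scheme and host included
    parts = urlsplit(url)  # urlpath_regex: host stripped (assumed path + query)
    return parts.path + ("?" + parts.query if parts.query else "")

def matching_acls(url):
    """Names of the ACLs that would match this request URL, in config order."""
    hits = []
    for name, acl_type, patterns in ACLS:
        text = subject(acl_type, url)
        # Unanchored search, case-sensitive, like an ACL without -i.
        if any(re.search(p, text) for p in patterns):
            hits.append(name)
    return hits

# Constructed sample URLs (not taken from any real access.log).
SAMPLES = [
    "http://www/c/winnt/system32/cmd.exe",
    "http://www/c/winnt/system32/cmd.exe?/c+dir",
    "http://www.example.com/c/winnt/system32/cmd.exe?/c+dir",
    "http://192.0.2.10/scripts/root.exe?/c+dir",
    "http://www.example.com/index.html",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url}\n    -> {matching_acls(url) or 'no ACL matches'}")
```

Running the same check against URLs copied from your own access.log shows which rule, if any, would have denied each request before you deploy it.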
