Re: [squid-users] Defending against new attacks

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 26 Sep 2001 00:24:56 +0200

The upcoming Squid-2.5 release gives you some additional tools. There
you can block content not only by the URL but also by content-type.

However, to really do this properly you need a filter that inspects the
downloaded content and blocks unwanted content signatures, as there are
ways of forcing browsers to interpret files as a different kind than
what is indicated by their extension and/or content-type. Capabilities
for plugging such filters/classifiers into Squid will eventually come,
but are not planned for Squid-2.5. However, the combination of URL and
Content-type blocking will surely be able to trap most attacks as seen
today.

Regards
Henrik Nordström
Squid Hacker

Brian M Dial wrote:
>
> With the Nimda virus semi-behind now, I'm looking at a way of protecting
> from something like this in the future. The only thought I've had so
> far is a way of filtering out executables from being downloaded from the
> web.
>
> I've looked at some threads similar to this in the logs but I have some
> questions. Is there any better way than using a URL pattern match to
> handle this? I know I can use url_regex \.eml or \.exe or any
> executable but is this the right way to be doing it? I've noticed that
> since I used it to filter .exe, I've had a few problems with people
> browsing sites that use .exe for their cgi extension and squid will deny
> the client even though it's not trying to download it.
>
> Is using url_regex based ACLs really the best way to be doing this?
>
> Thanks for any input,
>
> -Brian
>
> --
> Brian M Dial
> UNIX Systems Administrator
> Rummel, Klepper & Kahl, LLP
> Phone: 410.728.2900 x1329
> Cell: 410.598.0742
> http://www.rkkengineers.com
Received on Tue Sep 25 2001 - 16:41:42 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:29 MST
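
The three layers discussed in this thread (URL pattern, reply Content-Type, content signature), compared side by side in an added example that is not part of the original messages and is not Squid code. The blocked extensions and MIME types, the function names and the sample replies are constructed for illustration; the signature check assumes the filter sees at least the first 64 bytes of the body.

```python
import re
from urllib.parse import urlsplit

# Constructed policy values for illustration; not taken from the thread.
BLOCKED_EXT = re.compile(r"\.(exe|eml)$", re.IGNORECASE)
BLOCKED_TYPES = {"application/x-msdownload", "message/rfc822"}

def url_match(url):
    """URL pattern layer: blocked extension at the end of the URL path."""
    return bool(BLOCKED_EXT.search(urlsplit(url).path))

def type_match(content_type):
    """Content-Type layer: compare the media type, ignoring parameters."""
    return content_type.split(";")[0].strip().lower() in BLOCKED_TYPES

def signature_match(body):
    """Content layer: DOS 'MZ' header whose e_lfanew field points at 'PE'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(body[0x3C:0x40], "little")
    if pe_off + 4 > len(body):
        return True  # PE header lies beyond the inspected prefix: fail closed
    return body[pe_off:pe_off + 4] == b"PE\x00\x00"

def classify(url, content_type, body):
    """Return the names of the layers that flag this reply."""
    checks = (("url", url_match(url)),
              ("content-type", type_match(content_type)),
              ("signature", signature_match(body)))
    return [name for name, hit in checks if hit]

# Constructed samples: a minimal PE-shaped header and an HTML page.
PE_STUB = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
HTML = b"<html><body>search results</body></html>".ljust(0x40)

SAMPLES = {
    "cgi page": ("http://www.example.com/cgi-bin/search.exe?q=squid", "text/html", HTML),
    "honest download": ("http://www.example.com/setup.exe", "application/x-msdownload", PE_STUB),
    "mislabelled": ("http://www.example.com/notes.txt", "text/plain", PE_STUB),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:16} flagged by: {classify(*sample) or 'nothing'}")
```

The CGI page is flagged only by the URL layer, which is the false positive described in the question, while the mislabelled reply is caught only by the signature layer.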