Sign in with
Sign up | Sign in
Your question

Netscreen Malicious URL - how to?

Last response: in Networking
Share
Anonymous
May 22, 2004 1:41:28 PM

Archived from groups: comp.security.firewalls (More info?)

I am having difficulties setting a user defined
malicious url entry for a Netscreen 5 series
firewall appliance.

No problems making the entries, have some working
just fine, or seems so. However, I am having problems
with an URL which contains a tilde ~ in the URL address.

An example "pretend" firewall entry,

GET /~USERNAME/SOMEPAGE.HTML

My firewall would show an entry,

User defined URL Protection: On
id: TEST, pattern: GET /~USERNAME/SOMEPAGE.HTML, length: 28


I have also tried this with URL encoded %7e to replace the tilde,

User defined URL Protection: On
id: TEST, pattern: GET /~USERNAME/SOMEPAGE.HTML, length: 28
id: TEST2, pattern: GET /%7EUSERNAME/SOMEPAGE.HTML, length: 30


Anyone have any thoughts on why Netscreen cannot capture
those pattern matches? Is it the ~ tilde causing problems?

Those entries do work for both inbound and outbound, correct?
There are no notes on this inbound versus outbound. Otherwords,
if somebody out on the internet requests that specific URL
on our server, it would be blocked? Does this need to be
linked to the "untrusted" side policy?

I have tested those types of entries by connecting to an
external proxy server then coming back into our server.
Darn if I don't pass right on through!

All comments, regardless of how seemingly unimportant,
are greatly appreciated. I have been researching this
for several weeks and cannot turn up a single reference
source which addresses this _specific_ problem. I have
tons of pdf files for Netscreen, have spent hours going
through them, but nada! Netscreen, which is now another
company, no longer offers support for older products.

Your input is greatly valued!

Thanks,

Purl Gurl
Anonymous
May 23, 2004 3:36:56 AM

Archived from groups: comp.security.firewalls (More info?)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yeah, that is a known issue with the tilde. The way you can work around it
though is to make a DNS based policy. Let's take geocities.com as an
example:

Put the domain in your Address Book:
set address "Untrust" "TEST" geocities.com

Then position the policy for incoming, outgoing, or both:
set policy id 40 from "Trust" to "Untrust" "InternalLAN" "AddressBookNAME"
"ANY" Deny log no-session-backup
set policy id 41 from "Untrust" to "Trust" "AddressBookNAME" "InternalLAN"
"ANY" Deny log no-session-backup

The only drawback is the blocking of an entire domain but, better safe than
sorry...

- -Scott


"Purl Gurl" <purlgurl@purlgurl.net> wrote in message
news:40AF82B7.45A6A2A2@purlgurl.net...
> I am having difficulties setting a user defined
> malicious url entry for a Netscreen 5 series
> firewall appliance.
>
> No problems making the entries, have some working
> just fine, or seems so. However, I am having problems
> with an URL which contains a tilde ~ in the URL address.
>
> An example "pretend" firewall entry,
>
> GET /~USERNAME/SOMEPAGE.HTML
>
> My firewall would show an entry,
>
> User defined URL Protection: On
> id: TEST, pattern: GET /~USERNAME/SOMEPAGE.HTML, length: 28
>
>
> I have also tried this with URL encoded %7e to replace the tilde,
>
> User defined URL Protection: On
> id: TEST, pattern: GET /~USERNAME/SOMEPAGE.HTML, length: 28
> id: TEST2, pattern: GET /%7EUSERNAME/SOMEPAGE.HTML, length: 30
>
>
> Anyone have any thoughts on why Netscreen cannot capture
> those pattern matches? Is it the ~ tilde causing problems?
>
> Those entries do work for both inbound and outbound, correct?
> There are no notes on this inbound versus outbound. Otherwords,
> if somebody out on the internet requests that specific URL
> on our server, it would be blocked? Does this need to be
> linked to the "untrusted" side policy?
>
> I have tested those types of entries by connecting to an
> external proxy server then coming back into our server.
> Darn if I don't pass right on through!
>
> All comments, regardless of how seemingly unimportant,
> are greatly appreciated. I have been researching this
> for several weeks and cannot turn up a single reference
> source which addresses this _specific_ problem. I have
> tons of pdf files for Netscreen, have spent hours going
> through them, but nada! Netscreen, which is now another
> company, no longer offers support for older products.
>
> Your input is greatly valued!
>
> Thanks,
>
> Purl Gurl
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com&gt;

iQA/AwUBQK/j8OAH+KdEQeVvEQItugCdHaErQz74yf0cjfOEXKwliNrXsg8AnAj0
1lYdDXw6pRQcuifgXL8j0wbl
=eXmv
-----END PGP SIGNATURE-----
Anonymous
May 23, 2004 3:36:57 AM

Archived from groups: comp.security.firewalls (More info?)

SA wrote:

> Purl Gurl wrote:

(snipped)

> > I am having difficulties setting a user defined
> > malicious url entry for a Netscreen 5 series
> > firewall appliance.

> > No problems making the entries, have some working
> > just fine, or seems so. However, I am having problems
> > with an URL which contains a tilde ~ in the URL address.

> > An example "pretend" firewall entry,

> > GET /~USERNAME/SOMEPAGE.HTML


> Yeah, that is a known issue with the tilde. The way you can work around it
> though is to make a DNS based policy. Let's take geocities.com as an
> example:

> Put the domain in your Address Book:
> set address "Untrust" "TEST" geocities.com


Thanks, Scott. I suspected something is not quite right.

I ran comparative tests, one without a tilde, one with a tilde.
The tilde syntax did not appear to be working. On tech issues
like this I always question if this is something I am doing
wrong. Never could find any reference sources on the tilde
syntax, nothing at the Juniper/Netscreen site. Last resort is
to post with a hope another has experienced this.

This is not a major problem. No security risks for my
circumstances, more of an annoyance actually. Surprises
me Netscreen did not think of this tilde URL shortcut,
as this is used a lot.

Thanks again, my thoughts are validated.


Purl Gurl
Related resources
Anonymous
May 23, 2004 4:11:54 AM

Archived from groups: comp.security.firewalls (More info?)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You also may want to try posting over at www.netscreenforum.com I've found
loads of info there.

- -Scott

"Purl Gurl" <purlgurl@purlgurl.net> wrote in message
news:40AFEBE7.E882FDCF@purlgurl.net...
> SA wrote:
>
> > Purl Gurl wrote:
>
> (snipped)
>
> > > I am having difficulties setting a user defined
> > > malicious url entry for a Netscreen 5 series
> > > firewall appliance.
>
> > > No problems making the entries, have some working
> > > just fine, or seems so. However, I am having problems
> > > with an URL which contains a tilde ~ in the URL address.
>
> > > An example "pretend" firewall entry,
>
> > > GET /~USERNAME/SOMEPAGE.HTML
>
>
> > Yeah, that is a known issue with the tilde. The way you can work around
it
> > though is to make a DNS based policy. Let's take geocities.com as an
> > example:
>
> > Put the domain in your Address Book:
> > set address "Untrust" "TEST" geocities.com
>
>
> Thanks, Scott. I suspected something is not quite right.
>
> I ran comparative tests, one without a tilde, one with a tilde.
> The tilde syntax did not appear to be working. On tech issues
> like this I always question if this is something I am doing
> wrong. Never could find any reference sources on the tilde
> syntax, nothing at the Juniper/Netscreen site. Last resort is
> to post with a hope another has experienced this.
>
> This is not a major problem. No security risks for my
> circumstances, more of an annoyance actually. Surprises
> me Netscreen did not think of this tilde URL shortcut,
> as this is used a lot.
>
> Thanks again, my thoughts are validated.
>
>
> Purl Gurl
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com&gt;

iQA/AwUBQK/sPOAH+KdEQeVvEQI5sQCdHF9GTlyVwcXTTPG4NBiaqDGR5DQAoPFF
d6/tcgeEBD66mqbRksZ4Ym17
=GlwK
-----END PGP SIGNATURE-----
Anonymous
May 23, 2004 4:11:55 AM

Archived from groups: comp.security.firewalls (More info?)

SA wrote:

> Purl Gurl wrote:

(snipped)

> > Never could find any reference sources on the tilde
> > syntax, nothing at the Juniper/Netscreen site.

> You also may want to try posting over at www.netscreenforum.com I've found
> loads of info there.

Thanks Scott! Never came across this during research.
I am there now and looks there is a lot of information.
No doubt I will learn a lot! If I don't find anything
related, I will register and post.

I am only a few weeks into using a Netscreen box. Just
bought it through Ebay. Been researching firewall boxes
for months and have tons of information on many different
types. Final decision is Netscreen is best for our needs.


Purl Gurl
Anonymous
May 23, 2004 1:01:12 PM

Archived from groups: comp.security.firewalls (More info?)

Purl Gurl wrote:

(snipped)

> I am having difficulties setting a user defined
> malicious url entry for a Netscreen 5 series
> firewall appliance.

> An example "pretend" firewall entry,

> GET /~USERNAME/SOMEPAGE.HTML

> Anyone have any thoughts on why Netscreen cannot capture
> those pattern matches? Is it the ~ tilde causing problems?

Some additional information on this which is pleasing.

First, my thanks to Scott for his feedback and for
pointing me to the Netscreen discussion forum. There,
I was and am able to gleen a lot of great information.
Actually found two references to malicious URL usage.

Use of a tilde with Netscreen does work. Initially,
this did not appear true because of flawed testing.

My testing was flawed because I forgot many public proxy
servers are caching servers. Initally, I tested access
to my tilde type URL through a proxy server _without_
a Netscreen entry to verify access. This was accomplished.

Next, I made my Netscreen entry to block access to this
URL with a tilde in the path. I was able to access this
tilde path, no problems. I made an assumption use of
a tilde is not recognized by Netscreen.

What truly happened is the proxy server I used for external
access to avoid local LAN access, uses a cache. Access is
and was denied by Netscreen so the proxy server provided
a cache copy of the page, or my browser was instructed to
pull up a cache copy. Not sure which; still testing.

Closing my browser, manually deleting all cache files,
using a different proxy, yielded positive results for
a tilde type URL block by Netscreen.

My final result is use of two Netscreen entries. One
with a ASCII tilde, another with a URL encoded tilde.

/~username/somefile.html
/%7Eusernam/somefile.html

However, I have discovered two methods to defeat those
Netscreen entries. One method is well documented for
older Netscreen operating systems and is a very difficult
method to employ.

The other method, which is not documented, was stumbled upon
quite by accident, and quite the surprise. However, this method
which is not documented, requires rather odd circumstances,
which are generated by your own server and is a result of
server internal redirection, which is beyond the scope and
ability of Netscreen and almost all external firewalls.

Be careful how you test your methods and assumptions!
Clearly I became caught up in assumptions based upon
forgetting how many proxy servers behave and forgetting
a browser cache will load, in lieu of an error message
caused by a lack of http protocol via some proxy servers.

Always test your methods and always test your assumptions.

* makes a mental note to practice what she preaches *

Bottom line is I was seeing cache copies without realizing
nor being alerted my access was, in fact, being blocked.

A closing thought, once this article hits the newswire,
Murphy's Law will be invoked and prove me the fool much
to the embarrassment of my ego.

Appreciation is again extended to Scott for providing a
link to wonderful Netscreen information resources.

Purl Gurl - waiting for Murphy to walk in.
!