On 2011/11/28 19:21, Jason Haar wrote:
Don't have an answer for you, but I can say that the following URL works
under FF-8.0

http://0x12.0x12.0x12.0x12/

(resolves to 18.18.18.18)

However, if you force browsers through a squid proxy, squid-2.6 at least
treats that as borked and won't play with it.

So even proxies are out of step with FF. Don't care if it's "right",
there's no need for any browser to accept crap like that :-(

It's probably "safe" to have a rule to score such urls - except when
they're http://0x12.0x12.com/ or the like!

As it turned out the URI_HEX rule from 3.3.1 (Scientific Linux) fired on
that abomination.

The SARE rule "SARE_HEXOCTDWORD" triggered. It looks like this if you don't
have 72_sare_redirect_post3.0.0.cf installed:
===8<---
# IE url obfuscating bug
uri SARE_URI_EQUALS m{^https?:?[/\\]{0,2}[^/\&?;]{1,100}=(?!(?:..)?$).*$}i
describe SARE_URI_EQUALS          Trying to hide the real URL with IE parsing bug
score    SARE_URI_EQUALS          1.666
#stype   SARE_URI_EQUALS          obfu
#ham     SARE_URI_EQUALS          hits source code with strange spacing.

# Not decoded, as we're explicitly searching for the encoded version
# catches all versions of IP obfuscation mentioned here: http://www.pc-help.org/obscure.htm
uri SARE_HEXOCTDWORD m{^(?:h|%[46]8)(?:t|%[57]4){2}(?:p|%[57]0)(?:s|%[57]3)?(?::|%3a)?(?:%5c|\\|%2f|/){0,2}(?:(?:(?![@\?/]|%40|).)*(?:\@|%40))*(?!123\.456\.789\.(?:999|012)|(?:2[0-4][0-9]|25[0-5]|1[0-9][0-9]|[1-9]?[0-9])(?:$|\.(?:2[0-4][0-9]|25[0-5]|1[0-9][0-9]|[1-9]?[0-9])){3}(?:[:\?;&/\\]|%3[abf]|%2[6f]|%5[c]|$))(?:(?:%3[0-9]|\d)+|(?:0|%30)(?:x|%[57]8)(?:%3[0-9]|%[46][1-6]|[0-9a-f])+|(?:0|%30)(?:%3[0-7]|[0-7])+)(?:(?:\.|%2e)(?:(?:%3[0-9]|\d)+|(?:0|%30)(?:x|%[57]8)(?:%3[0-9]|%[46][1-6]|[0-9a-f])+|(?:0|%30)(?:%3[0-7]|[0-7])+)){0,3}(?:[:\?;&/\\]|%3[abf]|%2[6f]|%5[c]|$)}i
describe SARE_HEXOCTDWORD         Uses an encoded IP address
score    SARE_HEXOCTDWORD         2.0
#stype   SARE_HEXOCTDWORD         obfu
===8<---

SARE rules seem to make life easier here. I included a second rule, the IE
parsing bug rule.

And as observed the rule COULD have a score equal to the spam threshold without
generating false positives.

In general using these techniques means something is being hidden from the
user. That raises the hairs on the back of my neck a tad when I see it. This
one with the really long "encrypted" tails looked like it was more than simple
drug spam or the like. So the mother hen in me wanted to look out for others
towards whom it might have been targeted.

{^_-}
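An added example, not part of the thread and not a SpamAssassin rule: a small Python decoder that canonicalizes the hex, octal and dword host forms SARE_HEXOCTDWORD is written to catch (including the user@ and percent-encoded variants), and leaves a real hostname such as 0x12.0x12.com alone. The sample URLs are constructed; the address arithmetic follows the usual inet_aton parsing rules.

```python
import re
from urllib.parse import unquote, urlsplit

def _label_value(label):
    """Parse one host label as a C-style number (hex 0x.., octal 0.., decimal)."""
    low = label.lower()
    if re.fullmatch(r'0x[0-9a-f]+', low):
        return int(low[2:], 16)
    if re.fullmatch(r'0[0-7]*', low):      # leading zero means octal; "0" is 0
        return int(low, 8)
    if re.fullmatch(r'[1-9][0-9]*', low):
        return int(low, 10)
    return None                           # not numeric, e.g. "com"

def decode_numeric_host(host):
    """Return (dotted_decimal, obfuscated) when host is an all-numeric,
    inet_aton-style address, else None (any non-numeric label makes it a name)."""
    labels = host.split('.')
    if not 1 <= len(labels) <= 4:
        return None
    values = [_label_value(l) for l in labels]
    if None in values:
        return None
    # inet_aton semantics: the last part absorbs the remaining low-order bytes
    widths = [8] * (len(values) - 1) + [8 * (5 - len(values))]
    if any(v >= 1 << w for v, w in zip(values, widths)):
        return None                       # part does not fit its width
    packed = 0
    for v, w in zip(values, widths):
        packed = (packed << w) | v
    dotted = '.'.join(str((packed >> s) & 0xFF) for s in (24, 16, 8, 0))
    return dotted, dotted != host

def classify_url(url):
    """('plain' | 'obfuscated' | 'name', canonical host) for one URL."""
    host = urlsplit(unquote(url)).hostname or ''   # drops user@ and :port
    decoded = decode_numeric_host(host)
    if decoded is None:
        return 'name', host
    dotted, obfuscated = decoded
    return ('obfuscated' if obfuscated else 'plain'), dotted

# Constructed sample URLs covering the forms discussed in the thread.
SAMPLES = [
    'http://0x12.0x12.0x12.0x12/',          # hex dotted (the FF-8.0 example)
    'http://303174162/',                    # the same address as a dword
    'http://022.022.022.022/',              # octal dotted
    'http://www.example.com@0x12121212/',   # fake userinfo before the real host
    '%68%74%74%70://0x12.0x12.0x12.0x12/',  # percent-encoded scheme
    'http://18.18.18.18/',                  # plain dotted decimal
    'http://0x12.0x12.com/',                # hex-looking labels in a real hostname
]

def scan(urls=SAMPLES):
    return [(u,) + classify_url(u) for u in urls]
```

Only the 'obfuscated' class needs scoring; 'plain' and 'name' cover the false-positive case the thread points out.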
