12 January 2007 Changes (HHH)
-----------------------------

1. Action: allowed all akamai.net servers through
   Added:  GoodDomains[i++] = ".akamai.net";
   Reason: a1791.g.akamai.net (clear back in September)
   In reality, since these people are twerps that WILL host porn and other crap, I am not altogether kindly disposed, but people MAY be missing some things they need.

        69 17_Parts.txt
        37 17_Starts_and_Ends.txt
       109 17_Passed_All_Rules.txt
   ---------------------------
       215 total

       776 18_Parts.txt
       218 18_Starts_and_Ends.txt
       929 18_Passed_All_Rules.txt
   ----------------------------
      1923 total

   See the UNresolved false positives below. We may be able to dump the "17" rule, but we can NOT dump the "18" rule. The problem is, everything I have found that the "17" rule causes problems for, the "18" rule causes problems for as well.

2. Action: Full debug
   From: var debugAll = debugGeneral | debugShowPass | debugShowFail | debugRegxGen | debugModURL;
   To:   var debugAll = debugGeneral | debugShowPass | debugShowFail | debugRegxGen | debugModURL | debugShowIP;
   Reason: May as well have them all.

3. Action: allow the free-av.com site access
   Added:  GoodDomains[i++] = ".free-av.com";
   Reason: Source of the free AntiVir Anti-Virus program

4. Action: Added rule for AntiVir AntiVirus program
   Added:  GoodDomains[i++] = ".avgate.net";
   Reason: d17.avgate.net, d18.avgate.net
   They also had *.antivir-pe.de and antivir.de, but I couldn't see anything there that could cause problems. On that subject, I have yet to see problems for Symantec NAV, and Danny never said anything about McAfee.

5. Action: Added a rule for "chik"
   Added:  BadURL_Parts[i++] = "chik";
   Reason: onlyfatchiks.com
   Do NOT go there. They do more than just porn. They WILL use browser exploits.

6. Action: Downgraded "cheerlead" rule
   From: BadURL_Parts[i++] = "cheerlead";
   To:   BadHostParts[i++] = "cheerlead";
   Reason: Just wait until March Madness comes around again and then get back to me on this one.

7. Action: Altered licensing
   From: Ours - proprietary
   To:   GNU
   Reason: Eric is involved again, so why not?

12 January 2007 UNresolved False Positives (HHH)
------------------------------------------------

1. Pattern: "exposed"
   Rules:  BadURL_Parts[i++] = "exposed";
   Reason: www.hackinglinuxexposed.com/articles/20031231.html

        96 expos_Parts.txt
        70 expos_Starts_and_Ends.txt
        92 expos_Passed_All_Rules.txt
   ------------------------------
       258 total

   47 of the 92 passing are "exposed"; the others are "exposure", "expose", and some variations of "sexpost". Downgrading the rule does NOTHING. In fact I am thinking of shortening it to "expose", where it is usually used in the French pronunciation of eks-po-zay.

2. Pattern: "hard"
   Rules:  BadURL_WordStarts[i++]="hard[(b|c|e|p|s)]";
           BadURL_WordEnds[i++]="[^cs]hard";   // Changed from "hard" to "[^cs]hard"
   Reason: digg.com/security/Marcus_Ranum_on_hard_disk_encryption
   So far this is the ONLY one I have encountered.

3. Pattern: "lips"
   Rules:  BadHostWordStarts[i++]="lips";
           BadURL_WordEnds[i++]="[^c]lips";
   Reason: creativosparc.ads.uigc.net/RealMedia/ads/Creatives/\
           OasDefault/BR_20061201_BUSCAPE-BOND/br_20061201_\
           buscape-bond-BP-hometheaterphilips_pop.gif
   My initial hunch is to just downgrade the rules. The pattern is too short.

4. Pattern: "hot"
   Rules:  BadURL_WordEnds[i++]="[^s]hot";   // Changed from "hot" to "[^s]hot"
   Reason: creativosparc.ads.uigc.net/RealMedia/ads/Creatives/\
           OasDefault/BR_20060130_PRIMA_UBBI-ENCONTROS/br_\
           20060912_ubbi-encontros-perfilhot_super.gif
   My initial hunch is to just downgrade the rule. The pattern is too short.

12 January 2007 RESOLVED False Positives (HHH)
----------------------------------------------

1. Pattern: "17"
   Rules:  BadHostParts[i++] = "17";
   Reason: The pattern was found in one of the akamai.net servers

        69 17_Parts.txt
        37 17_Starts_and_Ends.txt
       109 17_Passed_All_Rules.txt
   ---------------------------
       215 total

   It may be possible to stop all of these using just hosts file entries. There IS a possibility a few new ones will dribble through. I already established a LONG time ago that we can NOT stop a pattern like this in the entire URL. The false positives would be ENORMOUS! In a host name we are getting diminished returns, and download17.avast.com and who knows how many akamai.net servers. I suggest that when we hit a count of a half dozen or so false positives in domains that had to be entered into the GoodDomains, it is time to scrap the rule. On the other hand, the "18" rule MUST be retained. BUT the domains affected by the "17" rule are also affected by the "18" rule.

   Solution: GoodDomains[i++] = ".akamai.net";

   This is NOT a complete solution. We are probably going to have to drop the "17" rule. We can NOT drop the "18" rule. We are going to have to live with it.
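The following is an added example, not the filter's own code: a small JavaScript model of how rule lists like the ones above get evaluated, run over the URLs this changelog records so that each false positive can be reproduced and the effect of the ".akamai.net" whitelist entry seen. The page does not show the filter's matching function, so the evaluation order (GoodDomains first, then host rules, then full-URL rules), the treatment of "_Parts" lists as plain substrings, of "_WordStarts"/"_WordEnds" lists as regex fragments that must sit at a word boundary, and the definition of a word boundary as "anything that is not a letter" are all assumptions of this example.

```javascript
// Added example, not the filter's own code. ASSUMPTIONS: GoodDomains is
// checked before any block rule; host rules run before full-URL rules;
// "_Parts" entries are plain substrings; "_WordStarts"/"_WordEnds" entries
// are regex fragments anchored at a word boundary, where only letters count
// as word characters. The page does not show the real matching function.

const GoodDomains = [".akamai.net", ".free-av.com", ".avgate.net"];
const BadHostParts = ["17", "18", "cheerlead"];
const BadHostWordStarts = ["lips"];
const BadURL_Parts = ["exposed", "chik"];
const BadURL_WordStarts = ["hard[(b|c|e|p|s)]"];
const BadURL_WordEnds = ["[^cs]hard", "[^c]lips", "[^s]hot"];

// Lower-case the URL, drop the scheme, and separate host from the rest.
function splitURL(url) {
  const noScheme = url.replace(/^[a-z]+:\/\//i, "").toLowerCase();
  const slash = noScheme.indexOf("/");
  const host = slash < 0 ? noScheme : noScheme.slice(0, slash);
  const path = slash < 0 ? "/" : noScheme.slice(slash);
  return { host, full: host + path };
}

// ".akamai.net" matches the bare domain and every sub-domain of it.
function inGoodDomains(host) {
  return GoodDomains.some(d => host === d.slice(1) || host.endsWith(d));
}

// Return "<list>:<pattern>" for the first pattern in the list that fires.
function firstHit(listName, patterns, text, mode) {
  for (const p of patterns) {
    let hit;
    if (mode === "part") hit = text.includes(p);
    else if (mode === "start") hit = new RegExp("(^|[^a-z])" + p).test(text);
    else hit = new RegExp(p + "([^a-z]|$)").test(text);
    if (hit) return listName + ":" + p;
  }
  return null;
}

// Verdict for one URL: whitelisted, or the first block rule that matched.
function classify(url) {
  const { host, full } = splitURL(url);
  if (inGoodDomains(host)) return { blocked: false, rule: "GoodDomains" };
  const rule =
    firstHit("BadHostParts", BadHostParts, host, "part") ||
    firstHit("BadHostWordStarts", BadHostWordStarts, host, "start") ||
    firstHit("BadURL_Parts", BadURL_Parts, full, "part") ||
    firstHit("BadURL_WordStarts", BadURL_WordStarts, full, "start") ||
    firstHit("BadURL_WordEnds", BadURL_WordEnds, full, "end");
  return { blocked: rule !== null, rule };
}

// The URLs named in this changelog (legitimate traffic that the rules hit).
const SAMPLE_URLS = [
  "http://a1791.g.akamai.net/",
  "http://download17.avast.com/",
  "http://d17.avgate.net/",
  "http://www.hackinglinuxexposed.com/articles/20031231.html",
  "http://digg.com/security/Marcus_Ranum_on_hard_disk_encryption",
  "http://creativosparc.ads.uigc.net/RealMedia/ads/Creatives/OasDefault/" +
    "BR_20061201_BUSCAPE-BOND/br_20061201_buscape-bond-BP-hometheaterphilips_pop.gif",
  "http://creativosparc.ads.uigc.net/RealMedia/ads/Creatives/OasDefault/" +
    "BR_20060130_PRIMA_UBBI-ENCONTROS/br_20060912_ubbi-encontros-perfilhot_super.gif",
];

// One row per URL: which rule (if any) fires on it.
function report(urls = SAMPLE_URLS) {
  return urls.map(u => ({ url: u, ...classify(u) }));
}

console.table(report());
```

Running it shows the pattern the changelog describes: a1791.g.akamai.net and d17.avgate.net now pass only because their domains were added to GoodDomains, download17.avast.com still trips "17", and the "[^cs]hard", "[^c]lips" and "[^s]hot" fragments still fire on "_hard_", "philips_" and "lhot_" because the excluded letter is the wrong side of the short pattern.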