Endpoint Protection

  • 1.  How to block Content-Disposition via Intrusion Prevention Policies

    Posted Oct 25, 2010 04:53 PM

    I have been trying to find a way to block Content-Disposition using the following.

    using a custom signature:

    rule tcp,dest=(80),msg="PHP Download Block ",content="Content-Disposition"

    When I run a php file

    example: blahblah.com/some  php file.php

    The php file uses Content-Disposition to download an exe to the computer.

    sample code: 

    Content-Disposition: attachment; filename="somefile.exe";

    I would like to key off on the "Content-Disposition" and block the file, but the only thing that it's blocking is if I Google search for the word Content-Disposition.

    Thanks for the help on this.
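
Added example (not part of the original posts and not Symantec code): a small Python model of why a destination-port-80 content match fires on the search request but not on the download, assuming `dest=(80)` matches only packets whose destination port is 80, while the `Content-Disposition` header travels in the server's response (source port 80). The traffic samples, the extension list and all function names are constructed for illustration.

```python
import re
from collections import namedtuple

Segment = namedtuple("Segment", "sport dport payload")

# Constructed sample traffic (not captured from a real host).
SEARCH_REQ = Segment(49152, 80, b"GET /search?q=Content-Disposition HTTP/1.1\r\n"
                                b"Host: search.example\r\n\r\n")
EXE_RESP = Segment(80, 49153, b"HTTP/1.1 200 OK\r\n"
                              b"Content-Type: application/octet-stream\r\n"
                              b'Content-Disposition: attachment; filename="somefile.exe";\r\n'
                              b"\r\nMZ")
PDF_RESP = Segment(80, 49154, b"HTTP/1.1 200 OK\r\n"
                              b'content-disposition: attachment; filename="report.pdf"\r\n'
                              b"\r\n%PDF")

BLOCKED_EXT = (".exe", ".scr", ".com")  # assumed policy list
FILENAME_RE = re.compile(rb'filename\s*=\s*"?([^";\r\n]+)', re.I)

def posted_rule_matches(seg):
    """Model of the posted rule: destination port 80 plus a raw content match."""
    return seg.dport == 80 and b"Content-Disposition" in seg.payload

def attachment_name(seg):
    """Filename offered by an HTTP response sent from port 80, or None."""
    if seg.sport != 80 or not seg.payload.startswith(b"HTTP/"):
        return None
    head = seg.payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        field, _, value = line.partition(b":")
        if field.strip().lower() == b"content-disposition" and b"attachment" in value.lower():
            m = FILENAME_RE.search(value)
            return m.group(1).decode("latin-1").strip() if m else ""
    return None

def should_block(seg):
    """Block only responses that offer an attachment with a listed extension."""
    name = attachment_name(seg)
    return name is not None and name.lower().endswith(BLOCKED_EXT)

if __name__ == "__main__":
    for label, seg in (("search request", SEARCH_REQ), ("exe response", EXE_RESP),
                       ("pdf response", PDF_RESP)):
        print(label, posted_rule_matches(seg), should_block(seg))
```

Per-segment header matching like this misses headers split across TCP segments and anything carried over HTTPS, and names sent in the RFC 6266 `filename*=` form need separate handling.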



  • 2.  RE: How to block Content-Disposition via Intrusion Prevention Policies

    Posted Oct 27, 2010 05:29 PM

    Any help on this? I am sure lots of people will use this if we can get it to work.



  • 3.  RE: How to block Content-Disposition via Intrusion Prevention Policies

    Posted Oct 27, 2010 05:32 PM

    Hey TLO,

    I'd love to know the answer to this as well. The downside here is that I don't believe Symantec officially supports technicians assisting in writing custom IPS. That doesn't mean you won't get help here, it just means most of the techs won't be familiar with how to do it.



  • 4.  RE: How to block Content-Disposition via Intrusion Prevention Policies

    Posted Oct 29, 2010 12:01 PM

    Well, how do we go about getting a new signature created to detect hidden exe downloads via php scripts?



  • 5.  RE: How to block Content-Disposition via Intrusion Prevention Policies