Example: Enabling the Malicious URL Blocking Option (NSM Procedure)

In this example, you define three malicious URL strings and enable the malicious URL blocking option. Then, enable fragment reassembly for the detection of the URLs in fragmented HTTP traffic arriving at an Untrust zone interface.

  1. Add a NetScreen-5GT security device. Choose Model when adding the device and configure the device as running ScreenOS 5.x.
  2. In the device navigation tree, select Network > Zone. Double-click the Untrust zone. The General Properties screen appears.
  3. Select TCP/IP Reassembly for ALG.
  4. In the Zone navigation tree, select Mal-URL. Configure three malicious URL strings:
  1. Click the Add icon to display the new Malicious URL ID dialog box. Configure the following and click OK:
    • For Malicious URL ID, enter Perl.
    • For HTTP Header Pattern, enter scripts/perl.exe.
    • For Minimum Length Before CRLF, enter 14.
  2. Click the Add icon to display the new Malicious URL ID dialog box. Configure the following options, and then click OK:
    • For Malicious URL ID, enter CMF.
    • For HTTP Header Pattern, enter cgi-bin/phf.
    • For Minimum Length Before CRLF, enter 11.
  3. Click the Add icon to display the new Malicious URL ID dialog box. Configure the following options, and then click OK:
    • For Malicious URL ID, enter DLL.
    • For HTTP Header Pattern, enter 210.1.1.5/msadcs.dll.
    • For Minimum Length Before CRLF, enter 18.
    • Click OK to save your changes to the zone, and then click OK again to save the device configuration.

Related Documentation