Malicious URL Protection
Enable malicious URL protection on a security device to drop incoming HTTP packets that reference URLs with specific user-defined patterns. You can define up to 48 malicious URL string patterns per zone, each of which can be up to 64 characters long, for malicious URL protection at the zone level. When the malicious URL blocking feature is selected, the security device examines the data payload of all HTTP packets. If it locates a URL and detects that the beginning of its string—up to a specified number of characters—matches the pattern you defined, the device blocks that packet from passing the firewall.
A resourceful attacker, realizing that the string is known and might be guarded against, can deliberately fragment the IP packets or TCP segments to make the pattern unrecognizable during a packet-by-packet inspection. However, security devices use Fragment Reassembly to buffer fragments in a queue, reassemble them into a complete packet, and then inspect that packet for a malicious URL. Depending on the results of this reassembly process and subsequent inspection, the device performs one of the following steps:
If the device discovers a malicious URL, it drops the packet and enters the event in the log.
If the device cannot complete the reassembly process, a time limit is imposed to age out and discard fragments.
If the device determines that the URL is not malicious but the reassembled packet is too big to forward, the device fragments that packet into multiple packets and forwards them.
If the device determines that the URL is not malicious and does not need to fragment it, it then forwards the packet.
To configure a malicious URL string, you must specify the following properties:
Malicious URL ID—Enter the ID that you want to use to identify the URL string.
HTTP Header Pattern—Enter the malicious URL string (also called a pattern) that you want the security device to match.
Minimum Length Before CRLF—Enter the number of characters in the URL string (pattern) that must be present in a URL—starting from the first character—for a positive match (not every character is required for a match). CRLF represents “carriage return/line feed” ; HTTP uses a CR or LF character to mark the end of a code segment.
For more information about malicious URLs on security devices, refer to the Concepts & Examples ScreenOS Reference Guide: Attack Detection and Defense Mechanisms.