Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on). 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Firekeeper
Posted by: blad3
Date: March 08, 2007 02:20PM

Very interesting project.

Firekeeper is an Intrusion Detection and Prevention System for Firefox. It is able to detect, block and warn the user about malicious sites. Firekeeper uses flexible rules similar to Snort ones to describe browser based attack attempts. Rules can also be used to effectively filter different kinds of unwanted content.

http://firekeeper.mozdev.org/
http://firekeeper.mozdev.org/screenshots.html



Edited 1 time(s). Last edit at 03/08/2007 02:20PM by blad3.

Options: ReplyQuote
Re: Firekeeper
Posted by: rsnake
Date: March 09, 2007 11:48AM

Have you tried it at all? Is it fast? I'm always worried about these sorts of things destroying performance, since they have to do pretty intensive things.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Firekeeper
Posted by: thrill
Date: March 09, 2007 01:21PM

I installed it and noticed some problems right away. Some sites would not load, and you had to either click on a link again, or select your bookmarks again. This of course is the least of my problems.. since I installed it, I can't see any youtube videos.. it gets stuck on 'loading'.. the error console just shows some css errors.. guess I'll have to uninstall-reinstall.. bleah..

--thrill

Options: ReplyQuote
Re: Firekeeper
Posted by: rsnake
Date: March 09, 2007 01:55PM

Yah, I just tried it and the very first thing that happened upon clicking on their test page and then following the first link I tried to close the alert window several times and boom... 100% cpu spike and browser crash. :-/

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Firekeeper
Posted by: blad3
Date: March 11, 2007 12:15AM

Yeah, the project is not very mature.
I liked the idea, though. And IDS+IPS for Firefox.

Options: ReplyQuote
Re: Firekeeper
Posted by: Anonymous User
Date: March 13, 2007 07:11AM

Nice is though that you can utilize the tool as an XSS test helper - no need for manual sourcecode checking after an injection with rules like this:

alert (msg:”Possible HTML Injection detected!”; body_content:”<xss>“;)
alert (msg:”Possible XSS detected!”; body_content:”>alert(”;)
alert (msg:”Possible XSS detected!”; body_content:”>document.write(”;)
alert (msg:”Possible XSS detected!”; body_content:”>document.body.innerHTML =”;)

Options: ReplyQuote
Re: Firekeeper
Posted by: trev
Date: March 15, 2007 05:36PM

I didn't see this thread. I commented on Firekeeper in another forum already, namely that I don't see anything useful coming out of it. If you look at Firekeeper's list of rules, it is mostly vulnerabilities in Internet Explorer and plugins. There is little point in looking for Internet Explorer exploits from Firefox of course, but same goes for plugin vulnerabilities - Firekeeper only attaches to the traffic of the browser, it cannot filter the data plugins load!

There is more. The list of rules is compiled from published vulnerabilities. Now if a critical vulnerability in Firefox is published it is mostly after it has been fixed. If it hasn't been fixed yet it will be fixed soon, two weeks at most. For Firekeeper to be useful it needs to get a rules update significantly faster than a new Firefox version is released - otherwise keeping your browser updated will work just as well (but far less annoying). And the new rule should be general enough to catch at least small variation of the attack (the rules I have seen aren't).

I have seen only one general rule in Firekeeper - "document.domain". Good luck with that. I disabled tried to disable document.domain via CAPS and it broke several major sites (that was my intention, I wanted to find out who used it). Mind you, I only disabled setting this property while Firekeeper will be triggered by any reference to it - even if it is only a documentation text.

Options: ReplyQuote


Sorry, only registered users may post in this forum.