Very interesting project.

Firekeeper is an Intrusion Detection and Prevention System for Firefox. It is able to detect, block and warn the user about malicious sites. Firekeeper uses flexible rules similar to Snort ones to describe browser based attack attempts. Rules can also be used to effectively filter different kinds of unwanted content.

http://firekeeper.mozdev.org/
http://firekeeper.mozdev.org/screenshots.html



Edited 1 time(s). Last edit at 03/08/2007 02:20PM by blad3.

Have you tried it at all? Is it fast? I'm always worried about these sorts of things destroying performance, since they have to do pretty intensive things.

- RSnake
Gotta love it. http://ha.ckers.org

I installed it and noticed some problems right away. Some sites would not load, and you had to either click on a link again, or select your bookmarks again. This of course is the least of my problems.. since I installed it, I can't see any youtube videos.. it gets stuck on 'loading'.. the error console just shows some css errors.. guess I'll have to uninstall-reinstall.. bleah..

--thrill

Yah, I just tried it and the very first thing that happened upon clicking on their test page and then following the first link I tried to close the alert window several times and boom... 100% cpu spike and browser crash. :-/

- RSnake
Gotta love it. http://ha.ckers.org

Yeah, the project is not very mature.
I liked the idea, though. And IDS+IPS for Firefox.

Nice is though that you can utilize the tool as an XSS test helper - no need for manual sourcecode checking after an injection with rules like this:

alert (msg:”Possible HTML Injection detected!”; body_content:”<xss>“;)
alert (msg:”Possible XSS detected!”; body_content:”>alert(”;)
alert (msg:”Possible XSS detected!”; body_content:”>document.write(”;)
alert (msg:”Possible XSS detected!”; body_content:”>document.body.innerHTML =”;)

I didn't see this thread. I commented on Firekeeper in another forum already, namely that I don't see anything useful coming out of it. If you look at Firekeeper's list of rules, it is mostly vulnerabilities in Internet Explorer and plugins. There is little point in looking for Internet Explorer exploits from Firefox of course, but same goes for plugin vulnerabilities - Firekeeper only attaches to the traffic of the browser, it cannot filter the data plugins load!

There is more. The list of rules is compiled from published vulnerabilities. Now if a critical vulnerability in Firefox is published it is mostly after it has been fixed. If it hasn't been fixed yet it will be fixed soon, two weeks at most. For Firekeeper to be useful it needs to get a rules update significantly faster than a new Firefox version is released - otherwise keeping your browser updated will work just as well (but far less annoying). And the new rule should be general enough to catch at least small variation of the attack (the rules I have seen aren't).

I have seen only one general rule in Firekeeper - "document.domain". Good luck with that. I disabled tried to disable document.domain via CAPS and it broke several major sites (that was my intention, I wanted to find out who used it). Mind you, I only disabled setting this property while Firekeeper will be triggered by any reference to it - even if it is only a documentation text.