<?xml version="1.0" encoding="iso-8859-2"?>
<feed version="0.3"
xmlns="http://purl.org/atom/ns#"
xmlns:dc="http://purl.org/dc/elements/1.1/"
>
<title mode="escaped">Firekeeper project weblog</title>
<link rel="alternate" type="text/html" href="http://blues.ath.cx/firekeeper"/>
<modified>2007-04-07T16:55:07+02:00</modified>
<author>
<name>Jan Wróbel</name>
<url>http://blues.ath.cx/firekeeper</url>
</author>

<entry>
<title mode="escaped">Using Firekeeper to alert about malware hosting sites</title>
<author>
<name>Jan Wróbel</name>
</author>
<link rel="alternate" type="text/html" href="http://blues.ath.cx/firekeeper/archives/2007-04.html#e2007-04-07T16_48_57.txt"/>
<id>http://blues.ath.cx/firekeeper/archives/2007-04.html#e2007-04-07T16_48_57.txt</id>
<issued>2007-04-07T16:48:57+02:00</issued>
<modified>2007-04-07T16:48:57+02:00</modified>
<created>2007-04-07T16:48:57+02:00</created>
<dc:subject>News</dc:subject>
<content type="application/xhtml+xml" xml:lang="en" xml:space="preserve" mode="escaped">
<![CDATA[
<p>
Great news!<br />
Andre D. Correa from the Malware Block List project has made testing
malware block lists in Firekeeper format available. They can be found on the
<a href="http://www.malware.com.br/">project</a> site.
</p>
<p>
There are two kinds of block list. The 'Regular list' triggers a
Firekeeper alert when Firefox tries to download a file from a directory
that contains malware. The 'Aggressive list' triggers the alert for the
whole domain, not only for a single directory.
</p>
<p>
These lists are updated automatically. You can use the Firekeeper
'Add remote file' feature to download the newest version automatically
every time Firefox is started.
</p>
Please test these lists. <br />
<br />
Thanks to Andre for his great work!
]]>
</content>

</entry>
<entry>
<title mode="escaped">0-day ANI vulnerability in Microsoft Windows</title>
<author>
<name>Jan Wróbel</name>
</author>
<link rel="alternate" type="text/html" href="http://blues.ath.cx/firekeeper/archives/2007-03.html#e2007-03-31T19_09_36.txt"/>
<id>http://blues.ath.cx/firekeeper/archives/2007-03.html#e2007-03-31T19_09_36.txt</id>
<issued>2007-03-31T19:09:36+02:00</issued>
<modified>2007-03-31T19:09:36+02:00</modified>
<created>2007-03-31T19:09:36+02:00</created>
<dc:subject>News</dc:subject>
<content type="application/xhtml+xml" xml:lang="en" xml:space="preserve" mode="escaped">
<![CDATA[
<p>
Firekeeper can be used to detect sites exploiting the recently
discovered critical vulnerability in MS ANI file handling.
</p>

Here is a rule proposed by Alexander Sotirov on bugtraq (put it on a
single line):

<pre><code>
alert(body_content:"anih|24 00 00 00|";
body_re:"/^RIFF.*anih\x24\x00\x00\x00.*anih(?!\x24\x00\x00\x00)/s";
msg:"possible MS ANI exploit";
reference:url,http://www.determina.com/security.research/vulnerabilities/ani-header.html;
reference:url,http://isc.sans.org/diary.html?storyid=2534;)
</code></pre>
]]>
</content>

</entry>
<entry>
<title mode="escaped">Project news</title>
<author>
<name>Jan Wróbel</name>
</author>
<link rel="alternate" type="text/html" href="http://blues.ath.cx/firekeeper/archives/2007-03.html#e2007-03-29T13_27_19.txt"/>
<id>http://blues.ath.cx/firekeeper/archives/2007-03.html#e2007-03-29T13_27_19.txt</id>
<issued>2007-03-29T13:27:19+02:00</issued>
<modified>2007-03-29T13:27:19+02:00</modified>
<created>2007-03-29T13:27:19+02:00</created>
<dc:subject>News</dc:subject>
<content type="application/xhtml+xml" xml:lang="en" xml:space="preserve" mode="escaped">
<![CDATA[
<p>
I haven't written for a while, but there is a lot of interesting stuff
about Firekeeper to announce.
</p>
<p>
First of all, I've spread information about the project on a few popular
mailing lists (bugtraq, focus on IDS, the Snort users mailing list, Mozilla
forums). A lot of people learned about Firekeeper, downloaded and
tested it. I've got a lot of positive feedback. The mailing list
(firekeeper@mozdev.org) has at last come to life and is now the
first place in which project news is posted. So if you want to know
the breaking news, please subscribe.
</p>

<p>
The current release is 0.2.9. There are still some compatibility
problems. A few people have reported that Firekeeper didn't load on
their machines.
</p>

<p>
There is also some new stuff to check out on the web page: a FAQ and a
tutorial that shows how to write Firekeeper rules, using as an example
a rule to detect sites using one of the attacks discovered
recently by Michal Zalewski.
</p>

<p>
The thing I'm most excited about is the possibility of using Firekeeper
to warn the user about sites with malware. Andre Correa from the
<a href="http://www.malware.com.br">Malware Block List Project</a> is
thinking about making a list of sites with malware available in
Firekeeper format. It would be very cool. I didn't know about Andre's
project before; check it out, it's really great. Andre hosts an
automatically updated list of malware hosting sites in many formats
suitable for popular applications.
</p>
<p>
Stay tuned for more news.
</p>
]]>
</content>

</entry>
<entry>
<title mode="escaped">new release</title>
<author>
<name>Jan Wróbel</name>
</author>
<link rel="alternate" type="text/html" href="http://blues.ath.cx/firekeeper/archives/2007-03.html#e2007-03-04T12_40_09.txt"/>
<id>http://blues.ath.cx/firekeeper/archives/2007-03.html#e2007-03-04T12_40_09.txt</id>
<issued>2007-03-04T12:40:09+02:00</issued>
<modified>2007-03-04T12:40:09+02:00</modified>
<created>2007-03-04T12:40:09+02:00</created>
<dc:subject>News</dc:subject>
<content type="application/xhtml+xml" xml:lang="en" xml:space="preserve" mode="escaped">
<![CDATA[
A new Firekeeper release is out (0.2.6). There is not much new in terms of
functionality, mainly some bug fixes. Finally there is
<a href="http://firekeeper.mozdev.org/screenshots.html">decent</a>
<a href="http://firekeeper.mozdev.org/rule_syntax.html">help</a> written.
It is going to be the first more
'official' release; I want to announce it in a few places to draw some
attention to the project.
]]>
</content>

</entry>
<entry>
<title mode="escaped">Firekeeper 0.2.4 alpha available</title>
<author>
<name>Jan Wróbel</name>
</author>
<link rel="alternate" type="text/html" href="http://blues.ath.cx/firekeeper/archives/2006-12.html#e2006-12-22T08_45_46.txt"/>
<id>http://blues.ath.cx/firekeeper/archives/2006-12.html#e2006-12-22T08_45_46.txt</id>
<issued>2006-12-22T08:45:46+02:00</issued>
<modified>2006-12-22T08:45:46+02:00</modified>
<created>2006-12-22T08:45:46+02:00</created>
<dc:subject>News</dc:subject>
<content type="application/xhtml+xml" xml:lang="en" xml:space="preserve" mode="escaped">
<![CDATA[
A new Firekeeper alpha release is out. Here is the list of changes:

<ul>
<li>
Firefox 2.0 compatibility.
</li>
<li>
Small GUI improvements
</li>
<li>
Some GLIBC version dependencies removed in the Linux release. It should now work on more Linux distros.
</li>
<li>
A lot of fixed bugs.
</li>
</ul>

It took me much more time than I'd planned to make this release. The main
reason is that I have more work at my university this semester
than I expected. But this is the last semester during which I have
university courses. From February I'll have a lot of free time and I
want to devote a large part of it to Firekeeper. Be ready for more updates :)
]]>
</content>

</entry>
<entry>
<title mode="escaped">Autotools deployed</title>
<author>
<name>Jan Wróbel</name>
</author>
<link rel="alternate" type="text/html" href="http://blues.ath.cx/firekeeper/archives/2006-09.html#e2006-09-03T23_30_21.txt"/>
<id>http://blues.ath.cx/firekeeper/archives/2006-09.html#e2006-09-03T23_30_21.txt</id>
<issued>2006-09-03T23:30:21+02:00</issued>
<modified>2006-09-03T23:30:21+02:00</modified>
<created>2006-09-03T23:30:21+02:00</created>
<dc:subject>Development</dc:subject>
<content type="application/xhtml+xml" xml:lang="en" xml:space="preserve" mode="escaped">
<![CDATA[
I've deployed Autoconf and Automake for Firekeeper; compilation
should now be much more convenient. These tools turned out to be much
easier to use than I thought. It's a pity I've wasted so much time
writing Makefiles for two platforms instead of using Autotools from
the beginning.
]]>
</content>

</entry>
<entry>
<title mode="escaped">New alpha release</title>
<author>
<name>Jan Wróbel</name>
</author>
<link rel="alternate" type="text/html" href="http://blues.ath.cx/firekeeper/archives/2006-08.html#e2006-08-25T01_04_15.txt"/>
<id>http://blues.ath.cx/firekeeper/archives/2006-08.html#e2006-08-25T01_04_15.txt</id>
<issued>2006-08-25T01:04:15+02:00</issued>
<modified>2006-08-25T01:04:15+02:00</modified>
<created>2006-08-25T01:04:15+02:00</created>
<dc:subject>News</dc:subject>
<content type="application/xhtml+xml" xml:lang="en" xml:space="preserve" mode="escaped">
<![CDATA[
I've uploaded a new Firekeeper alpha release to MozDev. It greatly
improves the efficiency of the rule matching algorithm. To do it I had to
extend the rule syntax; there are three new options: 'url_content',
'headers_content' and 'body_content'. They have syntax similar to the
'content' and 'uricontent' Snort options. As in Snort, it is possible to
specify the 'nocase' switch after each of these three options. The old
'url', 'body' and 'headers' options are now called 'url_re', 'body_re'
and 'headers_re'. *_content options are matched using the Aho-Corasick
multi-pattern search engine from Snort. This is a very fast algorithm
whose running time is proportional to the size of the inspected data
but doesn't depend on the number of patterns used. *_re options are
only checked when all *_content options match, so it is recommended that
every rule has at least one *_content option (the same principle applies
to Snort rules).
<br />
Below is an example Firekeeper rule:
<pre><code>
alert (msg:"Content-Disposition CLSID command attempt";
       headers_content:"Content-Disposition|3A|"; nocase;
       headers_re:"/^Content-Disposition\x3a[^\r\n]*\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smi";
       reference:bugtraq,9510; reference:cve,2004-0420;
       reference:url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx;
       fid:2589; rev:3;)
</code>
</pre>
The regular expression in this rule is checked only when the string
'Content-Disposition:' is present in the headers.
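To make the two-stage matching described above concrete, here is an added Python example; it is not Firekeeper's code and the automaton is a minimal reimplementation rather than Snort's engine. All *_content patterns of all rules are searched in a single Aho-Corasick pass over the headers (one pass for case-sensitive patterns, one over the lowercased text for 'nocase' patterns), and a rule's headers_re is evaluated only when every one of its content patterns was found. The first rule is the Content-Disposition CLSID rule from this post; the second rule, the sample HTTP headers, and the function names are constructed for the example.

```python
import re
from collections import deque


class AhoCorasick:
    """Minimal Aho-Corasick automaton: one pass over the text reports every
    pattern that occurs, whatever the number of patterns (added example)."""

    def __init__(self, patterns):
        self.goto, self.out, self.fail = [{}], [set()], [0]
        for p in patterns:
            node = 0
            for ch in p:
                if ch not in self.goto[node]:
                    self.goto.append({}); self.out.append(set()); self.fail.append(0)
                    self.goto[node][ch] = len(self.goto) - 1
                node = self.goto[node][ch]
            self.out[node].add(p)
        queue = deque(self.goto[0].values())  # breadth-first failure links
        while queue:
            node = queue.popleft()
            for ch, child in self.goto[node].items():
                queue.append(child)
                f = self.fail[node]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                nxt = self.goto[f].get(ch, 0)
                self.fail[child] = 0 if nxt == child else nxt
                self.out[child] |= self.out[self.fail[child]]  # inherit suffix outputs

    def search(self, text):
        found, node = set(), 0
        for ch in text:
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            found |= self.out[node]
        return found


# Rule 1 is the post's rule: headers_content "Content-Disposition|3A|" with nocase
# (|3A| is the hex byte for ':'), plus its headers_re with the /smi flags.
# Rule 2 is a constructed rule that needs two content strings before its regex runs.
RULES = [
    {"msg": "Content-Disposition CLSID command attempt",
     "headers_content": [("Content-Disposition:", True)],   # (pattern, nocase)
     "headers_re": re.compile(r"^Content-Disposition\x3a[^\r\n]*\{[\da-fA-F]{8}"
                              r"(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}", re.S | re.M | re.I)},
    {"msg": "example: HTML response",
     "headers_content": [("Content-Type:", True), ("text/html", False)],
     "headers_re": re.compile(r"^Content-Type\x3a\s*text/html", re.M | re.I)},
]


def match_rules(headers, rules):
    """Stage 1: find every *_content pattern with one automaton pass per case mode.
    Stage 2: run a rule's regex only if all of its patterns were found.
    Returns (alert messages, number of regexes actually evaluated)."""
    cs = {p for r in rules for p, nocase in r["headers_content"] if not nocase}
    ci = {p.lower() for r in rules for p, nocase in r["headers_content"] if nocase}
    found_cs = AhoCorasick(cs).search(headers)
    found_ci = AhoCorasick(ci).search(headers.lower())
    alerts, regex_evals = [], 0
    for r in rules:
        prefilter_ok = all((p.lower() in found_ci) if nocase else (p in found_cs)
                           for p, nocase in r["headers_content"])
        if not prefilter_ok:
            continue  # cheap string search failed: regex is never run
        regex_evals += 1
        if r["headers_re"].search(headers):
            alerts.append(r["msg"])
    return alerts, regex_evals


# Constructed sample responses; the all-zero GUID is a placeholder, not a real CLSID.
BENIGN_HEADERS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  "Content-Disposition: attachment; filename=report.pdf\r\n\r\n")
CLSID_HEADERS = ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                 "content-disposition: attachment; "
                 "filename=\"x.{00000000-0000-0000-0000-000000000000}\"\r\n\r\n")

if __name__ == "__main__":
    for name, hdrs in (("benign", BENIGN_HEADERS), ("clsid", CLSID_HEADERS)):
        alerts, evals = match_rules(hdrs, RULES)
        print(f"{name}: alerts={alerts} regexes_evaluated={evals}")
```

On the benign response both prefilters pass, so both regexes run and only the constructed HTML rule fires; on the CLSID response the 'text/html' string is absent, so the second regex is skipped entirely and only the post's rule alerts. Adding more rules adds patterns to the automaton without adding passes over the data, which is the property the post attributes to Aho-Corasick.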
<p>
I also did some small GUI improvements in this release. Now I'm working
on documentation (user and development) and I also want to deploy
autoconf and automake to simplify the build process.
</p>
]]>
</content>

</entry>
<entry>
<title mode="escaped">First alpha release</title>
<author>
<name>Jan Wróbel</name>
</author>
<link rel="alternate" type="text/html" href="http://blues.ath.cx/firekeeper/archives/2006-08.html#e2006-08-15T11_37_39.txt"/>
<id>http://blues.ath.cx/firekeeper/archives/2006-08.html#e2006-08-15T11_37_39.txt</id>
<issued>2006-08-15T11:37:39+02:00</issued>
<modified>2006-08-15T11:37:39+02:00</modified>
<created>2006-08-15T11:37:39+02:00</created>
<dc:subject>News</dc:subject>
<content type="application/xhtml+xml" xml:lang="en" xml:space="preserve" mode="escaped">
<![CDATA[
<p>
I haven't been posting for a while, but I did a lot of improvements in
Firekeeper (GUI, tracing decrypted HTTPS connections) and today the
first alpha release is <a href="http://firekeeper.mozdev.org/installation.html">
out</a>.
This release is intended mainly to test whether Firekeeper works well on
various different systems and to discuss further improvements.
I've tested it on Linux, Windows XP and 2000; my main concern is whether it
works on different Linux distros. I've created a web page with
<a href="http://firekeeper.mozdev.org/tests/index.php">tests</a>
that should trigger Firekeeper alerts if it works fine.
</p>

<p>
I want to concentrate now on optimising the rule matching code to match
multiple rules in a single step. Now every rule is applied separately.
</p>
]]>
</content>

</entry>
<entry>
<title mode="escaped">Windows build</title>
<author>
<name>Jan Wróbel</name>
</author>
<link rel="alternate" type="text/html" href="http://blues.ath.cx/firekeeper/archives/2006-08.html#e2006-08-03T12_23_19.txt"/>
<id>http://blues.ath.cx/firekeeper/archives/2006-08.html#e2006-08-03T12_23_19.txt</id>
<issued>2006-08-03T12:23:19+02:00</issued>
<modified>2006-08-03T12:23:19+02:00</modified>
<created>2006-08-03T12:23:19+02:00</created>
<dc:subject>Development</dc:subject>
<content type="application/xhtml+xml" xml:lang="en" xml:space="preserve" mode="escaped">
<![CDATA[
It took me two days but finally I have Firekeeper working on Windows!
I failed to build it using MinGW and decided to use MSVC (I have
version 7.1); it is recommended by Mozilla developers for Windows
builds. I've also installed Cygwin to be able to use Make and other
UNIX tools. It is a great environment for Windows and makes porting much
easier. The last thing left to finish porting Firekeeper to Windows is to
clean up the Makefiles; they are now quite chaotic.
]]>
</content>

</entry>
<entry>
<title mode="escaped">Firekeeper rules sources</title>
<author>
<name>Jan Wróbel</name>
</author>
<link rel="alternate" type="text/html" href="http://blues.ath.cx/firekeeper/archives/2006-08.html#e2006-08-01T00_11_35.txt"/>
<id>http://blues.ath.cx/firekeeper/archives/2006-08.html#e2006-08-01T00_11_35.txt</id>
<issued>2006-08-01T00:11:35+02:00</issued>
<modified>2006-08-01T00:11:35+02:00</modified>
<created>2006-08-01T00:11:35+02:00</created>
<dc:subject>Development</dc:subject>
<content type="application/xhtml+xml" xml:lang="en" xml:space="preserve" mode="escaped">
<![CDATA[
<p> To make rules management handy I implemented a feature to add as
many files with rules as the user wants. A single file could be just very
inconvenient. It is now also possible to specify remote URLs from
which Firekeeper downloads rules every time it starts up. If a remote
location is unreachable, Firekeeper uses the last rules successfully
downloaded from this location. I think it would be wise to allow the user
to specify what kinds of rules Firekeeper can download from remote
locations (for example only alert and blacklist rules but not
whitelist). </p>

<p> I haven't yet created a user interface for this rules management
code. I'm now setting up a Windows development environment; I don't want
to just compile Firekeeper but also to have a debug Mozilla build for
Windows. I hope that it won't take longer than one day to have it
running; it's quite an irritating job. </p>
]]>
</content>

</entry>

</feed>
