Firekeeper is an add-on IDS/IPS for the Mozilla Firefox browser that detects, warns about and blocks malicious websites. It scans all incoming traffic, including the URL, the headers and the body of a web page, to detect browser-based attacks. Compressed or encrypted traffic (i.e. HTTPS) is scanned after the browser has decompressed or decrypted it, so compression or TLS does not hide an attack from it. Firekeeper checks the HTTP traffic against a set of rules that describe patterns of browser-based attacks. Rules for known malware and exploits are shipped by default, and you can also easily write custom rules to detect threats of your own. The rule syntax is based on that of the well-known IDS Snort. Whenever a threat is detected, Firekeeper displays an alert with a full description, including the URL and online references related to the threat, and asks the user what to do with this URL and what action to take on it.
USP: Harden Firefox against browser based attacks
Primary Link: http://firekeeper.mozdev.org/
Google Keywords: Firekeeper, browser-based IDS/IPS
Installing this add-on is simple. Just download firekeeper.xpi from the URL mentioned in the Direct Hit box and Firefox will install it automatically. After installation, restart the browser and you will see the Firekeeper icon in the far right corner of the status bar. Now, as you surf the Web and a website attacks your machine, the add-on immediately displays an alert and prompts you to take action. You can take any of four actions: blacklist, whitelist, block once and allow once.
Firekeeper rules are made of two parts: the rule header and the rule options. The header specifies which of three actions is taken when the rule matches: pass, drop or alert. When a 'pass' rule matches, the HTTP traffic is allowed through without any further checks. A 'drop' rule blocks the matching traffic without any user intervention, and an 'alert' rule opens the Alert window.
The rule options describe what should trigger the action and carry other information about the rule, such as its message. There are three content options: url_content, headers_content and body_content, which are matched against the URL, the response headers and the response body respectively. Creating a rule is simple: open a text file and write
alert(msg:"attack detected"; body_content:"clsid|3A|"; nocase;)
In the body_content option specify the content you want to look for in the incoming traffic. Here clsid|3A| is the string clsid followed by a colon: in Snort-style rules, bytes written between pipes are hex, and 3A is the ASCII code of ':'. This catches pages that reference an object by CLSID, the usual way ActiveX controls are instantiated. In the msg option give the message that should be displayed when such content is detected. The nocase option makes the content match case-insensitive, so both CLSID: and clsid: trigger the rule.
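To make the rule format concrete, here is an added example, written for this page and not Firekeeper's own code: a small JavaScript matcher that parses rules in the syntax described above and evaluates them against a fetched response (URL, headers, body). It assumes, beyond what the article states, that all content options in one rule must match for the rule to fire (Snort's behaviour), that text between pipes is hex as in Snort, and that rules are tried in the order listed with the first match deciding. The rule set, the hosts under example.test and the responses are constructed for the example.

```javascript
"use strict";

// Decode a Snort-style content string: literal text, with byte runs written
// in hex between pipes, e.g. "clsid|3A|" -> "clsid:" and "|4D 5A|" -> "MZ".
function decodeContent(s) {
  let out = "";
  let i = 0;
  while (i < s.length) {
    if (s[i] !== "|") { out += s[i++]; continue; }
    const end = s.indexOf("|", i + 1);
    if (end === -1) throw new Error("unterminated hex escape in " + s);
    const hex = s.slice(i + 1, end).replace(/\s+/g, "");
    if (hex.length === 0 || hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
      throw new Error("bad hex escape in " + s);
    }
    for (let j = 0; j < hex.length; j += 2) {
      out += String.fromCharCode(parseInt(hex.slice(j, j + 2), 16));
    }
    i = end + 1;
  }
  return out;
}

// The three content options and the response field each one is matched against.
const CONTENT_OPTIONS = new Map([
  ["url_content", "url"], ["headers_content", "headers"], ["body_content", "body"],
]);

// Parse one rule of the form  action(option:"value"; option:"value"; nocase;)
// Malformed rules (missing quotes or semicolons, unknown options) are rejected.
function parseRule(text) {
  const m = /^\s*(pass|drop|alert)\s*\((.*)\)\s*$/.exec(text);
  if (!m) throw new Error("malformed rule: " + text);
  const rule = { action: m[1], msg: "", matches: [], nocase: false };
  const body = m[2].trim();
  const optRe = /(\w+)(?:\s*:\s*"([^"]*)")?\s*;\s*/y; // sticky: option must start at pos
  let pos = 0;
  while (pos < body.length) {
    optRe.lastIndex = pos;
    const t = optRe.exec(body);
    if (!t) throw new Error("malformed option near: " + body.slice(pos));
    pos = optRe.lastIndex;
    const [, key, val] = t;
    if (key === "nocase" && val === undefined) rule.nocase = true;
    else if (key === "msg" && val !== undefined) rule.msg = val;
    else if (CONTENT_OPTIONS.has(key) && val !== undefined) {
      rule.matches.push({ field: CONTENT_OPTIONS.get(key), needle: decodeContent(val) });
    } else throw new Error("unknown or malformed option: " + key);
  }
  if (rule.matches.length === 0) throw new Error("rule has no content option: " + text);
  return rule;
}

// Flatten a response into the three strings Firekeeper scans.
function responseFields(resp) {
  const headers = Object.entries(resp.headers).map(([k, v]) => k + ": " + v).join("\r\n");
  return { url: resp.url, headers: headers, body: resp.body };
}

// A rule fires only when every one of its content options is found (Snort semantics).
function ruleMatches(rule, fields) {
  return rule.matches.every(({ field, needle }) => {
    const hay = rule.nocase ? fields[field].toLowerCase() : fields[field];
    return hay.includes(rule.nocase ? needle.toLowerCase() : needle);
  });
}

// Try rules in order; the first match decides (assumption). No match means allow.
function evaluate(rules, resp) {
  const fields = responseFields(resp);
  for (const rule of rules) {
    if (!ruleMatches(rule, fields)) continue;
    return { action: { pass: "allow", drop: "block", alert: "alert" }[rule.action], msg: rule.msg };
  }
  return { action: "allow", msg: null };
}

// Constructed rule set: a pass rule for a trusted host, a drop rule for a known bad
// path, the article's CLSID rule, and a two-condition rule (headers AND body).
const SAMPLE_RULES = [
  'pass(msg:"trusted intranet host"; url_content:"://intranet.example.test/";)',
  'drop(msg:"known bad landing page"; url_content:"/landing.php?id="; nocase;)',
  'alert(msg:"attack detected"; body_content:"clsid|3A|"; nocase;)',
  'alert(msg:"executable served as a page"; headers_content:"Content-Type: application/x-msdownload"; body_content:"|4D 5A|";)',
].map(parseRule);

// Constructed responses (placeholder CLSID; MZ is the DOS executable header).
const SAMPLE_RESPONSES = {
  intranet: { url: "http://intranet.example.test/tools.html", headers: { "Content-Type": "text/html" },
              body: '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>' },
  activex:  { url: "http://www.example.test/page.html", headers: { "Content-Type": "text/html" },
              body: '<OBJECT CLASSID="CLSID:00000000-0000-0000-0000-000000000000"></OBJECT>' },
  exe:      { url: "http://www.example.test/update.html", headers: { "Content-Type": "application/x-msdownload" },
              body: "MZ\u0090\u0000\u0003\u0000" },
  landing:  { url: "http://www.example.test/LANDING.PHP?ID=7", headers: { "Content-Type": "text/html" }, body: "" },
  clean:    { url: "http://www.example.test/index.html", headers: { "Content-Type": "text/html" },
              body: "<html><body>hello</body></html>" },
};

for (const [name, resp] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name, evaluate(SAMPLE_RULES, resp));
}
```

Note that the intranet response contains the same clsid: string as the ActiveX one but is allowed, because the pass rule matches first and, as the article says, a pass stops further checking; the article's original unquoted form of the rule (msg without quotes, no semicolon after it, an unclosed pipe) is rejected by the parser.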
Figure: Whenever the traffic matches a rule, a pop-up window is displayed and the user is asked to choose an action to take.
Figure: After a threat is detected, you can view the triggered rule and the response HTTP headers of the URL in hex or text mode.