by November 2, 2007 0 comments

Firekeeper is an add-on IDS/IPS for Mozilla Firefox browser, which detects,
warns and blocks malicious websites. It scans all incoming traffic including
URLs, headers, and body of a webpage to detect browser-based attacks. For
compressed, encrypted or secure traffic (i.e. HTTPS), it scans after
decompressing or decrypting it. Firekeeper scans HTTP traffic and tries to look
for patterns of browser based attacks against a set of rules. The rules for
malwares and exploits are set by default, and you can also easily create custom
rules for detecting threats as well. They are based on the well-known IDS,
Snort. Whenever a threat is detected, Firekeeper displays its full description
like its URL, and online references related to it as an alert. Further, it also
asks the user where to keep this URL, and what action to take on it.

Direct Hit!
Applies To:
Firefox users
Price: Free
USP: Harden Firefox against browser based attacks
Primary Link:
Google Keywords:
Firekeeper, browser-based IDS/IPS

Installing this add-on is simple. Just download the firekeeper.xpi from the
URL mentioned in the Direct Hit box, and Firefox will automatically install it.
After installation restart the browser, and you can see the icon for Firekeeper
on the extreme right corner of the status bar. Now, as you surf the Web and a
website attacks your machine, this add-on will immediately display an alert and
prompt you to take action. You can take any of the four actions: blacklist,
white list, block once and allow once.

Firekeeper rules are made of two parts: Rule header and Rule options. The
header defines three actions that can be taken whenever a rule match is
detected: pass, drop, and alert. Whenever a ‘pass’ action rule match occurs, it
allows processing of HTTP traffic without going for any further checks.
Likewise, ‘drop’ action blocks all traffic without any user intervention, and
‘alert’ generates an Alert window.

The Rule options describe what should trigger an action and other information
about the rule. There are three choices: url_content, headers_content, and
body_content. Creating a rule is simple. open a text file and write

alert(msg: attack detected body_content:"clsid|3A";

In the body_content tag specify the content that you want to scan in the
incoming traffic, and in the msg tag define the message that should be displayed
when such content is detected. nocase tag signifies that the content specified
in the body_content tag will be searched without any arguments.

Whenever the traffic matches a
rule, a pop-up window is
displayed and user is asked to choose an action to take
After a threat is detected, you
can view the Triggered rule and response HTTP headers of the URL in hex or
text modes

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.