Firekeeper is an add-on IDS/IPS for the Mozilla Firefox browser that detects, warns about, and blocks malicious websites. It scans all incoming traffic, including the URLs, headers, and body of a web page, to detect browser-based attacks. For compressed, encrypted or secure traffic (i.e. HTTPS), it scans after decompressing or decrypting it. Firekeeper scans HTTP traffic and looks for patterns of browser-based attacks by matching it against a set of rules. The rules for malware and exploits are set by default, and you can also easily create custom rules for detecting threats. The rules are based on the well-known IDS, Snort. Whenever a threat is detected, Firekeeper displays an alert with its full description, such as its URL and online references related to it. Further, it also asks the user where to keep this URL, and what action to take on it.

Installing this add-on is simple. Just download firekeeper.xpi from the URL mentioned in the Direct Hit box, and Firefox will automatically install it. After installation, restart the browser, and you can see the Firekeeper icon in the extreme right corner of the status bar. Now, if a website attacks your machine as you surf the Web, this add-on will immediately display an alert and prompt you to take action. You can take any of four actions: blacklist, whitelist, block once, and allow once.

Firekeeper rules are made of two parts: the Rule header and the Rule options. The header defines three actions that can be taken whenever a rule match is detected: pass, drop, and alert. Whenever a 'pass' action rule match occurs, it allows processing of HTTP traffic without going for any further checks. Likewise, the 'drop' action blocks all traffic without any user intervention, and 'alert' generates an Alert window.
The Rule options describe what should trigger an action and other information about the rule. There are three choices: url_content, headers_content, and body_content. Creating a rule is simple. Open a text file and write:

alert(msg:"attack detected"; body_content:"clsid 13A"; nocase;)
In the body_content tag, specify the content that you want to scan for in the incoming traffic, and in the msg tag, define the message that should be displayed when such content is detected. The nocase tag, which takes no arguments, signifies that the content specified in the body_content tag will be searched for without regard to case.
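To make the rule semantics above concrete, here is an added example (not Firekeeper's own code) that parses rules of this shape and applies them to a constructed response. It assumes rules are checked in file order, that nocase modifies the preceding content option as in Snort, and that the function names and sample data are hypothetical.

```python
import re

ACTIONS = {"pass", "drop", "alert"}
CONTENT_KEYS = {"url_content", "headers_content", "body_content"}

def parse_rule(text):
    """Parse 'action(opt; opt:"value"; ...)' into a dict (simplified grammar)."""
    m = re.fullmatch(r'\s*(\w+)\s*\((.*)\)\s*', text, re.S)
    if not m or m.group(1) not in ACTIONS:
        raise ValueError("bad rule header: %r" % text)
    rule = {"action": m.group(1), "msg": "", "checks": []}
    # Each option is 'key:"value";' or a bare flag such as 'nocase;'.
    for key, value in re.findall(r'(\w+)\s*(?::\s*"([^"]*)")?\s*;', m.group(2)):
        if key in CONTENT_KEYS:
            rule["checks"].append({"part": key[:-len("_content")], "text": value, "nocase": False})
        elif key == "msg":
            rule["msg"] = value
        elif key == "nocase" and rule["checks"]:
            rule["checks"][-1]["nocase"] = True  # assumption: applies to preceding content
        else:
            raise ValueError("unsupported option: %r" % key)
    if not rule["checks"]:
        raise ValueError("rule has no content option")
    return rule

def evaluate(rules, url, headers, body):
    """Return (verdict, alert messages); rules are checked in order (assumption)."""
    parts = {"url": url, "headers": headers, "body": body}
    alerts = []
    for rule in rules:
        def hit(c):
            hay, needle = parts[c["part"]], c["text"]
            return needle.lower() in hay.lower() if c["nocase"] else needle in hay
        if all(hit(c) for c in rule["checks"]):
            if rule["action"] == "pass":
                return "pass", []        # allowed, no further checks
            if rule["action"] == "drop":
                return "drop", alerts    # blocked without user intervention
            alerts.append(rule["msg"])   # 'alert': message for the Alert window
    return ("alert" if alerts else "allow"), alerts

# Constructed sample rules and response body, for illustration only.
RULES = [parse_rule(r) for r in (
    'pass(url_content:"intranet.example/";)',
    'alert(msg:"attack detected"; body_content:"clsid 13A"; nocase;)',
)]
SAMPLE_BODY = '<object classid="CLSID 13A"></object>'
```

With these rules, the sample body raises the alert on an external URL despite the different letter case, while the same body served from the pass-listed URL is allowed before the alert rule is consulted.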
