Developer: How to protect FireFox from malware?

How to protect FireFox from malware?

Firekeeper scans all incoming traffic to your browser and uses rules to detect browser based attacks

Swapnil Arora

Tuesday, November 13, 2007

Firekeeper rules are made of two parts: Rule header and Rule options. The header defines three actions that can be taken whenever a rule match is detected: pass, drop, and alert. Whenever a 'pass' action rule match occurs, it allows processing of HTTP traffic without going for any further checks. Likewise, 'drop' action blocks all traffic without any user intervention, and 'alert' generates an Alert window.

The Rule options describe what should trigger an action and other information about the rule. There are three choices: url_content, headers_content, and body_content. Creating a rule is simple. open a text file and write

alert(msg: attack detected body_content:"clsid|3A"; nocase;)

In the body_content tag specify the content that you want to scan in the incoming traffic, and in the msg tag define the message that should be displayed when such content is detected. nocase tag signifies that the content specified in the body_content tag will be searched without any arguments.


Whenever the traffic matches a rule, a pop-up window is displayed and user is asked to choose an action to take	After a threat is detected, you can view the Triggered rule and response HTTP headers of the URL in hex or text modes