filename rule problem

Matt Kettler mkettler at EVI-INC.COM
Mon Oct 27 19:53:50 GMT 2003


At 02:31 PM 10/27/2003, Chris wrote:
>Hi,
>
>I'm getting complaints that the filename rules are too restrictive. I
>certainly understand why the rules are in place. The specific rule one of my
>clients has a problem with is the "Attempt to hide real filename extension"
>rule. The particular file that someone sent them was called
>"company.confidential.namechng.plan.doc". Obviously, this completely violates
>Windows filename conventions.
>
>I don't really think killing that rule is a good idea though, because then the
>system would perhaps allow nasty things in.
>
>Anyone had any experience with this?

Yes, I had problems with it too. I wound up modifying the double extension
rule into a handful of rules. The default one is just a bit too broad for
my tastes.

For reference the default rule is:
deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding     Attempt to hide real filename extension

Which looks for any 3 or 4 character extension that starts with a letter,
followed by any 3 character extension.

1) Double 3 char extensions are blocked, but I removed numerics from the
second extension. I don't know of any executable formats used by viruses
that have numbers in them, but I know of several that are commonly done with
lots of dots in the filename (i.e. .mp3).

deny    \.[a-z][a-z0-9]{2}\s*\.[a-z]{3}$        Found possible filename hiding     Attempt to hide real filename extension


2) I created several _specific_ 4 character extensions to look for a hidden
3 character extension after. I was having problems with things like resumes
sent to HR being named "kettler.matt.doc" and being caught, so I did not want
a generic "any 4 character extension" rule. Of course, you could still have
problems with 3 character names like "kettler.joe.doc", but those are less
common. 4-letter is generally more problematic as it gets quite a variety
of surnames as well, i.e. "joseph.hill.doc". There are also not very many
4-letter file extensions that are commonly used, so making a list of them
is much easier than making a list of 3 char extensions.

I specifically picked common 4 character extensions which are actually used
and that a user might mistake as being something "safe" if they can't see
the extra extension.

deny    \.text\s*\.[a-z]{3}$    Found possible filename hiding                     Attempt to hide real filename extension
deny    \.jpeg\s*\.[a-z]{3}$    Found possible filename hiding                     Attempt to hide real filename extension
deny    \.mpeg\s*\.[a-z]{3}$    Found possible filename hiding                     Attempt to hide real filename extension
deny    \.pict\s*\.[a-z]{3}$    Found possible filename hiding                     Attempt to hide real filename extension
deny    \.jiff\s*\.[a-z]{3}$    Found possible filename hiding                     Attempt to hide real filename extension
deny    \.html\s*\.[a-z]{3}$    Found possible filename hiding                     Attempt to hide real filename extension
deny    \.tiff\s*\.[a-z]{3}$    Found possible filename hiding                     Attempt to hide real filename extension
deny    \.vrml\s*\.[a-z]{3}$    Found possible filename hiding                     Attempt to hide real filename extension
deny    \.conf\s*\.[a-z]{3}$    Found possible filename hiding                     Attempt to hide real filename extension
deny    \.diff\s*\.[a-z]{3}$    Found possible filename hiding                     Attempt to hide real filename extension
deny    \.java\s*\.[a-z]{3}$    Found possible filename hiding                     Attempt to hide real filename extension
deny    \.cert\s*\.[a-z]{3}$    Found possible filename hiding                     Attempt to hide real filename extension
deny    \.icon\s*\.[a-z]{3}$    Found possible filename hiding                     Attempt to hide real filename extension
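To see how the default MailScanner rule and the narrowed rule set above differ on actual attachment names, here is a small added Python check; it is not part of the post or of MailScanner itself. It models only the regex column of each rule, assumes MailScanner applies the regexes case-insensitively, and uses constructed sample names (the client's complaint file, the HR resume case, a dotted mp3 and a genuinely hidden executable extension).

```python
import re

# Regexes copied from the post's rules (the second column of each rule line).
# Assumption: MailScanner matches them case-insensitively, mirrored with re.IGNORECASE.
DEFAULT_RULE = r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"

# The narrowed set: one generic 3-char rule (letters-only second extension)
# plus one rule per "safe looking" 4-char extension listed in the post.
SAFE_LOOKING_4CHAR = ("text", "jpeg", "mpeg", "pict", "jiff", "html", "tiff",
                      "vrml", "conf", "diff", "java", "cert", "icon")
NARROWED_RULES = [r"\.[a-z][a-z0-9]{2}\s*\.[a-z]{3}$"] + [
    rf"\.{ext}\s*\.[a-z]{{3}}$" for ext in SAFE_LOOKING_4CHAR
]


def first_match(filename, rules):
    """Return the first rule regex that denies `filename`, or None if it is allowed."""
    for pattern in rules:
        if re.search(pattern, filename, re.IGNORECASE):
            return pattern
    return None


def classify(filename):
    """Return (denied by the default rule, denied by the narrowed rules)."""
    return (first_match(filename, [DEFAULT_RULE]) is not None,
            first_match(filename, NARROWED_RULES) is not None)


# Constructed sample attachment names, not taken from real mail.
SAMPLES = [
    "company.confidential.namechng.plan.doc",  # the client's complaint
    "kettler.matt.doc",                        # resume with a 4-letter name
    "kettler.joe.doc",                         # resume with a 3-letter name
    "best.of.mix.mp3",                         # dotted media file
    "photo.jpeg.exe",                          # real hidden extension
    "Report.DOC .EXE",                         # upper case plus padding space
    "report.xls",                              # single extension
]

if __name__ == "__main__":
    for name in SAMPLES:
        default_denied, narrowed_denied = classify(name)
        print(f"{name:42} default={'deny' if default_denied else 'allow':5} "
              f"narrowed={'deny' if narrowed_denied else 'allow'}")
```

Running it shows the complaint file, the 4-letter resume name and the dotted mp3 pass the narrowed set while the 3-letter resume name and the real double extensions are still denied by both.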
More information about the MailScanner mailing list