March 14, 2007
This article was contributed by Jake Edge.
Websites with malicious content are a growing problem,
so tools to detect this content and alert the user to its presence
are quite welcome. A plugin for Firefox called
Firekeeper uses the ideas behind
intrusion
detection systems (IDS) and applies them to web traffic. Firekeeper
uses some of the rule syntax and pattern matching code from
Snort, the venerable open source IDS,
providing it with a solid foundation.
As with any IDS, the basic function of Firekeeper is to inspect the traffic
that it sees, applying pattern matching and a set of rules to decide what
action to take. A rule can alert the user and let them decide what to do,
drop the HTTP response without any user interaction, or accept the response
and continue processing it, also without consulting the user. Alert rules
can also carry extra information that is displayed with the alert to help
the user make an informed decision about what to do. That information can
take the form of text strings describing the content as well as references
to URLs, CVE entries and Bugtraq IDs, potentially giving the user a wealth
of background on the threat.
Firekeeper can do pattern matching on three parts of an HTTP or HTTPS
response: the URL, the headers and the body. The simplest form matches
literal strings in each of those pieces, but a Perl-compatible regular
expression (regexp) engine can be applied to each piece as well. The
documentation warns of serious performance implications from having too
many regexps, especially rules that do not also contain a literal string
match to narrow down which responses the regexp has to be run against;
that is good advice for most applications that use regexps.
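The rule model described in the two paragraphs above, as an added example that is not Firekeeper's own code: a toy engine with the three actions (alert, drop, pass), clauses that match literal strings or regexps against the URL, headers or body, and the literal-first ordering that keeps regexps off the hot path. The rule object layout, the sample rules, the placeholder references and the sample responses are all constructed for this example; Firekeeper's real rules use a Snort-derived text syntax, and JavaScript's RegExp stands in here for its PCRE engine.

```javascript
// Added example, not Firekeeper's own code. Rule layout, sample rules and
// sample responses are constructed; refs are placeholders, not real advisories.

const ACTIONS = new Set(["alert", "drop", "pass"]);

// Flatten the part of the response a clause applies to into one string.
function partText(response, part) {
  switch (part) {
    case "url":
      return response.url;
    case "headers":
      return Object.entries(response.headers)
        .map(([name, value]) => `${name}: ${value}`)
        .join("\r\n");
    case "body":
      return response.body;
    default:
      throw new Error(`unknown response part: ${part}`);
  }
}

// A rule fires only when every clause matches. Cheap literal "content"
// clauses run first; a regexp is compiled once (cached on the clause) and
// only evaluated if all literals already hit, which is the narrowing the
// Firekeeper documentation asks for.
function ruleMatches(rule, response) {
  const literals = rule.match.filter((m) => m.type === "content");
  const regexps = rule.match.filter((m) => m.type === "pcre");
  for (const m of literals) {
    if (!partText(response, m.part).includes(m.pattern)) return false;
  }
  for (const m of regexps) {
    if (!m.compiled) m.compiled = new RegExp(m.pattern, m.flags || "");
    if (!m.compiled.test(partText(response, m.part))) return false;
  }
  return true;
}

// Load-time validation: reject unknown actions and warn about rules made
// only of regexps, since those have to run against every response.
function checkRules(rules) {
  const warnings = [];
  for (const r of rules) {
    if (!ACTIONS.has(r.action)) throw new Error(`bad action in rule "${r.msg}"`);
    if (r.match.length > 0 && r.match.every((m) => m.type === "pcre")) {
      warnings.push(`rule "${r.msg}" has no literal clause to narrow the search`);
    }
  }
  return warnings;
}

// Decide what to do with one response: a matching pass rule wins outright
// (whitelist), a matching drop rule blocks the response, otherwise any
// matching alert rules are collected for the user; no match means allow.
function inspect(rules, response) {
  const hits = rules.filter((r) => ruleMatches(r, response));
  if (hits.some((r) => r.action === "pass")) return { action: "pass", alerts: [] };
  const alerts = hits.map((r) => ({ msg: r.msg, refs: r.refs || [] }));
  const action = hits.some((r) => r.action === "drop") ? "drop"
    : alerts.length > 0 ? "alert" : "allow";
  return { action, alerts };
}

// Constructed sample rule set.
const RULES = [
  { action: "pass", msg: "Local test server",
    match: [{ part: "url", type: "content", pattern: "://localhost/" }] },
  { action: "drop", msg: "PE executable served as an image",
    refs: ["url,example.com/notes/pe-as-image"], // placeholder
    match: [{ part: "headers", type: "content", pattern: "Content-Type: image/" },
            { part: "body", type: "content", pattern: "MZ" },
            { part: "body", type: "pcre", pattern: "^MZ" }] },
  { action: "alert", msg: "Heap-spray style unescape() of %u escapes",
    refs: ["url,example.com/notes/heap-spray"], // placeholder
    match: [{ part: "body", type: "content", pattern: "unescape(" },
            { part: "body", type: "pcre", flags: "i",
              pattern: "unescape\\(\\s*[\"'](%u[0-9a-f]{4}){4,}" }] },
  { action: "alert", msg: "Very long URL", // regexp-only: checkRules warns
    match: [{ part: "url", type: "pcre", pattern: "^.{2048,}$" }] },
];

// Constructed sample responses.
const SPRAY_PAGE = {
  url: "http://example.com/promo.html",
  headers: { "Content-Type": "text/html" },
  body: "<script>var s = unescape('%u9090%u9090%u9090%u9090%u9090');</script>",
};
const FAKE_IMAGE = {
  url: "http://example.com/pic.gif",
  headers: { "Content-Type": "image/gif", "Content-Length": "1234" },
  body: "MZ\x90\x00\x03\x00\x00\x00",
};
const LOCAL_PAGE = { ...SPRAY_PAGE, url: "http://localhost/test.html" };

console.log(checkRules(RULES));
for (const r of [SPRAY_PAGE, FAKE_IMAGE, LOCAL_PAGE]) console.log(r.url, inspect(RULES, r));
```

The same heap-spray body is allowed through when served from localhost because the pass rule wins, which is exactly why pass rules in a rule set deserve as much scrutiny as the drop rules.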
Firekeeper can be downloaded from the project site and it installs flawlessly,
if one is willing to add the site (hosted at mozdev.org) to the list
of trusted plugin locations and to ignore the fact that the code is unsigned.
The source is available from the site as well, so those uncomfortable with
bypassing those checks can build their own version. It comes with a handful
of default rules and a test page to try them out. Visiting various sites
with Firekeeper enabled while working on this article did not noticeably
slow down the browser for the author and, other than the tests, did not
trigger any rules.
Any IDS is an invasive program with access to all sorts of information
one probably wants to keep private, particularly decrypted network data.
This makes IDS programs high-profile targets for exploitation: if an
attacker can send a packet or series of packets that subverts the IDS,
they can potentially eavesdrop on all of the traffic it sees, even encrypted
traffic. Because Firekeeper has access to decrypted HTTPS traffic,
there is reason to be concerned that the plugin could be subverted via
the same kinds of remotely exploitable vulnerabilities that have hit
Snort itself; a recent example is
here.
Firekeeper implements only a small subset of the Snort functionality, which
should make that less likely, but its string and regexp matching is still
being run over attacker-supplied data, so users of the plugin should be
aware of the possibility.
An IDS is only as good as its rules, and newer exploits (and
so-called 0-days)
will not yet have rules available, leaving a window of vulnerability.
Firekeeper does have provisions for loading rule files from external sites,
which would help propagate new rules quickly, at least for users who
restart their browser frequently. That mechanism has its own set of
security issues, of course: anyone who can tamper with a rule file on its
way to the browser can disable or rewrite the rules, so such a download
needs to be integrity-checked rather than trusted blindly.
Firekeeper is certainly not for less technical users and probably never will
be. Understanding the alerts requires too much knowledge of web protocols
and security threats, and there are too many false positives to turn the
alerts into blocks. Like many security tools and techniques, it is no
panacea; it will not stop all browser-targeted attacks, but it does have
its uses. An alert that a site has tried to exploit a browser bug, even one
that does not affect the browser version being used, is still useful
information that can help users avoid dodgy sites.