topic Re: Block known bad TLDs? in General Topics

Block known bad TLDs?

grumpycat — Wed, 02 Sep 2015 13:22:29 GMT

My CISO want's to block known bad TLDs (such as .zip or .review) in our Palo. I know how to block specific url(s), but is there any way to block an entire TLD?

I'm running into issues blocking *.zip since it will also block legitimate URL traffic that has *.zip* in its URL.

Re: Block known bad TLDs?

mvidic — Wed, 02 Sep 2015 13:49:16 GMT

You could try to define custom applications using regex signatures for http GET requests and block those applications in the security rulebase.

Re: Block known bad TLDs?

Lucky — Wed, 02 Sep 2015 18:06:03 GMT

Hi Grumpycat, welcome,

did you try blocking *.zip/ with the slash at the end? If that does not work, you might as well either accept false positives (and act upon them manually by allowing custom URLs reported to you in a separate whitelist) or trust to the other defensive mechanisms of firewall (vulnerabilities and threats protection, etc) and create separate custom category for any *.zip and set action to it as "continue", with fair warning to the users that they might be visiting malicious domain and to take extra caution...

Or, to alter suggestion by mvidic, try to play with regex, apps and custom signatures and try to allow certain longer urls that contain .zip in the URL (downloads of zip files...?) but I can't wrap my head around the fact that you want to block .zip but don't want to block it at the same time, can you share offending urls as examples so we can take a look at them perhaps?

Regards

Luciano

Re: Block known bad TLDs?

BenjAudy.MTL — Wed, 02 Sep 2015 18:33:23 GMT

Hi,

I just tried with the ".how" TLD and it blocks correctly with the filter "*.how/".

Benjamin

Re: Block known bad TLDs?

Lucky — Wed, 02 Sep 2015 18:38:45 GMT

Hi Benjamin,

FWIW - I think OPs problem was that *.zip filter caught more than they bargained for (it was also blocking any zip file download, I assume) 🙂 I am not sure how their specific .zip download URL was looking like.... all those download links are doing weird things with redirections and stuff, just to force-feed you more ads, maybe it was http://whatever.domain/some_file.zip/than_page_with_ads/something.html 🙂

Thanks for the quick test, tho, everyone appreciates some concrete and quick help.

Regards

Re: Block known bad TLDs?

BenjAudy.MTL — Wed, 02 Sep 2015 19:02:55 GMT

Actually, I tried the URL "http://www.howstuffworks.com/a.how" and the firewall doesn't block the request, so the filter seems to do what the OP wanted.

Regards,

Benjamin

Re: Block known bad TLDs?

grumpycat — Thu, 03 Sep 2015 17:17:44 GMT

I have not, but I will definitely try. Thanks for the suggestion!

Re: Block known bad TLDs?

grumpycat — Thu, 03 Sep 2015 17:30:24 GMT

Exactly. Here's a good example of the situation that I ran into when I tried to block ".zip/".

I tested downloading FileZilla at 'sourceforge.net/projects/filezilla/files/FileZilla_Client/3.13.1/FileZilla_3.13.1_win32.zip/download?nowrap'

Looking in my Palo, this URL was blocked. I've also opened up a Palo support case to see if an engineer has any recommendations. Who knows, this may end up as a feature request. 🙂

Re: Block known bad TLDs?

BenjAudy.MTL — Thu, 03 Sep 2015 17:57:12 GMT

Which version of Pan-OS are you using? It works properly on my firewall (v6.1.6) :

Benjamin

Re: Block known bad TLDs?

grumpycat — Thu, 03 Sep 2015 18:03:19 GMT

I'm running 6.1.4. I guess it could be a versioning issue. Let me do some more testing to make sure I didn't flub up on something. I appreciate your ongoing help.

Re: Block known bad TLDs?

Lucky — Fri, 04 Sep 2015 06:54:52 GMT

Hi,

I am not sure how are you going to distinguish between 'something.zip/download?nowrap' and 'sourceforge.net/projects/filezilla/files/FileZilla_Client/3.13.1/FileZilla_3.13.1_win32.zip/download?nowrap'? .... and even something.zip can have subdomains and sub-subdomains, so you can't work around http:// neither....I think that your best guess is still to go with "continue" for this special category, if that matching of .zip/ does not work out 🙂

regards