topic Re: URL Filteting question in General Topics

URL Filteting question

aaobuhov — Wed, 30 Jan 2019 10:56:00 GMT

We received an alert about the behavior of the virus.

The malicious loader is downloaded from the URL of compromised legitimate sites, where it is disguised as an image.
The URL by which the malicious loader is hosted, all addresses end with the string abc.jpg.

The string in the URLs where the encryptor is hosted is:
hxxp://[anything]/abc.jpg

I read that "File Blocking" does not block files by masks.

Is it possible to block the address by the mask "*/abc.jpg" by creating a Custom URL Category?

If yes, then this category is better to connect to Policies -> URL Category -> Action: Deny
Either in Profiles -> Url Filtering

Ready to discuss other options.

Re: URL Filteting question

Brandon_Wertz — Wed, 30 Jan 2019 13:08:00 GMT

@aaobuhov wrote:
We received an alert about the behavior of the virus.

The malicious loader is downloaded from the URL of compromised legitimate sites, where it is disguised as an image.
The URL by which the malicious loader is hosted, all addresses end with the string abc.jpg.

The string in the URLs where the encryptor is hosted is:
hxxp://[anything]/abc.jpg

I read that "File Blocking" does not block files by masks.

Is it possible to block the address by the mask "*/abc.jpg" by creating a Custom URL Category?
If yes, then this category is better to connect to Policies -> URL Category -> Action: Deny
Either in Profiles -> Url Filtering

Ready to discuss other options.

I'm not 100% sure on what you're saying...

Are you saying a legit site his hosting a malicious file which someone is attempting to obfuscate by labelling it as a ".jpg?" Users click on what they think is an image, when in-fact it's some other malicious file?

I'm not certain, but I thought the file-blocking policy actually looks at the file type and not merely the file extension.

That said these two scenarios should work:

The site isn't an SSL site it should see the URI path and you should be able to add the URL to custom URL category which you can then override and block

The site is SSL and you are decrypting the original URL category...The firewall will be able to see the full URI which you can place in a custom URL category, override and block the specific URI.

Re: URL Filteting question

aaobuhov — Wed, 30 Jan 2019 13:37:44 GMT

Thanks for reply.

As far as i know, sites are not an SSL, but it is about hundreds of URLs.

Common - file name only.

*/abc.jpg - is this part will be enough for URL?

>it should see the URI path and you should be able to add the URL to custom URL category which you can then override and block.

You tell about "Profiles -> Url Filtering"?

Re: URL Filteting question

Brandon_Wertz — Wed, 30 Jan 2019 13:57:35 GMT

@aaobuhov wrote:
Thanks for reply.

As far as i know, sites are not an SSL, but it is about hundreds of URLs.
Common - file name only.

*/abc.jpg - is this part will be enough for URL?

* = anything preceeding what comes next

So if the filename is always /abc.jpg and you're wanting to catch randomness ahead of /abc.jpg then yes */abc.jpg would be correct. I would be warry of thinking this won't potentially catch other legit things you're wanting to allow.

@aaobuhov wrote:
Thanks for reply.

>it should see the URI path and you should be able to add the URL to custom URL category which you can then override and block.
You tell about "Profiles -> Url Filtering"?

Yes security profiles --> URL Filtering, but you'll want to also create a "custom object" --> "URL Category" object set that custom group to a "Deny" in your URL filtering profile.

Re: URL Filteting question

aaobuhov — Thu, 31 Jan 2019 07:32:26 GMT

Tested this feature by downloading a specific pdf file from a non-SSL site.

For a category that includes this site i set - alert.
For Custom URL "*/test.pdf" - block

When accessing a file by link or downloading, the category does not change, there is no lock. Alert in log.

For interest added to the Custom URL site:
testsite.com
* .testsite.com
When i access the site, in the logs i see that its category has changed to Custom and access to the site has been blocked.

Thus, this solution does not work.

Re: URL Filteting question

ShaiW — Thu, 31 Jan 2019 08:43:35 GMT

You could also try adding a custom application.
Objects -> Applications -> Add
In the Configuration screen, make sure to use web-browsing as Parent App and check the Capable of File Transfer
In the Advanced screen, add 'tcp/80' as default port and check 'File Types' & 'Viruses'
In the Signatures screen, add a signature and add one Condition:
Operator: Pattern Match
Context: http-req-uri-path
Pattern: abc\.jpg

You might need to change the scope to session and re-test if it does not work at first.
The premise here is to create a custom application based on web-browsing that will match when the URI (everything after the first slash for any URL/site) regex-matches abc.jpg. After you are successfuly matching (you'll see this application name in the traffic log) then just block this new custom application in policy.

As stated above, this could match other traffic so be aware of this.

If you take a packet-capture you should be able to see more http-headers that might help you narrowing down false positives.

Lastly - rolling back in case of problems is to just disable or delete the new custom application you created.

Hope this helps,
Shai

Re: URL Filteting question

aaobuhov — Thu, 31 Jan 2019 09:19:21 GMT

Thanks, ShaiW. Good idea.

Creating a separate application for each file mask seems to me not correct.
Is it possible to make same in Custom Objects -> Vulnerability for this scenario?

Re: URL Filteting question

BPry — Fri, 01 Feb 2019 03:14:06 GMT

@aaobuhov,

@aaobuhov wrote:
Thanks, ShaiW. Good idea.

Creating a separate application for each file mask seems to me not correct.

So the set extension isn't staying the same then, or what do you mean by file mask?

The issue with trying to help you build a vulnerability signature with a file that has a renamed extension like this is we can't really do it for you without samples to work with. You need to take a packet capture to see if you actually can build a custom vulnerability signature to match what you are looking for; can a vulnerability signature be built to detect this, absolutely, but we would need a few examples to actually work with.