URL Filteting question

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

URL Filteting question

L2 Linker

We received an alert about the behavior of the virus.

 

The malicious loader is downloaded from the URL of compromised legitimate sites, where it is disguised as an image.
The URL by which the malicious loader is hosted, all addresses end with the string abc.jpg.

 

The string in the URLs where the encryptor is hosted is:
hxxp://[anything]/abc.jpg

 

I read that "File Blocking" does not block files by masks.

 

Is it possible to block the address by the mask "*/abc.jpg" by creating a Custom URL Category?

If yes, then this category is better to connect to Policies -> URL Category -> Action: Deny
Either in Profiles -> Url Filtering

 

Ready to discuss other options.

 

7 REPLIES 7

L6 Presenter

@aaobuhov wrote:

We received an alert about the behavior of the virus.

 

The malicious loader is downloaded from the URL of compromised legitimate sites, where it is disguised as an image.
The URL by which the malicious loader is hosted, all addresses end with the string abc.jpg.

 

The string in the URLs where the encryptor is hosted is:
hxxp://[anything]/abc.jpg

 

I read that "File Blocking" does not block files by masks.

 

Is it possible to block the address by the mask "*/abc.jpg" by creating a Custom URL Category?

If yes, then this category is better to connect to Policies -> URL Category -> Action: Deny
Either in Profiles -> Url Filtering

 

Ready to discuss other options.

 


 

I'm not 100% sure on what you're saying...

 

Are you saying a legit site his hosting a malicious file which someone is attempting to obfuscate by labelling it as a ".jpg?"  Users click on what they think is an image, when in-fact it's some other malicious file?

 

I'm not certain, but I thought the file-blocking policy actually looks at the file type and not merely the file extension.

 

That said these two scenarios should work:

 

The site isn't an SSL site it should see the URI path and you should be able to add the URL to custom URL category which you can then override and block

 

OR

The site is SSL and you are decrypting the original URL category...The firewall will be able to see the full URI which you can place in a custom URL category, override and block the specific URI.

Thanks for reply.

 

As far as i know, sites are not an SSL, but it is about hundreds of URLs.

Common - file name only.

 

*/abc.jpg - is this part will be enough for URL?

 

>it should see the URI path and you should be able to add the URL to custom URL category which you can then override and block.

You tell about "Profiles -> Url Filtering"?

 


@aaobuhov wrote:

Thanks for reply.

 

As far as i know, sites are not an SSL, but it is about hundreds of URLs.

Common - file name only.

 

*/abc.jpg - is this part will be enough for URL?

 

 


 

* = anything preceeding what comes next   

 

So if the filename is always /abc.jpg and you're wanting to catch randomness ahead of /abc.jpg then yes */abc.jpg would be correct.  I would be warry of thinking this won't potentially catch other legit things you're wanting to allow.

 

 

 


@aaobuhov wrote:

Thanks for reply.

 

 

 

>it should see the URI path and you should be able to add the URL to custom URL category which you can then override and block.

You tell about "Profiles -> Url Filtering"?

 



 Yes security profiles --> URL Filtering, but you'll want to also create a "custom object" --> "URL Category" object set that custom group to a "Deny" in your URL filtering profile.

Tested this feature by downloading a specific pdf file from a non-SSL site.

For a category that includes this site i set - alert.
For Custom URL "*/test.pdf" - block

When accessing a file by link or downloading, the category does not change, there is no lock. Alert in log.

 

For interest added to the Custom URL site:
testsite.com
* .testsite.com
When i access the site, in the logs i see that its category has changed to Custom and access to the site has been blocked.

 

Thus, this solution does not work.

Hi

You could also try adding a custom application.
Objects -> Applications -> Add
In the Configuration screen, make sure to use web-browsing as Parent App and check the Capable of File Transfer
In the Advanced screen, add 'tcp/80' as default port and check 'File Types' & 'Viruses'
In the Signatures screen, add a signature and add one Condition:
Operator: Pattern Match
Context: http-req-uri-path
Pattern: abc\.jpg

You might need to change the scope to session and re-test if it does not work at first.
The premise here is to create a custom application based on web-browsing that will match when the URI (everything after the first slash for any URL/site) regex-matches abc.jpg. After you are successfuly matching (you'll see this application name in the traffic log) then just block this new custom application in policy.

As stated above, this could match other traffic so be aware of this.

If you take a packet-capture you should be able to see more http-headers that might help you narrowing down false positives.

Lastly - rolling back in case of problems is to just disable or delete the new custom application you created.

Hope this helps,
Shai

Thanks, ShaiW. Good idea.

 

Creating a separate application for each file mask seems to me not correct.
Is it possible to make same in Custom Objects -> Vulnerability for this scenario?

 

@aaobuhov,


@aaobuhov wrote:

Thanks, ShaiW. Good idea.

 

Creating a separate application for each file mask seems to me not correct.


So the set extension isn't staying the same then, or what do you mean by file mask? 

 

The issue with trying to help you build a vulnerability signature with a file that has a renamed extension like this is we can't really do it for you without samples to work with. You need to take a packet capture to see if you actually can build a custom vulnerability signature to match what you are looking for; can a vulnerability signature be built to detect this, absolutely, but we would need a few examples to actually work with. 

  • 5239 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!