Limiting File Size Upload using Custom Signature

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Limiting File Size Upload using Custom Signature

L1 Bithead

Users in enterprise often use web based file hosting to upload big files. This creates concerns in the usage of networks bandwidth and server storage capacity, as the file can be bigger than 1GB. Below steps are usefull to control file size uploaded to a web server using HTTP Request Content-Length parameter.

 

PAN-OS version: 6.1.0-b43

 

 

  1. Create a custom signature vulnerability

 

Go to Objects Tab > Custom Objects > Vulnerability, then click “Add”,

Fill-in required fields as shown below:

 1.1.jpg

Click “Signatures” Tab, then click “Add”. In Standard window, type in the Signature Name:

 1.2.jpg

 

At the bottom of “Standard” window, click “Add And Condition”:

 1.3.png

 

Inside “Or Condition” window, choose Operator to “Greater Than”, choose Context to “http-req-content-length”. To limit file size up to 10 MB, we need to fill-in the Value in bytes, 10MB equals to “10485760”

 1.4.jpg

 

Then click “OK”, click “OK” again.

 

Or, you can just save below text as BLOCK-FILE-10MB.xml file and click “Import” in Objects Tab > Custom Objects > Vulnerability.

 

<vulnerability-threat version="6.1.0">

<entry name="41001">

   <signature>

     <standard>

       <entry name="BLOCK-FILE-10MB">

         <and-condition>

           <entry name="And Condition 1">

             <or-condition>

               <entry name="Or Condition 1">

                 <operator>

                   <greater-than>

                     <value>10485760</value>

                     <context>http-req-content-length</context>

                   </greater-than>

                 </operator>

               </entry>

             </or-condition>

           </entry>

         </and-condition>

         <order-free>no</order-free>

         <scope>protocol-data-unit</scope>

       </entry>

     </standard>

   </signature>

   <default-action>

     <reset-client/>

   </default-action>

   <threatname>BLOCK-FILE-UPLOAD</threatname>

   <severity>critical</severity>

   <direction>client2server</direction>

 

  1. Create a Vulnerability Protection profile

 

Go to Objects Tab > Security Profiles > Vulnerability Protection, then click “Add”,

You can name the profile as “VP-FILE-UPLOAD”:

 2.1.jpg

Then click “Add”, and fill-in Rule Name, Theat Name, and others similarly as below picture:

 2.2.jpg

 

After finish, then click “OK”, click “OK”.

 

  1. Create Security Policy

 

Go to Policies Tab > Security, then create security policy similarly as below:

 3.1.jpg

3.2.jpg

 

Don’t forget to assign vulnerability protection profile “VP-FILE-UPLOAD” under “Actions” tab:

 3.3.jpg

 

Click “OK”, then click “Commit”.

 

  1. File Upload Testing

 

Open the browser, and type www.filehosting.org

Click “Choose File”, then find any file larger than 10MB:

 4.1.jpg

When uploading a file with size more than 10MB (10485760 bytes), the firewall block and reset the connection.

 

Below is the capture of the packet that show “Content-Length” value is more than 10MB:

 4.2.jpg

And the browser shows blank page:

 4.3.jpg

 

 

  1. Check Firewall Threat Logs

 

Threat Logs shows the firewall catch “Content-Length” parameter which is greater than allowable size.

 5.1.jpg

 

5.2.jpg

0 REPLIES 0
  • 3680 Views
  • 0 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!