01-19-2016 08:53 AM
I am currently researching a way to intercept traffic from an unsupported IE browser and then feed the information about the host, mainly the FQDN hostname or IP address of the host, into the PAN dynamically based on the user-agent:
IE8 - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
IE9 - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
IE 10 - Mozilla/5.0 (compatible; WOW64; MSIE 10.0; Windows NT 6.2)
One way I am thinking of doing this is to have a tcpdump stream pick up the traffic between the internal host and the PAN before it gets out to the Internet. The PCAP would then have the information I am looking for. I am thinking that I can grep the info I need and build a list that can update a dynamic block list.
Has anyone been able to accomplish this?
01-19-2016 11:15 AM
I was hoping we'd be able to create a custom app sig based upon user-agent, but I didn't see where that was an option. Given that 6.1.X brought about the ability to at least see a user agent in the log, I was hoping there could be some deeper controls around this field, but I haven't been able to find one.
01-20-2016 12:44 AM
I am blocking unwanted browsers in a different way: with custom IPS signatures. You can make a signature that matches a certain string within the http header (pattern match -> http-req-header -> 'string'). Then you can set that signature to allow/alert/block.
However, detection of the browser by UA string is not reliable. For a start, it's not easy to make patterns that uniquely identify different browsers, as many use the same words (http://www.useragentstring.com/pages/Browserlist/). And most browsers allow changing the UA; with some it's already built-in functionality, while for others there are extensions.
01-20-2016 07:51 AM - edited 01-20-2016 07:53 AM
Of course you can do that with custom app 🙂
In the Advanced tab when you create a new app, you can define your own signature. If you select, for example, http-request-header and the pattern "Chrome\/", it will work.
For other browsers, just make a TCP dump of your http request "GET" and identify the unique stream.
But it's true, it will not be very efficient; nothing is easier to fake than an http header 🙂
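As an added example (not code from any poster here), the grep-the-PCAP idea from the first post and the header-pattern idea from this reply, combined into one script: it classifies constructed "client-ip user-agent" records as a tcpdump/grep pass might produce them, collects the hosts still running IE 10 or older into an External Dynamic List, and shows why a naive substring such as "Chrome\/" over-matches. The record format, sample IPs and the 10.x cutoff are assumptions for illustration.

```python
import re

# Constructed sample records: "<client-ip> <User-Agent header value>", one per request,
# as a grep over tcpdump output might yield them (addresses and UAs are made up / public).
SAMPLE_REQUESTS = [
    "10.1.1.20 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
    "10.1.1.21 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "10.1.1.22 Mozilla/5.0 (compatible; WOW64; MSIE 10.0; Windows NT 6.2)",
    "10.1.1.23 Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko",
    "10.1.1.24 Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36",
    "10.1.1.20 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
    "10.1.1.25 Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.17",
    "10.1.1.26 Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240",
]

MSIE_RE = re.compile(r"\bMSIE (\d+)\.\d+")      # IE <= 10 announces "MSIE N.0"
TRIDENT_RE = re.compile(r"Trident/(\d+)\.\d+")  # IE 11 dropped MSIE and carries Trident/7.0


def ie_major_version(ua):
    """Return the IE major version claimed by a UA string, or None if it is not IE."""
    m = MSIE_RE.search(ua)
    if m:
        return int(m.group(1))
    t = TRIDENT_RE.search(ua)
    if t and t.group(1) == "7":  # Trident/7.0 with no MSIE token is IE 11
        return 11
    return None


def unsupported_ie_hosts(records, max_unsupported=10):
    """Unique client IPs whose UA claims IE <= max_unsupported, in first-seen order."""
    seen = []
    for rec in records:
        ip, _, ua = rec.partition(" ")
        ver = ie_major_version(ua)
        if ver is not None and ver <= max_unsupported and ip not in seen:
            seen.append(ip)
    return seen


def hosts_matching_pattern(records, pattern):
    """IPs whose UA matches a raw header pattern, e.g. r"Chrome\/" (also hits Edge)."""
    rx = re.compile(pattern)
    return sorted({r.partition(" ")[0] for r in records if rx.search(r.partition(" ")[2])})


def render_edl(ips):
    """Format IPs as an External Dynamic List: one entry per line, newline-terminated."""
    return "".join(ip + "\n" for ip in ips)
```

The EDL text is what a PAN "dynamic block list" object fetches over HTTP; serve it from a host the firewall can reach and re-run the script on each new capture. As the thread notes, the UA is trivially changed, so treat the list as an inventory aid rather than a security boundary.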
01-20-2016 11:08 PM
I was also considering whether to do it with a custom App or a custom IPS signature. In the end I decided on the IPS signature because I still want to see what app is being used (web-browsing, http-video...) instead of just which browser is being used.