how to block mp3 ?

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L3 Networker

how to block mp3 ?

hi ,

i just got a request from a custoer on how to block mp3.. so as currently PanOS doesnt detect it , can we add it as a signature ?

BR

Highlighted
L6 Presenter

You can write a custom app to detect .mp3 extension in HTTP.  Enclosed is a custom appID to look for .jpg images written for PAN-OS verison 3.1.x.  The signature is looking in the URI path and matching on  the string ‘\.jpg HTTP’ without the quote.  Typically the web request would look like this:

GET /images/twitter_corp.jpg HTTP/1.1\r\n

GET /images/logo.jpg HTTP/1.1\r\n

Please import this appID into the PA device and test.  Once verified, you can clone the app and change the app to match .mp3. 

Thanks.

Highlighted
L3 Networker

hi,

it did not work for the site which am testing for ill attach the screenshot, i also did several test on other site some of them show the extension up to .mp3 some not ...

Highlighted
L6 Presenter

The custom signature is looking for pattern '.jpg HTTP' in the URI.  If you changed the pattern to '.mp3 HTTP', then we are looking for this pattern and it must be an exact match.  Your example has URI '...dh-wahshny.html HTTP/1.1' which does not contain '.mp3 HTTP'.

My suggestion will not catch all .mp3 files if the downloaded content does not end in .mp3 extension.  You may want to contact your local Palo Alto account team and submit a feature request.

Thanks.

Highlighted
L3 Networker

Maybe you try to make a data-filtering profile for the file-type mp3 ?

- Edit - seems indeed that mp3 is not amongst the supported file-types.

You could enter a feature request to add this file-type...

Message was edited by: Bart.Jocque

Highlighted
L3 Networker

well i dont think this even will work.. even if i tried to block a url with *.mp3 it wont work as some sites hide the extension from the url ..

Highlighted
Not applicable

Now it does, mp3 and also mp4.

Highlighted
L6 Presenter

Is it possible for you to attach your signature that works?

I think you must act on both fileextension aswell as mimetype if you write your own signature, something like:

fileext: .mp3

OR

mime-type: audio/mp3 (or whatever its called)

however this can be evaded by using octet-stream as mime-type and then the client app will detect what this file is based on magic bytes.

If im not mistaken the file function in PA (when you select filetypes) will to both fileext, mimetype and magic bytes to detect files however the file detection in PA currently only works for http, ftp, smtp, pop3 and imap streams (if im not mistaken).

Highlighted
Not applicable

No special signature, just now there's (I'm running 4.1.6) option to block mp3's and mp4's with File Blocking. See the attached image.

Highlighted
L3 Networker

it looks starting from 4.1.4 mp3 and mp4 can be added to file blocking profiles, i will test and update here guys.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!