Block Body Content Types

Hello,

I cannot find a easy way to block body content types for *.com, *.vbs and more other file extensions.
When I search for the HEX codes at https://mark0.net/soft-trid-deflist-c.html I found 380 entries. I don't know which on is the correct hex code.
Can anybody please help me, to do the configuration correct?

Comments

  • You can use URL Paths to block these.
    Example: Pattern Match = *.vbs
    Action = Deny

  • Yes, Iknow. But it does not work. But it does not work

  • Please describe an example, including the URL, where this does not work.
    You can select Log on the URL Paths None Matched entry to see an entry in Traffic Monitor showing the DNS name and the URL path.

  • Here is a log output. I tried to download puttygen.exe and puttytel.exe. Both files could be downloaded.
    Deep Paket Inspection is enabled and working
    2020-09-17 15:49:09 Allow 10.0.0.222 93.93.131.124 https/tcp 55263 443 1-Trusted 0-External ProxyAllow: HTTP File submitted to APT analysis server (HTTPS-proxy_LAN-DPI-00) HTTP-Proxy_LAN proc_id="http-proxy" rc="590" msg_id="1AFF-0036" proxy_act="HTTP-Proxy_LAN" host="the.earth.li" path="/~sgtatham/putty/0.74/w64/puttytel.exe" md5="edaa7dce6f02bf7c01c03752020dd329" task_uuid="96106360d6f800201e599875a540accd" src_user="username@domain.net" Traffic 2020-09-17 15:51:28 Allow 10.0.0.222 93.93.131.124 https/tcp 55346 443 1-Trusted 0-External ProxyAllow: HTTP Request categories (HTTPS-proxy_LAN-DPI-00) HTTP-Proxy_LAN proc_id="http-proxy" rc="590" msg_id="1AFF-0021" proxy_act="HTTP-Proxy_LAN" cats="Information Technology" op="GET" dstname="the.earth.li" arg="/~sgtatham/putty/latest/w32/puttygen.exe" src_user="username@domain.net" Traffic 2020-09-17 15:51:28 Allow 10.0.0.222 93.93.131.124 https/tcp 55346 443 1-Trusted 0-External ProxyAllow: HTTP Request categories (HTTPS-proxy_LAN-DPI-00) HTTP-Proxy_LAN proc_id="http-proxy" rc="590" msg_id="1AFF-0021" proxy_act="HTTP-Proxy_LAN" cats="Information Technology" op="GET" dstname="the.earth.li" arg="/~sgtatham/putty/0.74/w32/puttygen.exe" src_user="username@domain.net" Traffic

  • I found out that in Content types application/* is allowed.
    I think this is the problem

  • No, that is not the reason.

    I added a URL Paths for *.exe set to deny, and when to the URL that you did.
    Here are my results:

    Request denied by WatchGuard HTTP proxy for Bruce.
    Reason: request URL denied rule='*.exe'
    Method: GET
    Host: the.earth.li
    Path: /~sgtatham/putty/0.74/w64/puttytel.exe

    2020-09-17 12:45:17 Deny 10.0.1.2 93.93.131.124 http/tcp 49447 80 Trust-VLAN External ProxyDeny: HTTP request URL match (HTTP-proxy_for_Bruce-PC-00) HTTP-Client_bruce proc_id="http-proxy" rc="595" msg_id="1AFF-000B" proxy_act="HTTP-Client_bruce" rule_name="*.exe" dstname="the.earth.li" arg="/~sgtatham/putty/0.74/w64/puttytel.exe" geo_dst="GBR" Traffic

  • Similarly, a URL Path deny for *puttytel.exe also works:

    2020-09-17 13:25:07 Deny 10.0.1.2 93.93.131.124 http/tcp 49673 80 Trust-VLAN External ProxyDeny: HTTP request URL match (HTTP-proxy_for_Bruce-PC-00) HTTP-Client_bruce proc_id="http-proxy" rc="595" msg_id="1AFF-000B" proxy_act="HTTP-Client_bruce" rule_name="puttytel.exe" dstname="the.earth.li" arg="/~sgtatham/putty/0.74/w64/puttytel.exe" geo_dst="GBR" Traffic

  • I tested the.earth.li/~sgtatham/putty/0.74/w64/puttytel.exe and the default Windows EXE\DLL rule blocked it.

    Gregg Hill

  • My attempt to get the EXE at https://the.earth.li/~sgtatham/putty/0.74/w32/puttygen.exe

    here's the result (it is blocked as expected):

    Response denied by WatchGuard HTTP Proxy.
    Reason: body content-type denied rule='Windows EXE/DLL'
    Please contact your administrator for assistance.
    More Details:
    Method: GET
    Host: the.earth.li
    Path: /~sgtatham/putty/0.74/w32/puttygen.exe

  • You may have a policy above the one that should block it, and that policy allows the download.

    Gregg Hill

Sign In to comment.