how to block a string in HTTP(S) content inspection

edited August 1 in Firebox - Proxies

Hi all,
I've enabled HTTPS content inspection and want to block specific traffic in the HTTP Proxy Action settings. I've tried different settings (request methods, URL paths, header fields) but it's not blocking.
If I want to block "User=hacker" from the traffic shown below, how and where can I configure that?

example of traffic taken from FSM:
2024-08-01 13:36:55 FW01 Allow 152.22.122.22 85.85.85.162 https/tcp 58762 443 Internet1 VLAN-301 HTTP request (IN-OWA-HTTPS-proxy-00) HTTP-Server.Exchange proc_id="http-proxy" rc="525" msg_id="1AFF-0024" proxy_act="HTTP-Server.Exchange" src_ctid="ffff8021281ab480" dst_ctid="ffff8021281ab480" out_port="58762" srv_ip="10.10.10.10" srv_port="443" op="OPTIONS" dstname="mail.mydomain.nl" arg="/Microsoft-Server-ActiveSync?Cmd=Options&User=hacker%40mydomain.nl&DeviceId=SEC1BECB109E02D4&DeviceType=SamsungDevice" sent_bytes="357" rcvd_bytes="0" elapsed_time="0.000226 sec(s)" geo_src="USA" geo_dst="NLD" Traffic

Comments

  • Have you tried the following in URL paths?
    *User=hacker
    Pattern Match, set to Deny, Log

  • edited August 1

    Yes, tried it.
    - *User=hacker
    - (star)User=hacker(star) also. Both not working.
    - A star is not displayed correctly, so I typed it out.

  • Reviewing the log record again, it looks like User=hacker is part of the dstname, in the arg section.
    And URL paths is the correct place to block anything in the dstname string including the arg section.
    So, I would expect this to work.
    Since it is not, consider opening a support case on this.
    Verify that your URL paths entry is on the correct HTTP proxy action - HTTP-Server.Exchange.

    dstname="mail.mydomain.nl" arg="/Microsoft-Server-ActiveSync?Cmd=Options&User=hacker%40mydomain.nl&DeviceId=SEC1BECB109E02D4&DeviceType=SamsungDevice"
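A quick way to check that the pattern itself is not the problem before (or while) the support case is open: pull the dstname and arg fields out of the logged request and run the candidate URL-path patterns against them locally. This is an added example, not WatchGuard code; it uses Python's shell-style wildcard matching as a stand-in for the Firebox's own matching (assumed: `*` matches any run of characters, comparison is case-sensitive), and it tries the path+query both with and without the host name and both before and after percent-decoding, because the thread does not say which exact string the proxy compares against. The log line is a copy of the one quoted in the post.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Constructed test input: a copy of the FSM log line quoted in the post,
# not a live capture from a Firebox.
LOG_LINE = (
    '2024-08-01 13:36:55 FW01 Allow 152.22.122.22 85.85.85.162 https/tcp 58762 443 '
    'Internet1 VLAN-301 HTTP request (IN-OWA-HTTPS-proxy-00) HTTP-Server.Exchange '
    'proc_id="http-proxy" rc="525" msg_id="1AFF-0024" proxy_act="HTTP-Server.Exchange" '
    'src_ctid="ffff8021281ab480" dst_ctid="ffff8021281ab480" out_port="58762" '
    'srv_ip="10.10.10.10" srv_port="443" op="OPTIONS" dstname="mail.mydomain.nl" '
    'arg="/Microsoft-Server-ActiveSync?Cmd=Options&User=hacker%40mydomain.nl'
    '&DeviceId=SEC1BECB109E02D4&DeviceType=SamsungDevice" '
    'sent_bytes="357" rcvd_bytes="0" elapsed_time="0.000226 sec(s)" '
    'geo_src="USA" geo_dst="NLD" Traffic'
)

# key="value" pairs as written by the http-proxy process
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_fields(line):
    """Return the key="value" fields of one FSM / Traffic Monitor log line as a dict."""
    return dict(FIELD_RE.findall(line))


def candidate_strings(fields):
    """Strings a URL-path rule might plausibly be compared against.

    The thread does not document the exact string the Firebox uses, so every
    plausible form is tried: path+query alone, host plus path+query, and both
    again after percent-decoding (the log shows %40 where the client sent @).
    """
    host = fields.get("dstname", "")
    arg = fields.get("arg", "")
    return {
        "arg": arg,
        "dstname+arg": host + arg,
        "arg_decoded": unquote(arg),
        "dstname+arg_decoded": host + unquote(arg),
    }


def pattern_hits(pattern, line):
    """Names of the candidate strings that a wildcard pattern matches.

    fnmatchcase stands in for the proxy's pattern matching (assumption: '*'
    matches any run of characters and the comparison is case-sensitive).
    """
    fields = parse_fields(line)
    return [name for name, text in candidate_strings(fields).items()
            if fnmatchcase(text, pattern)]


def check_patterns(patterns, line=LOG_LINE):
    """Map each candidate pattern to the strings it matches for one log line."""
    return {p: pattern_hits(p, line) for p in patterns}


if __name__ == "__main__":
    results = check_patterns([
        "*User=hacker*",              # what the thread suggests
        "*User=hacker",               # no trailing wildcard: more text follows the value
        "User=hacker",                # no wildcards at all
        "*User=hacker@mydomain.nl*",  # decoded form: the log shows %40, not @
        "*user=hacker*",              # case differs from the logged request
    ])
    for pattern, hits in results.items():
        print(f"{pattern:30} -> {hits or 'no match'}")
```

If `*User=hacker*` matches every form here (it does for the logged request) but the Firebox still allows the request, the pattern is not the problem; the next things to verify are the ones already named in the thread: that the rule sits on the proxy action that actually handled the request (proxy_act="HTTP-Server.Exchange" in the log), and that the rule's action is Deny rather than Allow. The `*User=hacker` form without a trailing wildcard does not match because DeviceId and DeviceType follow the User parameter.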

  • ok, case opened.
    Thanks Bruce.

    I'll update this post if I have a solution.
