how to block a string in HTTP(S) content inspection
Hi all,
I've enabled HTTPS content inspection and want to block specific traffic in the HTTP Proxy Action Settings. I've tried different settings (request methods, URL paths, header fields) but it's not blocking.
If I want to block "User=hacker" from the traffic shown below, how and where can I configure that?
Example of traffic taken from FSM:
2024-08-01 13:36:55 FW01 Allow 152.22.122.22 85.85.85.162 https/tcp 58762 443 Internet1 VLAN-301 HTTP request (IN-OWA-HTTPS-proxy-00) HTTP-Server.Exchange proc_id="http-proxy" rc="525" msg_id="1AFF-0024" proxy_act="HTTP-Server.Exchange" src_ctid="ffff8021281ab480" dst_ctid="ffff8021281ab480" out_port="58762" srv_ip="10.10.10.10" srv_port="443" op="OPTIONS" dstname="mail.mydomain.nl" arg="/Microsoft-Server-ActiveSync?Cmd=Options&User=hacker%40mydomain.nl&DeviceId=SEC1BECB109E02D4&DeviceType=SamsungDevice" sent_bytes="357" rcvd_bytes="0" elapsed_time="0.000226 sec(s)" geo_src="USA" geo_dst="NLD" Traffic
Comments
Have you tried the following in URL paths ?
*User=hacker
Pattern Match, set to Deny, Log
Yes, tried it.
- *User=hacker
- (star)User=hacker(star) also. Both not working.
- a star is not displayed correctly, so I typed it
Reviewing the log record again, it looks like User=hacker is part of the dstname, in the arg section.
And URL paths is the correct place to block anything in the dstname string including the arg section.
So, I would expect this to work.
Since it is not, consider opening a support case on this.
Verify that your URL paths entry is on the correct HTTP proxy action - HTTP-Server.Exchange.
dstname="mail.mydomain.nl" arg="/Microsoft-Server-ActiveSync?Cmd=Options&User=hacker%40mydomain.nl&DeviceId=SEC1BECB109E02D4&DeviceType=SamsungDevice"
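As an added example (not from the thread and not WatchGuard code), a small Python model of how a URL Paths "Pattern Match" rule would be evaluated against the dstname plus arg string of the record above. The match semantics are assumptions (glob style, "*" matches any run of characters, case sensitive, the pattern must cover the whole string, no URL decoding of "%40"), and SAMPLE_LOG is a constructed subset of the fields in the posted record.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the key="value" fields of the FSM record from the thread
# that matter for a URL Paths rule (other fields omitted for brevity).
SAMPLE_LOG = (
    'proxy_act="HTTP-Server.Exchange" op="OPTIONS" dstname="mail.mydomain.nl" '
    'arg="/Microsoft-Server-ActiveSync?Cmd=Options&User=hacker%40mydomain.nl'
    '&DeviceId=SEC1BECB109E02D4&DeviceType=SamsungDevice" sent_bytes="357"'
)

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_fields(line):
    """Return the key="value" pairs of a proxy traffic record as a dict."""
    return dict(FIELD_RE.findall(line))


def url_path_string(fields):
    """Assumption: a URL Paths rule is matched against host + full arg (query included)."""
    return fields["dstname"] + fields["arg"]


def pattern_matches(pattern, text):
    """Assumed Pattern Match semantics: anchored glob, '*' = any characters,
    case sensitive, no decoding of percent-escapes before matching."""
    return fnmatchcase(text, pattern)


def rule_action(rules, line):
    """Evaluate ordered (pattern, action) rules against one record.
    First matching rule wins; an unmatched record falls through to Allow."""
    target = url_path_string(parse_fields(line))
    for pattern, action in rules:
        if pattern_matches(pattern, target):
            return action, pattern
    return "Allow", None


if __name__ == "__main__":
    # The two patterns tried in the thread: without a trailing '*' the pattern
    # stops at "hacker" while the URL continues with "%40mydomain.nl&DeviceId=...".
    for pattern in ("*User=hacker", "*User=hacker*"):
        print(pattern, "->", rule_action([(pattern, "Deny")], SAMPLE_LOG))
```

Under these assumptions only the pattern with a trailing "*" denies the record, which is worth confirming against the proxy's own log (the rc and msg_id fields) once the rule is on the HTTP-Server.Exchange action.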
OK, case opened.
Thanks Bruce.
I'll update this post if I've a solution.