Block Body Content Types

Hello,

I cannot find an easy way to block body content types for *.com, *.vbs and other file extensions.
When I searched for the HEX codes at https://mark0.net/soft-trid-deflist-c.html I found 380 entries. I don't know which one is the correct hex code.
Can anybody please help me do the configuration correctly?

Comments

  • Options

    You can use URL Paths to block these.
    Example: Pattern Match = *.vbs
    Action = Deny

  • Options

    Yes, I know. But it does not work.

  • Options

    Please describe an example, including the URL, where this does not work.
    You can select Log on the URL Paths None Matched entry to see an entry in Traffic Monitor showing the DNS name and the URL path.

  • Options

    Here is a log output. I tried to download puttygen.exe and puttytel.exe. Both files could be downloaded.
    Deep Packet Inspection is enabled and working.
    2020-09-17 15:49:09 Allow 10.0.0.222 93.93.131.124 https/tcp 55263 443 1-Trusted 0-External ProxyAllow: HTTP File submitted to APT analysis server (HTTPS-proxy_LAN-DPI-00) HTTP-Proxy_LAN proc_id="http-proxy" rc="590" msg_id="1AFF-0036" proxy_act="HTTP-Proxy_LAN" host="the.earth.li" path="/~sgtatham/putty/0.74/w64/puttytel.exe" md5="edaa7dce6f02bf7c01c03752020dd329" task_uuid="96106360d6f800201e599875a540accd" src_user="username@domain.net" Traffic

    2020-09-17 15:51:28 Allow 10.0.0.222 93.93.131.124 https/tcp 55346 443 1-Trusted 0-External ProxyAllow: HTTP Request categories (HTTPS-proxy_LAN-DPI-00) HTTP-Proxy_LAN proc_id="http-proxy" rc="590" msg_id="1AFF-0021" proxy_act="HTTP-Proxy_LAN" cats="Information Technology" op="GET" dstname="the.earth.li" arg="/~sgtatham/putty/latest/w32/puttygen.exe" src_user="username@domain.net" Traffic

    2020-09-17 15:51:28 Allow 10.0.0.222 93.93.131.124 https/tcp 55346 443 1-Trusted 0-External ProxyAllow: HTTP Request categories (HTTPS-proxy_LAN-DPI-00) HTTP-Proxy_LAN proc_id="http-proxy" rc="590" msg_id="1AFF-0021" proxy_act="HTTP-Proxy_LAN" cats="Information Technology" op="GET" dstname="the.earth.li" arg="/~sgtatham/putty/0.74/w32/puttygen.exe" src_user="username@domain.net" Traffic

  • Options

    I found out that in Content types application/* is allowed.
    I think this is the problem.

  • Options

    No, that is not the reason.

    I added a URL Paths for *.exe set to deny, and went to the URL that you did.
    Here are my results:

    Request denied by WatchGuard HTTP proxy for Bruce.
    Reason: request URL denied rule='*.exe'
    Method: GET
    Host: the.earth.li
    Path: /~sgtatham/putty/0.74/w64/puttytel.exe

    2020-09-17 12:45:17 Deny 10.0.1.2 93.93.131.124 http/tcp 49447 80 Trust-VLAN External ProxyDeny: HTTP request URL match (HTTP-proxy_for_Bruce-PC-00) HTTP-Client_bruce proc_id="http-proxy" rc="595" msg_id="1AFF-000B" proxy_act="HTTP-Client_bruce" rule_name="*.exe" dstname="the.earth.li" arg="/~sgtatham/putty/0.74/w64/puttytel.exe" geo_dst="GBR" Traffic

  • Options

    Similarly, a URL Path deny for *puttytel.exe also works:

    2020-09-17 13:25:07 Deny 10.0.1.2 93.93.131.124 http/tcp 49673 80 Trust-VLAN External ProxyDeny: HTTP request URL match (HTTP-proxy_for_Bruce-PC-00) HTTP-Client_bruce proc_id="http-proxy" rc="595" msg_id="1AFF-000B" proxy_act="HTTP-Client_bruce" rule_name="puttytel.exe" dstname="the.earth.li" arg="/~sgtatham/putty/0.74/w64/puttytel.exe" geo_dst="GBR" Traffic

  • Options

    I tested the.earth.li/~sgtatham/putty/0.74/w64/puttytel.exe and the default Windows EXE\DLL rule blocked it.

    Gregg Hill

  • Options

    My attempt to get the EXE at https://the.earth.li/~sgtatham/putty/0.74/w32/puttygen.exe

    here's the result (it is blocked as expected):

    Response denied by WatchGuard HTTP Proxy.
    Reason: body content-type denied rule='Windows EXE/DLL'
    Please contact your administrator for assistance.
    More Details:
    Method: GET
    Host: the.earth.li
    Path: /~sgtatham/putty/0.74/w32/puttygen.exe

  • Options

    You may have a policy above the one that should block it, and that policy allows the download.

    Gregg Hill
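
An added example, not written by any poster in this thread: a small Python parser for the Traffic Monitor lines quoted above that groups .exe requests by the policy and proxy action that handled them, so an allow with no matching rule points at the policy to inspect. It assumes the token in parentheses is the policy name; the function names are made up for this illustration.

```python
import re
from collections import defaultdict

# Three log lines copied from the posts above (two allowed, one denied).
SAMPLE = [
    '2020-09-17 15:49:09 Allow 10.0.0.222 93.93.131.124 https/tcp 55263 443 1-Trusted 0-External ProxyAllow: HTTP File submitted to APT analysis server (HTTPS-proxy_LAN-DPI-00) HTTP-Proxy_LAN proc_id="http-proxy" rc="590" msg_id="1AFF-0036" proxy_act="HTTP-Proxy_LAN" host="the.earth.li" path="/~sgtatham/putty/0.74/w64/puttytel.exe" md5="edaa7dce6f02bf7c01c03752020dd329" task_uuid="96106360d6f800201e599875a540accd" src_user="username@domain.net" Traffic',
    '2020-09-17 15:51:28 Allow 10.0.0.222 93.93.131.124 https/tcp 55346 443 1-Trusted 0-External ProxyAllow: HTTP Request categories (HTTPS-proxy_LAN-DPI-00) HTTP-Proxy_LAN proc_id="http-proxy" rc="590" msg_id="1AFF-0021" proxy_act="HTTP-Proxy_LAN" cats="Information Technology" op="GET" dstname="the.earth.li" arg="/~sgtatham/putty/0.74/w32/puttygen.exe" src_user="username@domain.net" Traffic',
    '2020-09-17 12:45:17 Deny 10.0.1.2 93.93.131.124 http/tcp 49447 80 Trust-VLAN External ProxyDeny: HTTP request URL match (HTTP-proxy_for_Bruce-PC-00) HTTP-Client_bruce proc_id="http-proxy" rc="595" msg_id="1AFF-000B" proxy_act="HTTP-Client_bruce" rule_name="*.exe" dstname="the.earth.li" arg="/~sgtatham/putty/0.74/w64/puttytel.exe" geo_dst="GBR" Traffic',
]

FIELDS = ("time", "disposition", "src", "dst", "service", "sport", "dport",
          "in_if", "out_if", "event", "message", "policy")
# Fixed leading columns, then "Event: message (policy)".
# Assumption: the parenthesised token is the policy name.
HEAD = re.compile(r'^(\S+ \S+) (Allow|Deny) (\S+) (\S+) (\S+) (\d+) (\d+) '
                  r'(\S+) (\S+) (\w+): (.*?) \(([^)]*)\) ')
KV = re.compile(r'(\w+)="([^"]*)"')


def parse(line):
    """Return a dict for one proxy log line, or None if it does not match."""
    m = HEAD.match(line)
    if not m:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    rec.update(KV.findall(line))
    # Request events carry the path in arg=, the APT event in path=.
    rec["url_path"] = (rec.get("arg") or rec.get("path") or "").split("?")[0]
    return rec


def summarize(lines, ext):
    """Map (policy, proxy action, service) -> {(disposition, rule_name)}."""
    out = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["url_path"].lower().endswith(ext):
            key = (rec["policy"], rec.get("proxy_act", "-"), rec["service"])
            out[key].add((rec["disposition"], rec.get("rule_name", "-")))
    return dict(out)


def unmatched_allows(lines, ext):
    """Policies that let the extension through without any rule matching."""
    return sorted(k for k, v in summarize(lines, ext).items()
                  if ("Allow", "-") in v)


if __name__ == "__main__":
    for key in unmatched_allows(SAMPLE, ".exe"):
        print("allowed with no rule match:", key)
```
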
