Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 28 replies
  • Answers 2 answers
  • Subscribers 33 subscribers
  • Views 12634 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

What's the simplest way to block a Top-Level-Domain (*.ru/* for example )in web protection?

ken9000

What is the simplest way to block all users from visiting a TLD? This seems like a basic functionality but I haven't found a good answer.



This thread was automatically locked due to age.
Parents
  • 0

    I know this works in UTM hoping XG

     

    https?://[A-Za-z0-9.-]*\.ru/

    or

    http?://[A-Za-z0-9.-]*\.ru/

     

    You can also use country blocking, you may be aware but figure I would mention it.

  • 0 in reply to Badrobot

    Badrobot said:

     https?://[A-Za-z0-9.-]*\.ru/

    http?://[A-Za-z0-9.-]*\.ru/

    If working with this REGEX Snippets, then the pattern for an URL with Path behind should be added as well (for Example mydomain.ru/mypage/index.php wouldnt be affected by this REGEX Snippets above). Afterwards this Regex Snippet can be used to create an URL Group that afterwards can be used in Webfilter Policy.

     

    By the way... Why do you want to block all *.ru pages? not all of those are bad... I don't se a usecase for something like this :-S

  • 0 in reply to M8ey

    Seriously though, as a completely separate thing from website categorization there is a large effort within Sophos Labs to block malware URLs and domains.  To this end, everyone should make sure they are always blocking the "Criminal Activities" User Activity (or the categories within it).

    https://www.sophos.com/en-us/labs.aspx

  • 0 in reply to Michael Dunn

    As examples, regardless of geography, I don't know where a ".online" or ".loan" domain might be physically hosted but I know my users don't have any business going there.

    krebsonsecurity.com/.../

  • 0 in reply to Michael Dunn

    Is there a KB article better describing what the categories contain such as "Criminal Activities"? That's a bit open to interpretation. I'd put all Wall Street banks in there, for example.

  • 0 in reply to ken9000

    There are a hundred categories.  Managing a rule for each separately is complex.  Therefore the categories are grouped together, along with filetypes into "User Activities".

    You can go into Web \ User Activities to see the categories in each.

    You can go into Web \ Categories and click into a category to get a description.  I think there must be a list somewhere in help or a KB of all the descriptions.  But there is another place to get them.  This site, used for some internal testing, contains a list of categories and descriptions.  Please note that this site has different lists for different products, the list of categories for CWG and XG are the same.

    http://www.sophostest.com/cwg/

  • 0 in reply to Michael Dunn

    This definition of "Criminal Activities" doesn't seem to like-up with the advice of using this category for malware domains, etc:

     

    Criminal Activity

    Includes sites for advocating, instructing, or giving advice on performing illegal acts; tips on evading law enforcement; and lock-picking and burglary techniques.

  • 0 in reply to ken9000

    The User Activity called Criminal Activity contains 7 categories.

    One of the categories is also called Criminal Activity.  The description may not be ideal - I know that child porn and other illegal to browse to things are categorized as Criminal Activity.

    The other most important category is Spyware and Malware.  This is where a lot of the bad computer security stuff is.

    Blocking the entire User Activity is what I recommend.

     

    I will not comment on the decision of naming a User Activity the same as a Category.  :)

  • 0 in reply to Michael Dunn

    Understood. Going to add it. Thanks for your input on the forums!

  • 0 in reply to ken9000

    Ugh!  Just went and looked at some of the backend and mapping.  Again, I will not comment on decisions for naming and inclusion.  :)

     

    Consider blocking User Activity Suspicious.  This is a mix of bad stuff (spam) and not bad stuff (advertising).  Maybe look at the categories inside and make a decision.

     

    I would also personally block these:

    Command and Control (if you are using Advanced Threat Protection then this is already blocked.  If you are not then this category takes effect.)

    Spam URLs (also part of the User Activity Suspicious)

    Hacking

  • 0 in reply to rfcat_vk

    I agree, I have seen many sites that should have a domain from a specific country or IP Block from that country that are actually hosted on a cloud platform in a different country.

  • 0 in reply to Badrobot

    I suspect GEOIP blocking makes more sense in blocking incoming connection from certain countries.  Or incoming/outgoing for certain ports (we should block any ssh access from internal to Russia).

     

    For outgoing Web traffic it makes less sense, however I just brought it up for Web as additional thing for a paranoid admin to lock-down.

Reply
  • 0 in reply to Badrobot

    I suspect GEOIP blocking makes more sense in blocking incoming connection from certain countries.  Or incoming/outgoing for certain ports (we should block any ssh access from internal to Russia).

     

    For outgoing Web traffic it makes less sense, however I just brought it up for Web as additional thing for a paranoid admin to lock-down.

Children
No Data