See URL of blocked file

Hello Marcus,

Thank you for contacting the Sophos Community!

Can you check under Monitor & Analyze >> Reports >> Custom >> Search in IP address.

But probably it won't say from which website, as the connection is coming from that 2.20.189.211.

You could however if you set the awarrenhttp.log in debug mode

# service awarrenhttp:debug -ds nosync

Then if user access again and you check under

# /log/awarrenhttp_access.log 

It would give you most likely more info about this.

Regards,

Hi Emmanuel,

thanks for the reply. I tested your suggestion setting awarrenhttp to debug mode, but there is nothing in the file /log/awarrenhttp_access.log. It has 0 bytes. Even after 30 minutes. During this time a can see in the GUI that several .zip and .exe files where blocked.

In the /log/awarenhttp.log there is an entry showing that awarenhttp was set to debug.

1606290171.259723988 [ 6838/ (nil)] config.c:270 process_sig_event [1641] signal: User defined signal 1
1606290171.259783609 [ 6838/ (nil)] debug.c:296 debug_toggle Debug level set to 0x14815B

Do I have to use the Web Proxy?

Regards

Hi marcus33241

marcus33241 said:

Is there a way to see the URL?

This is the Log entry:

2020-11-23 08:01:52 Application filtermessageid="17051" log_type="Content Filtering" log_component="Application" log_subtype="Denied" fw_rule_id="7" user="" user_group="" appfilter_policy_id="7" category="File Transfer" app_name="ZIP File Download" app_risk="4" app_technology="Browser Based" app_category="File Transfer" src_ip="2.20.189.211" src_country="" dst_ip="10.1.1.1" dst_country="BEL" protocol="TCP" src_port="80" dst_port="52700" bytes_sent="0" bytes_received="0" status="" message="" appresolvedby="Signature"

Inside the "Application Filter" Logs It won't show the URL (If It's a Web Application) that has been blocked, that's because the Application Control is Signature based.

In order to know the URL that has been blocked by It, you will need to go to the "Web Filter" Logs inside the Log Viewer, and filter out with:

(Example.)

• src_ip="2.20.189.211"
• dst_ip="10.1.1.1"
• src_port="80"
• dst_port="52700"

marcus33241 said:

thanks for the reply. I tested your suggestion setting awarrenhttp to debug mode, but there is nothing in the file /log/awarrenhttp_access.log. It has 0 bytes. Even after 30 minutes. During this time a can see in the GUI that several .zip and .exe files where blocked.

The /log/awarrenhttp_access.log is only for the Web Proxy; You can only see the Logs (If using the DPI Engine.) on the Log Viewer - at "Web Filter" page.

Thanks!

Hi marcus33241

marcus33241 said:

Is there a way to see the URL?

This is the Log entry:

2020-11-23 08:01:52 Application filtermessageid="17051" log_type="Content Filtering" log_component="Application" log_subtype="Denied" fw_rule_id="7" user="" user_group="" appfilter_policy_id="7" category="File Transfer" app_name="ZIP File Download" app_risk="4" app_technology="Browser Based" app_category="File Transfer" src_ip="2.20.189.211" src_country="" dst_ip="10.1.1.1" dst_country="BEL" protocol="TCP" src_port="80" dst_port="52700" bytes_sent="0" bytes_received="0" status="" message="" appresolvedby="Signature"

Inside the "Application Filter" Logs It won't show the URL (If It's a Web Application) that has been blocked, that's because the Application Control is Signature based.

In order to know the URL that has been blocked by It, you will need to go to the "Web Filter" Logs inside the Log Viewer, and filter out with:

(Example.)

• src_ip="2.20.189.211"
• dst_ip="10.1.1.1"
• src_port="80"
• dst_port="52700"

marcus33241 said:

thanks for the reply. I tested your suggestion setting awarrenhttp to debug mode, but there is nothing in the file /log/awarrenhttp_access.log. It has 0 bytes. Even after 30 minutes. During this time a can see in the GUI that several .zip and .exe files where blocked.

The /log/awarrenhttp_access.log is only for the Web Proxy; You can only see the Logs (If using the DPI Engine.) on the Log Viewer - at "Web Filter" page.

Thanks!

Hi,

this is all Windows Update stuff and I can see it in the URL in WebFilter Log.

Don't you have the buggy default Microsoft Update Exception List enabled?

We have created a custom one for WU:

URLs:

^([A-Za-z0-9.-]*\.)?ntservicepack\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?emdl\.ws\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?dl\.delivery\.mp\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?windowsupdate\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?update\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?wustat\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?windowsupdate\.com/
^([A-Za-z0-9.-]*\.)?crl\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?download\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?go\.microsoft\.com/

Hello Prism,

thank you for your explanations. I would show what I am trying to do.

This is the situation: the Control Center -> Reports shows Blocked app categories:

When I click "File transfer" I can see this

An when I search this hosts in the Web filter log with filter settings

• src ip / dst ip 2.20.190.28
• Log subtype is not Allowed

nothing is shown...

There are many ALLOWED entries for this IP.

In the Application Filter log I can see the blocked ZIP and EXE downloads, but I have no chance to see which files are blocked. Maybe it is an automatic adobe update or malware - I don't know.

have you seen my post above - this is Windows Update - I'm 90% sure.

I agree that XG lacks GUI logging here. Much improvement needed. I have tried exactly the same approach as you did for other blocks and this is a dead end.

marcus33241 said:

• Log subtype is not Allowed

nothing is shown...

There are many ALLOWED entries for this IP.

You're will still able to see what has been blocked through the Log Viewer, the difference here is - When IPS drops a connection, on the "Web Filter" Page It will still show as "ALLOWED" instead of denied.

You can filter with the source & destination IP and look at the time of the "Web Filter" Logs to see if It matches the log over the IPS Page.

And yes, the logging on Sophos XG is this horrible.