Can't seem to block IRC chat

Hi all,

XG Home user here, trying to set up some policies before I give my kid her first laptop. I wanted to see if I could block chat services at first, and one of the built-in chat clients on the Linux Mint install I used was HexChat, an IRC client. So, I've created a firewall rule that uses her laptop's MAC address as the source device from LAN to WAN. I then added to this firewall rule a custom web policy which blocks online chat. I then added a custom application filter that blocks, among other things, the IRC network service.

Imagine my surprise when I fire up HexChat on her laptop and it just connects to irc.spotchat.org on the default IRC port 6667 like a happy little camper with no issues.

I'm 99% sure her laptop is hitting this rule. If I disable logging on every other rule and only log on this one, I can see real-time logs of traffic from her IP. The IRC network traffic shows up in the XG "Live Connections" tab as "other applications" rather than IRC.

Does this mean that XG doesn't recognize IRC chat or is there something I'm overlooking?

Thanks!



  • Good to know. It has been fixed in some MR, because before that, firewall rules based on MAC addresses were not working.

    Thanks

  • Alongside, I would genuinely like to add here that parenting shouldn't be dependent on technology. XG can potentially block access to a certain level within a range of premises, but a warm, friendly discussion with kids could help both ends, forever.

    I completely agree! There is nothing more important than open, honest discussion with kids. My implementation of application blocking around her laptop is more for experimenting and learning what XG can (and can't) do. Nothing quite like a real-world use case to find all the holes in the QA test scripts ;)

    I don't see a signature inside the List of Matching Applications; you need to raise this as a feature request on Sophos Ideas.

    Do you mean this signature?

    True, there is no signature for IRC over TLS/SSL... but that's not what I'm trying to block in my test case. In the following example application filter....

    IRC and NTP are not identified by XG... they show up in the Live Connections tab as "Other Applications" and pass right through the filter. LDAP, SSH, and Jabber, however, are identified correctly and are blocked as expected. This indicates a problem with the IRC and NTP signatures. The issue we have here is larger than just NTP and IRC, though. Without testing every single application signature, I have no way of knowing which work and which do not.

  • I am glad to know it's for testing, and I will test this in my lab tonight and provide you with a final conclusion on this.

    Thanks

  • Hi Gary,

    We have tested this with the HexChat app and found that you may need to block the P2P and Instant Messaging categories. I shall share the results and the configuration.

    HEXCHAT output

    un 15 23:59:59 2019 GM
    * * Cipher info:
    * Version: TLSv1/SSLv3, cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)
    * Connected. Now logging in.
    * *** Looking up your hostname...
    * *** Looking up your ident...
    * *** Could not resolve your hostname: Domain name not found; using your IP address (XX.XX.XX.XX) instead.
    * Capabilities supported: away-notify extended-join account-notify multi-prefix sasl tls userhost-in-names
    * Capabilities requested: away-notify extended-join account-notify multi-prefix userhost-in-names
    * aditya.patel is erroneous. Retrying with aditya.patel_...
    * Capabilities acknowledged: away-notify extended-join account-notify multi-prefix userhost-in-names
    * aditya.patel_ is erroneous. Retrying with aditya.patel__...
    * Nickname is erroneous or already in use. Use /NICK to try another.
    * Closing link: (aditya.pate@XX.XX.XX.XX) [Registration timeout]
    * Disconnected (Remote host closed socket)
    Cycling to next server in SpotChat...
    * Disconnected ()
    * Looking up irc.spotchat.org
    * Connecting to irc.spotchat.org (67.230.173.38:6697)
    * * Subject: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    * * Issuer: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    * * Subject: /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    * * Issuer: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    * * Subject: /CN=irc.spotchat.org
    * * Issuer: /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    * * Certification info:
    * Subject:
    * CN=irc.spotchat.org
    * Issuer:
    * C=US
    * O=GeoTrust Inc.
    * CN=RapidSSL SHA256 CA
    * Public key algorithm: rsaEncryption (2048 bits)
    * Sign algorithm sha256WithRSAEncryption
    * Valid since May 16 00:00:00 2016 GM to Jun 15 23:59:59 2019 GM
    * * Cipher info:
    * Version: TLSv1/SSLv3, cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)
    * Connected. Now logging in.
    * *** Looking up your hostname...
    * *** Looking up your ident...
    * *** Could not resolve your hostname: Domain name not found; using your IP address (XX.XX.XX.XX) instead.
    * Capabilities supported: away-notify extended-join account-notify multi-prefix sasl tls userhost-in-names
    * Capabilities requested: away-notify extended-join account-notify multi-prefix userhost-in-names
    * aditya.patel is erroneous. Retrying with aditya.patel_...
    * Capabilities acknowledged: away-notify extended-join account-notify multi-prefix userhost-in-names
    * aditya.patel_ is erroneous. Retrying with aditya.patel__...
    * Nickname is erroneous or already in use. Use /NICK to try another.
    * Closing link: (aditya.pate@XX.XX.XX.XX) [Registration timeout]
    * Disconnected (Remote host closed socket)
    Cycling to next server in SpotChat...
    * Disconnected ()

  • I added the same application categories to my filter that you show in your screen capture...

    These were added to a simple filter that already contained the following...

    This application filter is applied to a single rule, which is the only rule currently active on the Guest Zone (Port 2).

    This modified application filter successfully blocks torrents....

    But not IRC...

    I realize I can create a firewall rule that blocks the IRC port ranges, and that would solve this problem. What I'm trying to do is help you guys determine if there is a bug in the IRC signature used for application filtering.
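The thread leaves two facts side by side: the original poster's HexChat session reached irc.spotchat.org on the plaintext port 6667 and was still classed as "Other Applications", while the Sophos test above connected on 6697 over TLS, where a payload signature has nothing readable to match. The toy classifier below is an added illustration, not Sophos's signature engine or any code from this thread. It does what an application-control signature has to do (inspect the first client bytes of a flow), shows why an encrypted IRC session falls through to "Other Applications", and contrasts that with the port-based firewall rule the poster mentions as a fallback. The port lists, the sample flows and the class/function names are assumptions constructed for the example; the IRC registration commands (CAP LS, NICK, USER, PASS) are the standard client-side start of an IRC session.

```python
"""Toy application-control classifier for IRC (added example, not Sophos code)."""
import re
from dataclasses import dataclass

# Assumed port conventions for the example: 6660-6669 plaintext IRC, 6697 IRC over TLS.
IRC_PLAINTEXT_PORTS = range(6660, 6670)
IRC_TLS_PORTS = {6697}

# First commands an IRC client sends while registering (RFC 2812 NICK/USER/PASS, IRCv3 CAP LS).
_IRC_REGISTRATION = re.compile(rb"^(CAP LS|NICK |USER |PASS )", re.IGNORECASE)


@dataclass(frozen=True)
class Flow:
    dst_port: int
    client_bytes: bytes  # first bytes the client sent on the TCP connection


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 3, handshake type 0x01 (ClientHello)."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def classify_by_payload(flow: Flow) -> str:
    """What a payload signature can see. Inside TLS the IRC commands are opaque, so the flow is 'Other Applications'."""
    if is_tls_client_hello(flow.client_bytes):
        return "Other Applications"
    first_line = flow.client_bytes.split(b"\r\n", 1)[0]
    if _IRC_REGISTRATION.match(first_line):
        return "IRC"
    return "Other Applications"


def classify_by_port(flow: Flow) -> str:
    """The fallback from the thread: a firewall rule keyed on destination port, payload ignored."""
    if flow.dst_port in IRC_PLAINTEXT_PORTS or flow.dst_port in IRC_TLS_PORTS:
        return "IRC"
    return "Other Applications"


def verdict(flow: Flow, app_filter_blocks_irc: bool = True, port_rule_blocks_irc: bool = False) -> str:
    """Combine the two controls: application filter first, then the optional port rule."""
    if app_filter_blocks_irc and classify_by_payload(flow) == "IRC":
        return "blocked by application filter"
    if port_rule_blocks_irc and classify_by_port(flow) == "IRC":
        return "blocked by port rule"
    return "allowed"


# Constructed sample flows (not captures from the thread).
PLAINTEXT_IRC = Flow(6667, b"CAP LS 302\r\nNICK testnick\r\nUSER testnick 0 * :Test User\r\n")
# Minimal TLS 1.2 ClientHello prefix: record type 0x16, version 0x0301, length, handshake type 0x01, version 0x0303.
TLS_IRC = Flow(6697, bytes.fromhex("16030100a5010000a10303") + b"\x00" * 32)
HTTP = Flow(80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n")


if __name__ == "__main__":
    samples = [("plaintext IRC :6667", PLAINTEXT_IRC), ("IRC over TLS :6697", TLS_IRC), ("HTTP :80", HTTP)]
    for name, f in samples:
        print(f"{name:20} payload={classify_by_payload(f):19} port={classify_by_port(f):19} "
              f"app-filter-only={verdict(f)}; with port rule={verdict(f, port_rule_blocks_irc=True)}")
```

The plaintext flow is the case the original poster describes: its first line is an IRC registration command, so a working payload signature has everything it needs, and a miss there points at the signature rather than at encryption. The 6697 flow is the case in the Sophos test output: without TLS decryption the only signals left are the port and the TLS handshake itself, which is why a port-range rule catches it while a payload signature does not.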