[9.200][BUG] HTTPS - Exceptions issue

Looks like something broke.

Exceptions are not read when HTTPS "URL scan only" is turned on for HTTPS URLs.

If you have a Web Protection > Web Filtering Options exception to skip all checks (SSL, URL, etc.) and you have HTTPS "Scan URL only" selected in Web Protection > Filter Profiles, any HTTPS scan will not be seen by the exception and will return a block.

Example listed below:

Apple Update [Allows Apple Update without content scanning side effects.]
Skipping: Authentication / Caching / Antivirus / Extension blocking / MIME type blocking / URL Filter / Content Removal / Certificate Trust Check / Certificate Date Check / SSL scanning
Matching these URLs: ^https?://([A-Za-z0-9.-]*\.)?apple\.com\.?/

2014:03:26-11:49:47 sbu001 httpproxy[5454]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.1.35" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (Office Staff )" filteraction="REF_DefaultHTTPCFFBlockAction (Everyone - Default Group)" size="0" request="0x27d6f760" url="https://play.itunes.apple.com" exceptions="" error="" authtime="0" dnstime="0" cattime="76" avscantime="0" fullreqtime="15022" device="0" auth="0" reason="category" category="129" reputation="neutral" categoryname="Media Downloads"
2014:03:26-11:49:48 sbu001 httpproxy[5454]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.1.35" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (Office Staff )" filteraction="REF_DefaultHTTPCFFBlockAction (Everyone - Default Group)" size="0" request="0x27d6fdc0" url="https://play.itunes.apple.com" exceptions="" error="" authtime="0" dnstime="0" cattime="77" avscantime="0" fullreqtime="13769" device="0" auth="0" reason="category" category="129" reputation="neutral" categoryname="Media Downloads"
2014:03:26-11:49:53 sbu001 httpproxy[5454]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.1.35" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (Office Staff )" filteraction="REF_DefaultHTTPCFFBlockAction (Everyone - Default Group)" size="0" request="0x27e34ee0" url="https://play.itunes.apple.com" exceptions="" error="" authtime="0" dnstime="0" cattime="99" avscantime="0" fullreqtime="14895" device="0" auth="0" reason="category" category="129" reputation="neutral" categoryname="Media Downloads"
2014:03:26-11:50:23 sbu001 httpproxy[5454]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.1.35" dstip="23.3.87.120" user="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Office Staff )" filteraction="REF_DefaultHTTPCFFBlockAction (Everyone - Default Group)" size="686410" request="0x27cbc880" url="https://iadsdk.apple.com" exceptions="" error="" authtime="0" dnstime="24315" cattime="52" avscantime="0" fullreqtime="91944618" device="0" auth="0" category="105,175" reputation="trusted" categoryname="Business,Software/Hardware" application=""
2014:03:26-12:06:29 sbu001 httpproxy[5454]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.32" dstip="96.17.202.35" user="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Office Staff )" filteraction="REF_DefaultHTTPCFFBlockAction (Everyone - Default Group)" size="16529" request="0x27e34cc0" url="gspa21.ls.apple.com/.../prod-resources-lodpi-20" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension" error="" authtime="0" dnstime="168495" cattime="0" avscantime="0" fullreqtime="252779" device="0" auth="0"
2014:03:26-12:08:34 sbu001 httpproxy[5454]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.35" dstip="174.76.226.82" user="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Office Staff )" filteraction="REF_DefaultHTTPCFFBlockAction (Everyone - Default Group)" size="2" request="0x27cbd760" url="http://gsp1.apple.com/pep/gcc" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension" error="" authtime="0" dnstime="135972" cattime="0" avscantime="0" fullreqtime="178480" device="0" auth="0"
2014:03:26-12:24:32 sbu001 httpproxy[5454]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.1.32" dstip="17.134.126.132" user="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Office Staff )" filteraction="REF_DefaultHTTPCFFBlockAction (Everyone - Default Group)" size="30775" request="0x27d34440" url="https://gs-loc.apple.com" exceptions="" error="" authtime="0" dnstime="21981" cattime="53" avscantime="0" fullreqtime="672146" device="0" auth="0" category="105,175" reputation="trusted" categoryname="Business,Software/Hardware" application=""

Filter profile is in full transparent mode, no authentication, HTTPS "URL filtering only" checked.
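One way to confirm from the httpproxy log that an exception was not applied, as an added example that is not part of the original post or of the UTM: parse the key="value" fields, run the post's Apple Update regex over each URL, and flag entries that match yet were blocked with an empty exceptions field. The sample lines are abbreviated from the post's log, and appending a "/" to host-only CONNECT URLs before matching is an assumption about how the proxy evaluates them.

```python
import re

# Exception regex exactly as listed in the post's Apple Update rule.
EXCEPTION_RE = re.compile(r"^https?://([A-Za-z0-9.-]*\.)?apple\.com\.?/")

# Constructed sample: abbreviated httpproxy lines in the same key="value" format.
SAMPLE_LOG = [
    '2014:03:26-11:49:47 sbu001 httpproxy[5454]: id="0060" action="block" method="CONNECT" '
    'srcip="192.168.1.35" request="0x27d6f760" url="https://play.itunes.apple.com" '
    'exceptions="" reason="category"',
    '2014:03:26-12:08:34 sbu001 httpproxy[5454]: id="0001" action="pass" method="GET" '
    'srcip="192.168.1.35" request="0x27cbd760" url="http://gsp1.apple.com/pep/gcc" '
    'exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension"',
    '2014:03:26-12:30:00 sbu001 httpproxy[5454]: id="0060" action="block" method="CONNECT" '
    'srcip="192.168.1.40" request="0x27aa0000" url="https://www.example.net" '
    'exceptions="" reason="category"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one httpproxy log line into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))


def normalise_url(url):
    """CONNECT entries log only scheme and host, with no path.
    Assumption: the proxy matches the exception against the URL with a
    trailing slash, so one is appended here; a scheme-less URL is taken as https."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        scheme, rest = "https", url
    if "/" not in rest:
        rest += "/"
    return f"{scheme}://{rest}"


def find_unapplied_exceptions(lines, pattern=EXCEPTION_RE):
    """Return request ids of entries whose URL the exception regex covers
    but which were still blocked with an empty exceptions= field."""
    hits = []
    for entry in map(parse_line, lines):
        covered = pattern.match(normalise_url(entry["url"])) is not None
        if covered and entry.get("action") == "block" and entry.get("exceptions", "") == "":
            hits.append(entry["request"])
    return hits


if __name__ == "__main__":
    print(find_unapplied_exceptions(SAMPLE_LOG))  # -> ['0x27d6f760']
```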
  • Yes, Knome that would be a workaround until 9.202 is released.

    I would note three things:

    1) Your examples are mostly exceptions you have written yourself.  The UTM does not ship with exceptions for netflix, hulu, and certainly not akamai (dangerous as it could be anyone).

    2) When you change \. to . you are changing a period into a wildcard.  Therefore you are now going to match netflixzcom.

    3) By removing the trailing slash you are not terminating the domain name.  That means that you will match netflix.com.some_evil_site.com and your exception will apply.  This is not ideal protection.  It is, however, the workaround you need for this bug.
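The two pitfalls in the reply, made concrete as an added example that is not code from the thread or from Sophos: a strict exception built the same way as the post's Apple Update rule is compared with the relaxed workaround (dot unescaped, trailing slash dropped) against constructed URLs, so you can see exactly which hosts the relaxed form would let through unscanned. The netflix.com pattern and the test URLs are assumptions for illustration.

```python
import re


def strict_exception(domain):
    """Exception regex in the same shape as the post's Apple Update rule:
    literal dots, optional subdomains, and a '/' that terminates the host name."""
    return re.compile(r"^https?://([A-Za-z0-9.-]*\.)?" + re.escape(domain) + r"\.?/")


def relaxed_exception(domain):
    """The workaround discussed in the reply: '\\.' becomes '.' (a wildcard)
    and the terminating '/' is gone. Built here only to show what it over-matches."""
    return re.compile(r"^https?://([A-Za-z0-9.-]*\.)?" + domain)


def matches(pattern, urls):
    """Return the subset of urls the pattern accepts."""
    return [u for u in urls if pattern.match(u)]


# Constructed test URLs: one legitimate, the rest illustrating the reply's points.
URLS = [
    "https://www.netflix.com/browse",
    "https://netflixzcom/",                      # wildcard '.' matches the 'z'
    "https://netflix.com.some_evil_site.com/",   # host name not terminated
    "https://netflix.com.evil.example/login",    # same issue, different suffix
]


def compare(domain, urls=URLS):
    """Report which URLs each form of the exception would exempt from scanning."""
    return {
        "strict": matches(strict_exception(domain), urls),
        "relaxed": matches(relaxed_exception(domain), urls),
    }


if __name__ == "__main__":
    for form, hits in compare("netflix.com").items():
        print(f"{form:8}: {hits}")
```

Only the first URL survives the strict pattern; the relaxed pattern accepts all four, which is the trade-off the reply describes.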