[9.200][BUG] HTTPS - Exceptions issue

Looks like something broke....

Exceptions not read when https URL Scan only is turned on for https urls.

If you have a Web Protection > Web Filtering Options > exception to skip all checks including SSL, URL, etc., and you have HTTPS "Scan URL only" selected in Web Protection > Filter Profiles, any https scan will not be seen by the exception and will return a block.

Example listed below:

Apple Update [Allows Apple Update without content scanning side effects.]
Skipping: Authentication / Caching / Antivirus / Extension blocking / MIME type blocking / URL Filter / Content Removal / Certificate Trust Check / Certificate Date Check / SSL scanning
Matching these URLs: ^https?://([A-Za-z0-9.-]*\.)?apple\.com\.?/

 2014:03:26-11:49:47 sbu001 httpproxy[5454]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.1.35" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (Office Staff )" filteraction="REF_DefaultHTTPCFFBlockAction (Everyone - Default Group)" size="0" request="0x27d6f760" url="https://play.itunes.apple.com" exceptions="" error="" authtime="0" dnstime="0" cattime="76" avscantime="0" fullreqtime="15022" device="0" auth="0" reason="category" category="129" reputation="neutral" categoryname="Media Downloads"
2014:03:26-11:49:48 sbu001 httpproxy[5454]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.1.35" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (Office Staff )" filteraction="REF_DefaultHTTPCFFBlockAction (Everyone - Default Group)" size="0" request="0x27d6fdc0" url="https://play.itunes.apple.com" exceptions="" error="" authtime="0" dnstime="0" cattime="77" avscantime="0" fullreqtime="13769" device="0" auth="0" reason="category" category="129" reputation="neutral" categoryname="Media Downloads"
2014:03:26-11:49:53 sbu001 httpproxy[5454]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.1.35" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (Office Staff )" filteraction="REF_DefaultHTTPCFFBlockAction (Everyone - Default Group)" size="0" request="0x27e34ee0" url="https://play.itunes.apple.com" exceptions="" error="" authtime="0" dnstime="0" cattime="99" avscantime="0" fullreqtime="14895" device="0" auth="0" reason="category" category="129" reputation="neutral" categoryname="Media Downloads"
2014:03:26-11:50:23 sbu001 httpproxy[5454]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.1.35" dstip="23.3.87.120" user="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Office Staff )" filteraction="REF_DefaultHTTPCFFBlockAction (Everyone - Default Group)" size="686410" request="0x27cbc880" url="https://iadsdk.apple.com" exceptions="" error="" authtime="0" dnstime="24315" cattime="52" avscantime="0" fullreqtime="91944618" device="0" auth="0" category="105,175" reputation="trusted" categoryname="Business,Software/Hardware" application=""
2014:03:26-12:06:29 sbu001 httpproxy[5454]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.32" dstip="96.17.202.35" user="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Office Staff )" filteraction="REF_DefaultHTTPCFFBlockAction (Everyone - Default Group)" size="16529" request="0x27e34cc0" url="gspa21.ls.apple.com/.../prod-resources-lodpi-20" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension" error="" authtime="0" dnstime="168495" cattime="0" avscantime="0" fullreqtime="252779" device="0" auth="0"
2014:03:26-12:08:34 sbu001 httpproxy[5454]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.35" dstip="174.76.226.82" user="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Office Staff )" filteraction="REF_DefaultHTTPCFFBlockAction (Everyone - Default Group)" size="2" request="0x27cbd760" url="http://gsp1.apple.com/pep/gcc" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension" error="" authtime="0" dnstime="135972" cattime="0" avscantime="0" fullreqtime="178480" device="0" auth="0"
2014:03:26-12:24:32 sbu001 httpproxy[5454]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.1.32" dstip="17.134.126.132" user="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Office Staff )" filteraction="REF_DefaultHTTPCFFBlockAction (Everyone - Default Group)" size="30775" request="0x27d34440" url="https://gs-loc.apple.com" exceptions="" error="" authtime="0" dnstime="21981" cattime="53" avscantime="0" fullreqtime="672146" device="0" auth="0" category="105,175" reputation="trusted" categoryname="Business,Software/Hardware" application=""


Filter profile is full transparent mode, no authentication, https "URL filtering only" checked
  • Hi Dunn

    Yes, these examples are the ones that I have written because I was having trouble getting to them and a lot more sites.
    (Certainly not Akamai (dangerous as it could be anyone), understood.)

    Do you have any examples for the workaround that will not match netflix.com.some_evil_site.com and would be ideal protection?

    thanks
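
An added example (not from the thread or from Sophos) that applies the exception pattern quoted in the original post to URL strings as they appear in the posted log, and contrasts a loose pattern with an anchored one on a lookalike host such as netflix.com.some_evil_site.com. It assumes Python's `re` behaves like the proxy's regex engine for these patterns; `host_pattern`, `LOOSE_PATTERN` and the trimmed sample lines are constructed for illustration.

```python
import re

# Exception pattern exactly as quoted in the original post.
PAGE_PATTERN = r"^https?://([A-Za-z0-9.-]*\.)?apple\.com\.?/"
# Constructed loose pattern, shown only for contrast (not from the thread).
LOOSE_PATTERN = r"^https?://[A-Za-z0-9.-]*netflix\.com"


def host_pattern(domain):
    """Hypothetical helper: match `domain` and its subdomains only.

    The host must be followed by an optional port and then '/' or the end
    of the string, so nothing can be appended after the domain, and a
    CONNECT-style URL with no path still matches.
    """
    return (r"^https?://([A-Za-z0-9-]+\.)*" + re.escape(domain)
            + r"\.?(:[0-9]+)?(/|$)")


# Constructed sample: three of the post's log lines, trimmed to four fields.
SAMPLE_LOG = [
    'action="block" method="CONNECT" url="https://play.itunes.apple.com" exceptions=""',
    'action="pass" method="CONNECT" url="https://iadsdk.apple.com" exceptions=""',
    'action="pass" method="GET" url="http://gsp1.apple.com/pep/gcc" '
    'exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension"',
]


def audit(lines, pattern):
    """Return (url, exceptions_logged, pattern_matches) for each log line."""
    rx = re.compile(pattern)
    rows = []
    for line in lines:
        fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
        rows.append((fields["url"], bool(fields["exceptions"]),
                     rx.search(fields["url"]) is not None))
    return rows


if __name__ == "__main__":
    for name, pat in (("page", PAGE_PATTERN),
                      ("anchored", host_pattern("apple.com"))):
        for row in audit(SAMPLE_LOG, pat):
            print(name, row)
    lookalike = "https://netflix.com.some_evil_site.com/"
    print("loose:", bool(re.search(LOOSE_PATTERN, lookalike)))
    print("anchored:", bool(re.search(host_pattern("netflix.com"), lookalike)))
```

On the strings as logged, the CONNECT entries carry no path, so a pattern that requires a trailing `/` does not match them, and those are the same entries logged with `exceptions=""`. Whether the proxy matches against exactly the logged string is not stated in the thread.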