Blocking file extensions not shown in URL
-
Hey guys.
I'm having a hard time trying to block some file extensions when the URL doesn't show the file. Google Drive for example, when I download a jpg, the download link is: https://doc-04-bg-docs.googleusercontent.com/docs/securesc/rpnv2ih23n3mjeb84apv3qer7p45nkuo/qo2ujbu8plq62urkcu4j1f5g7mhujsv3/1508940000000/02877457093924834188/02877457093924834188/0B0m5OOfdiGn7Y3AwY3hlXzNWc0E?e=download
So, Squidguard doesn't see the extension and by consequence, it doesn't block it.
The same happens with OWA (Outlook Web App). The users are able to download rar, zips, etc.
The blocking works just fine when the "file.zip" is contained in the URL.
Then I've tried to use Snort to check for file signatures (52 61 72 21 1A 07 00 and 52 61 72 21 1A 07 01 00), but I wasn't successful either, even though my initial intention was not to use an IPS/IDS for that, since I won't be able to control the blocks at a user level. Has anyone ever had to deal with this?
-
I bet you do have HTTPS filtering enabled? You need to have something that would look into the actual contents being downloaded - like https://docs.diladele.com/administrator_guide_5_2/web_filter/policies/blocking_file_downloads.html
-
Sure. HTTPS filtering ON, Bump, splice whitelist. The Diladele solution may work, but it's not free. That solution probably relies on Layer 7, since it promotes "Content Filter". After every new "virus spread" like today, the Bad Rabbit, I almost faint just by remembering that SOME content can't be blocked…
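As an added example (not code from this thread, nor from SquidGuard, Snort or Diladele), the routine below shows the three places a content filter can look when the URL carries no extension, as in the Google Drive and OWA cases above: the URL path, the Content-Disposition filename, and the magic bytes at the start of the response body. The two RAR signatures are the ones quoted in the question; the ZIP and JPEG signatures, the hostnames and the headers are constructed for the demo.

```python
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Magic bytes quoted in the question (RAR 1.5-4.x and RAR 5.0), plus two
# constructed comparison signatures so the sniffer can tell an image from an archive.
RAR4_MAGIC = bytes.fromhex("526172211A0700")
RAR5_MAGIC = bytes.fromhex("526172211A070100")
SIGNATURES = {
    "rar": [RAR4_MAGIC, RAR5_MAGIC],
    "zip": [b"PK\x03\x04"],
    "jpg": [b"\xff\xd8\xff"],
}
BLOCKED_TYPES = {"rar", "zip"}  # policy: archives blocked, images allowed


def sniff_type(payload: bytes) -> Optional[str]:
    """Identify the file type from the leading bytes of the response body."""
    for name, magics in SIGNATURES.items():
        if any(payload.startswith(m) for m in magics):
            return name
    return None


def filename_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Pull the filename out of a Content-Disposition header (plain or RFC 5987 form)."""
    disposition = headers.get("content-disposition", "")
    match = re.search(r"filename\*?=(?:UTF-8'')?\"?([^\";]+)", disposition, re.IGNORECASE)
    return match.group(1) if match else None


def url_extension(url: str) -> Optional[str]:
    """Extension of the last path segment, or None when the URL does not show one."""
    last_segment = urlparse(url).path.rsplit("/", 1)[-1]
    return last_segment.rsplit(".", 1)[1].lower() if "." in last_segment else None


def should_block(url: str, headers: Dict[str, str], first_bytes: bytes) -> Tuple[bool, str]:
    """Decision order: URL extension, then Content-Disposition filename, then magic bytes."""
    ext = url_extension(url)
    if ext in BLOCKED_TYPES:
        return True, f"url extension .{ext}"
    fname = filename_from_headers(headers)
    if fname and fname.rsplit(".", 1)[-1].lower() in BLOCKED_TYPES:
        return True, f"content-disposition {fname}"
    kind = sniff_type(first_bytes)
    if kind in BLOCKED_TYPES:
        return True, f"magic bytes {kind}"
    return False, "allowed"
```

In a real deployment the magic-byte check has to run on the decrypted, decompressed body (hence the HTTPS bump mentioned above), and the first few bytes must be buffered before the client sees them.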