Block User Agent - Is it working?
Good Morning!
I have an ACL that denies based on User Agent, which currently looks like this:
^$
^Microsoft-Delivery-Optimization
^Windows-Update-Agent
^WindowsShellClient
MSDW

[NOTE: I have edited the log entries here to make them more readable]
Every once in a while, I see a burst of the following traffic from Win10 machines:
[2018-07-27 08:07:28.211] 10.1.90.9 - TAG_NONE peek watson.telemetry.microsoft.com *.big.telemetry.microsoft.com:443
[2018-07-27 08:07:28.281] 10.1.90.9 MSDW TAG_NONE - watson.telemetry.microsoft.com https://watson.telemetry.microsoft.com/...
[2018-07-27 08:07:29.136] 10.1.90.9 - TAG_NONE peek watson.telemetry.microsoft.com *.big.telemetry.microsoft.com:443
[2018-07-27 08:07:29.151] 10.1.90.9 MSDW TAG_NONE - watson.telemetry.microsoft.com https://watson.telemetry.microsoft.com/...

Although I have not examined the packets in detail, Wireshark does show 2-way communication.
It does seem to be working for the other User Agents, however, as the logs look more like what I'd expect for a blocked connection:
[2018-07-27 08:03:09.815] 10.1.90.9 WindowsShellClient TCP_DENIED bump arc.msn.com https://arc.msn.com/...
And if I add ^Mozilla to the ACL, the results are also as expected:
[2018-07-26 11:09:25.744] 10.1.90.9 Mozilla TAG_NONE peek www.apple.com 23.79.3.47:443
[2018-07-26 11:09:25.781] 10.1.90.9 Mozilla TCP_DENIED bump www.apple.com https://www.apple.com/
[2018-07-26 11:09:25.825] 10.1.90.9 Mozilla TAG_NONE - www.apple.com http://nix-1:3128/squid-internal-static/icons/SN.png
[2018-07-26 11:09:25.844] 10.1.90.9 Mozilla TCP_DENIED bump www.apple.com https://www.apple.com/favicon.ico

So is Squid blocking MSDW, but I'm misinterpreting the logs?
Have I committed a REGEX faux pas in my ACL?

Any pointers will be greatly appreciated!
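As an added example (not from the original post, and not Squid's own code), the following Python replays the post's deny-list regexes against the User-Agent field of log lines written in the same layout as the excerpt above and flags any request whose UA matches a deny pattern but was not logged as TCP_DENIED. The field order, treating `-` as an absent header, and skipping `peek` lines are assumptions; the sample lines are constructed.

```python
import re

# ACL entries exactly as listed in the post; Squid "browser" ACLs are regexes
ACL_PATTERNS = ["^$", "^Microsoft-Delivery-Optimization", "^Windows-Update-Agent",
                "^WindowsShellClient", "MSDW"]
COMPILED = [(p, re.compile(p)) for p in ACL_PATTERNS]

# Constructed sample lines in the excerpt's layout (assumed field order):
# [timestamp] client_ip user_agent squid_status bump_step host url
SAMPLE_LOG = """\
[2018-07-27 08:07:28.211] 10.1.90.9 - TAG_NONE peek watson.telemetry.microsoft.com *.big.telemetry.microsoft.com:443
[2018-07-27 08:07:28.281] 10.1.90.9 MSDW TAG_NONE - watson.telemetry.microsoft.com https://watson.telemetry.microsoft.com/
[2018-07-27 08:03:09.815] 10.1.90.9 WindowsShellClient TCP_DENIED bump arc.msn.com https://arc.msn.com/
[2018-07-27 08:09:01.002] 10.1.90.9 Mozilla TAG_NONE - www.example.com https://www.example.com/
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<ip>\S+)\s+(?P<ua>\S+)\s+(?P<status>\S+)"
                     r"\s+(?P<step>\S+)\s+(?P<host>\S+)\s+(?P<url>\S+)$")

def parse_line(line):
    """Split one log line into fields; Squid writes '-' for an absent header."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["ua"] == "-":
        rec["ua"] = ""
    return rec

def matching_acl(user_agent):
    """Return the first deny pattern matching the UA. re.search is used because
    a regex ACL entry is unanchored unless the pattern itself carries ^ or $."""
    for pattern, rx in COMPILED:
        if rx.search(user_agent):
            return pattern
    return None

def audit(log_text):
    """Compare each request's UA with the deny list. 'peek' lines are skipped:
    they record the TLS handshake step, before the decrypted request is visible."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["step"] == "peek":
            continue
        pattern = matching_acl(rec["ua"])
        findings.append({
            "ua": rec["ua"], "pattern": pattern, "status": rec["status"],
            # a UA that matches a deny pattern but was not denied is the
            # situation the post asks about
            "unexpected": pattern is not None and rec["status"] != "TCP_DENIED",
        })
    return findings
```

Running `audit(SAMPLE_LOG)` reports the MSDW line as unexpected (matching pattern, status TAG_NONE) and the WindowsShellClient line as a normal deny, which is the distinction to check in a real access log before suspecting the regex.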