Block doc documents


Block doc documents

Daniel Rieken
Hello,

I would like to block my users from downloading doc- and docm-files,
but not docx.

So this works fine for me:
/etc/squid3/blockExtensions.acl:
\.doc(\?.*)?$
\.docm(\?.*)?$

acl blockExtensions urlpath_regex -i "/etc/squid3/blockExtensions.acl"
http_access deny blockExtensions


But in some cases the URL doesn't contain the extension (e.g. doc).
For URLs like this the above ACL doesn't work:
- http://www.example.org/download.pl?file=wordfile
- http://www.example.org/invoice-5479657415/

Here I need to work with mime-types:
acl blockMime rep_mime_type application/msword
acl blockMime rep_mime_type application/vnd.ms-word.document.macroEnabled.12
http_reply_access deny blockMime

This works fine, too. But I see a problem: the mime-type is defined on
the webserver. So the bad guy could configure his webserver to serve a
doc-file as application/i.am.not.a.docfile and the above ACL isn't
working anymore.
Is there any way to make Squid block doc- and docm-files based on the
file type in the response headers?
Or in other words: is Squid able to match the "doc" in the
Content-Disposition header of the response?

HTTP/1.0 200 OK
Date: Tue, 27 Jun 2017 11:40:57 GMT
Server: Apache Phusion_Passenger/4.0.10 mod_bwlimited/1.4
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Content-Type: application/baddoc
Content-Disposition: attachment;
filename="gescanntes-Dokument-VPPAW-072-JCD3032.doc"
Content-Transfer-Encoding: binary
X-Powered-By: PHP/5.3.29
Connection: close


Regards, Daniel
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
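Squid does have an ACL that looks at a named reply header: rep_header applies a regular expression to the value of the header you name, and http_reply_access can deny on it. The fragment below is an added example for the Content-Disposition question above; it is not from the thread or copied from the Squid documentation. The ACL name blockDocName is the example's own, and it assumes Squid hands the ACL the header value as a single line (the sample reply above folds the filename onto a continuation line).

```text
# Match the filename parameter of the reply's Content-Disposition header.
# -i makes the match case-insensitive. "\.docm?" followed by a
# non-alphanumeric character or end of value matches ".doc" and ".docm"
# but not ".docx". "filename\*?=" also covers the RFC 5987 "filename*=" form.
acl blockDocName rep_header Content-Disposition -i filename\*?=.*\.docm?([^a-z0-9]|$)
http_reply_access deny blockDocName
```

This closes the gap for URLs that carry no extension, but only to the same extent Content-Type does: both headers are written by the server the attacker controls, and a reply that simply omits Content-Disposition passes. It is one more cheap signal on the reply, not a way to recognise the document itself.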

Re: Block doc documents

brendan
You need an ICAP server intelligent enough to differentiate between the file types.  Squid is a proxy and can only deal with the protocol.  An ICAP server can deal with the content.  C-icap and ecap are a couple of options that seem to be available.  I have no experience with either.


Re: Block doc documents

Rafael Akchurin
In reply to this post by Daniel Rieken
Hello Daniel,

We have something like this - but I am unsure if it is possible to differentiate the doc types you mentioned using the first 256 bytes of contents. Also think about zips - it may be that your users will be able to pack a file into a zip and get through your protection.

See https://docs.diladele.com/administrator_guide_5_1/web_filter/policies/blocking_file_downloads.html

Best regards,
Rafael


Re: Block doc documents

Amos Jeffries
Administrator
In reply to this post by Daniel Rieken
On 27/06/17 23:53, Daniel Rieken wrote:

> Hello,
>
> I would like to block my users from downloading doc- and docm-files,
> but not docx.
>
> So this works fine for me:
> /etc/squid3/blockExtensions.acl:
> \.doc(\?.*)?$
> \.docm(\?.*)?$
>
> acl blockExtensions urlpath_regex -i "/etc/squid3/blockExtensions.acl"
> http_access deny blockExtensions
>
>
> But in some cases the URL doesn't contain the extension (e.g. doc).
> For URLs like this the above ACL doesn't work:
> - http://www.example.org/download.pl?file=wordfile
> - http://www.example.org/invoice-5479657415/
>
> Here I need to work with mime-types:
> acl blockMime rep_mime_type application/msword
> acl blockMime rep_mime_type application/vnd.ms-word.document.macroEnabled.12
> http_reply_access deny blockMime
>
> This works fine, too. But I see a problem: The mime-type is defined on
> the webserver. So the badguy could configure his webserver to serve a
> doc-file as application/i.am.not.a.docfile and the above ACL isn't
> working anymore.


HTTP contains no concept of "file". That is a human concept. All of what
you mention above are the consequences of that difference.

I recommend you drop this concept of "file" from your thinking and
concentrate on detecting what HTTP details represent a bad HTTP message.
The "file" related things should be dealt with at other layers by other
software like AV scanning or, as Brendan suggested, ICAP payload scanners.


Amos
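What the three replies converge on is that the decision has to be made on the body, not on anything the server says about it: Brendan points at an ICAP content scanner, Amos at "other layers", and Rafael raises two practical caveats (docm and docx cannot be told apart from the first 256 bytes; a zip wrapper). The Python below is an added example that is not part of the thread and not code from Squid, c-icap or eCAP. It classifies a body by its bytes: a legacy .doc is an OLE2 compound file (signature D0 CF 11 E0 A1 B1 1A E1), while .docx and .docm are both ZIP packages that differ only in the main-part content type recorded in [Content_Types].xml, which is why a 256-byte prefix cannot separate them. The "WordDocument" stream-name heuristic, the nesting and size limits, and every sample blob are the example's own constructions; a real deployment would run this kind of check in an ICAP RESPMOD service, which is outside the example.

```python
"""Classify a downloaded body by its bytes, not by URL, Content-Type or
Content-Disposition (all of which the serving host controls)."""
import io
import zipfile
from typing import Tuple

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                           # local file header of a ZIP
WORD_MAIN_MACRO = "application/vnd.ms-word.document.macroEnabled.main+xml"
WORD_MAIN_PLAIN = ("application/vnd.openxmlformats-officedocument"
                   ".wordprocessingml.document.main+xml")
MAX_NESTING = 2                      # how deep to descend into zip-in-zip
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # do not expand oversized members (zip bombs)


def classify(data: bytes) -> str:
    """Return 'doc', 'ole2', 'docm', 'docx', 'ooxml', 'zip' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        # Any OLE2 file (doc, xls, ppt, msg, msi ...). The CFB directory stores
        # stream names as UTF-16LE and Word files carry a "WordDocument" stream.
        # Heuristic substring test, not a full CFB directory parse (assumption).
        return "doc" if "WordDocument".encode("utf-16-le") in data else "ole2"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "[Content_Types].xml" not in zf.namelist():
                return "zip"                     # ordinary archive, not OOXML
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "other"
    if WORD_MAIN_MACRO in ct:
        return "docm"
    if WORD_MAIN_PLAIN in ct:
        return "docx"
    return "ooxml"                               # xlsx, pptx, dotm, ...


def should_block(data: bytes, depth: int = 0) -> Tuple[bool, str]:
    """Policy from the thread: block doc and docm, allow docx. Plain ZIP
    archives are opened and their members classified, so zipping a .doc
    does not bypass the check."""
    kind = classify(data)
    if kind in ("doc", "docm"):
        return True, kind
    if kind == "zip" and depth < MAX_NESTING:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                try:
                    member = zf.read(info.filename)
                except (RuntimeError, zipfile.BadZipFile):
                    continue                     # e.g. encrypted member
                blocked, why = should_block(member, depth + 1)
                if blocked:
                    return True, "zip:%s:%s" % (info.filename, why)
    return False, kind


# ---- constructed samples (not captured files) ------------------------------

def make_ooxml(main_content_type: str) -> bytes:
    """Minimal OOXML package: just enough to carry the main-part content type."""
    ct = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Override PartName="/word/document.xml" ContentType="%s"/></Types>'
          % main_content_type)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Fake legacy .doc: OLE2 header, padding, then a directory-style stream name.
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le") + b"\x00" * 40
SAMPLE_DOCM = make_ooxml(WORD_MAIN_MACRO)
SAMPLE_DOCX = make_ooxml(WORD_MAIN_PLAIN)
SAMPLE_ZIPPED_DOC = make_zip({"invoice.bin": SAMPLE_DOC})   # Rafael's zip case

if __name__ == "__main__":
    for label, blob in [("doc", SAMPLE_DOC), ("docm", SAMPLE_DOCM),
                        ("docx", SAMPLE_DOCX), ("zip(doc)", SAMPLE_ZIPPED_DOC)]:
        print(label, should_block(blob))
```

The two things the example makes concrete: the docx/docm split needs the package opened and its content types read, so any prefix-only check either blocks both or neither; and a nested-archive walk with size and depth limits is what turns Rafael's zip remark from a bypass into a handled case (encrypted members still pass, which is a policy decision to make explicitly).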