Dec 08
This quick note allows you to:
- Define fingerprint situations that match ALL other URLs except the listed ones.
- Add a new inspection rule that defines which IP address group is allowed to access the defined URLs. All other combinations are terminated.
Note! Variable names must be unique in each fingerprint that is matched in the same context!
E.g. 'whitelisted_url_1', 'whitelisted_url_2'
- Create one situation, called whitelist1, structured as follows:
Context: HTTP Client Stream
RegExp:
(?x)
.*Host:(?>[^\n]*yle.fi(?{whitelisted_url_1=1,ignore}))|
.*Host:(?>[^\n]*mtv3.fi(?{whitelisted_url_1=1,ignore}))|
.*Host:(?>[^\n]*hs.fi(?{whitelisted_url_1=1,ignore}))|
.*Host:(?>[^\n]*cnn.com(?{whitelisted_url_1=1,ignore}))|
.*Host:(?>[^\n]*bbc.com(?{whitelisted_url_1=1,ignore}))|
.*\n\n(?{whitelisted_url_1==0})|
.*\r\n\r\n(?{whitelisted_url_1==0})
- Create another situation, called whitelist2, structured as follows:
Context: HTTP Client Stream
RegExp:
(?x)
.*Host:(?>[^\n]*sampo.fi(?{whitelisted_url_2=1,ignore}))|
.*Host:(?>[^\n]*op.fi(?{whitelisted_url_2=1,ignore}))|
.*Host:(?>[^\n]*norndea.fi(?{whitelisted_url_2=1,ignore}))|
.*Host:(?>[^\n]*stonesoft.com(?{whitelisted_url_2=1,ignore}))|
.*\n\n(?{whitelisted_url_2==0})|
.*\r\n\r\n(?{whitelisted_url_2==0})
- Create two groups of machines, called Group1 and Group2.
- Create an Access rule (and if needed a NAT rule for FW) to allow HTTP with deep inspection ON for both groups Group1 and Group2.
- Create two separate inspection rules as follows:
Situation    Source   Dest   Protocol   Action
whitelist1   Group1   ANY    ANY        Terminate
whitelist2   Group2   ANY    ANY        Terminate
- Install policy
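As an added example (not from the post or from Stonesoft), the Python below emulates the decision the two situations plus their inspection rules make for a client request: the Host header sets the variable and the situation stays silent ("continue"), otherwise the end of the request headers fires it and the connection is terminated. It also shows a caveat of the pattern above: `[^\n]*yle.fi` is an unanchored substring match with an unescaped dot, so hosts that merely contain that text are whitelisted too; the strict matcher is an anchored alternative. The group-to-rule mapping and the sample requests are constructed for this example.

```python
import re
from typing import Optional

# Whitelisted domains of the two situations on the page.
WHITELISTS = {
    "whitelist1": ["yle.fi", "mtv3.fi", "hs.fi", "cnn.com", "bbc.com"],
    "whitelist2": ["sampo.fi", "op.fi", "norndea.fi", "stonesoft.com"],
}
# Inspection rules: source group -> situation that terminates it (constructed mapping).
GROUP_RULE = {"Group1": "whitelist1", "Group2": "whitelist2"}


def host_header(request: bytes) -> Optional[str]:
    """Return the Host header value from the request head, or None if absent."""
    head = request.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    m = re.search(rb"(?im)^Host:[ \t]*([^\r\n]+)", head)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def loose_match(host: str, domain: str) -> bool:
    """Same semantics as the page's `[^\\n]*yle.fi`: substring, '.' matches any char."""
    return re.search(domain, host) is not None


def strict_match(host: str, domain: str) -> bool:
    """Exact domain or a subdomain of it, dot escaped, optional :port stripped."""
    hostname = host.rsplit(":", 1)[0] if re.fullmatch(r"[^:\[\]]+:\d+", host) else host
    return re.fullmatch(rf"(?i)(?:[a-z0-9-]+\.)*{re.escape(domain)}", hostname) is not None


def decision(request: bytes, group: str, matcher=strict_match) -> str:
    """'continue' if the request passes inspection, 'terminate' if the situation fires."""
    rule = GROUP_RULE.get(group)
    if rule is None:
        return "continue"  # no inspection rule for this source group
    host = host_header(request)
    if host and any(matcher(host, d) for d in WHITELISTS[rule]):
        return "continue"  # variable set and 'ignore' taken; situation never matches
    return "terminate"  # end of headers reached with the variable still 0
```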
5 Responses to “How to Whitelist URLs using fingerprinting”
December 12th, 2008 at 12:05 pm
A good example of how flexible the SG IPS regular expressions are.
I would like to mention that we also have URL filtering capabilities at the firewall. They were there all the time and in 4.2 they were even simplified (with the new “HTTP URL filter” context). Now one can create a blacklist in a couple of minutes.
There are pros and cons of different methods.
FW URL filtering pros:
1) simplified configuration;
2) built into the FW;
3) easy blacklists for URLs;
4) full support for IPS capabilities in HTTP streams.
FW URL filtering cons:
1) limited number of records (about 10 per situation);
2) only URL blacklisting possible with “simplified” config;
The kind of filtering described above (and possible in the FW/IPS) has some powerful advantages:
1) unlimited number of URLs;
2) whitelisting possible (not only blacklisting);
The only drawback is of course the necessity to read the IPS reference guide on details of fingerprint creation.
September 28th, 2009 at 6:54 pm
I’m very interested in whitelisting, but the code provided above does not work for me. Version 5.0.2 says syntax error.
November 2nd, 2009 at 6:06 pm
This code doesn’t work for me either.
There is a “(” problem.
November 17th, 2009 at 1:12 pm
Corrected. Should work now.
February 23rd, 2010 at 5:26 pm
The sample doesn’t work, the following code is OK for me:
RegExp:
(?x)
.*Host:(?>[^\n]*sampo.fi(?{whitelisted_url_2=1,ignore})|
.*Host:(?>[^\n]*op.fi(?{whitelisted_url_2=1,ignore})|
.*Host:(?>[^\n]*norndea.fi(?{whitelisted_url_2=1,ignore})|
.*Host:(?>[^\n]*stonesoft.com(?{whitelisted_url_2=1,ignore})|
.*\n\n(?{whitelisted_url_2==0})|
.*\r\n\r\n(?{whitelisted_url_2==0})